raccoon | d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 06:47

Target

a5f5f00fb8fa9f4403b5d666698a5a17.exe
Size

1.3MB
MD5

a5f5f00fb8fa9f4403b5d666698a5a17
SHA1

9c39dd8abdc8ca70ddef39d66fa18d1ac43776a4
SHA256

d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
SHA512

eb0aca212053059c78665d1cb81893ea5a704e153663be3f71bc5eafa48e43923bd5a0277c2c202ef84ade4eb5e15e75de2b4878af7fa89ef4ea7cb1030a9821
SSDEEP

12288:BnjoxXIB0nWZQzjFeM6DJOjB9sTTHyDErTTFyxhRz3Zws3OOiotlt1pXRW:AIqnYQb6VO3Er2hXt

Score

10^/10

Family

raccoon

Botnet

0ec468673cadb705e7aab6a7b0bb3906

http://193.106.191.150/

rc4.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Suspicious use of SetThreadContext 1 IoCs

Processes:

a5f5f00fb8fa9f4403b5d666698a5a17.exe

description pid process target process

PID 2960 set thread context of 4968 2960 a5f5f00fb8fa9f4403b5d666698a5a17.exe a5f5f00fb8fa9f4403b5d666698a5a17.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a5f5f00fb8fa9f4403b5d666698a5a17.exe

pid process

2960 a5f5f00fb8fa9f4403b5d666698a5a17.exe
2960 a5f5f00fb8fa9f4403b5d666698a5a17.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a5f5f00fb8fa9f4403b5d666698a5a17.exe

description pid process

Token: SeDebugPrivilege 2960 a5f5f00fb8fa9f4403b5d666698a5a17.exe

description	pid	process	target process
PID 2960 set thread context of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe

pid	process
2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe
2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe

description	pid	process
Token: SeDebugPrivilege	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a5f5f00fb8fa9f4403b5d666698a5a17.exe

description	pid	process	target process
PID 2960 wrote to memory of 2272	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 2272	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 2272	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe
PID 2960 wrote to memory of 4968	2960	a5f5f00fb8fa9f4403b5d666698a5a17.exe	a5f5f00fb8fa9f4403b5d666698a5a17.exe

C:\Users\Admin\AppData\Local\Temp\a5f5f00fb8fa9f4403b5d666698a5a17.exe
C:\Users\Admin\AppData\Local\Temp\a5f5f00fb8fa9f4403b5d666698a5a17.exe
2⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\a5f5f00fb8fa9f4403b5d666698a5a17.exe
C:\Users\Admin\AppData\Local\Temp\a5f5f00fb8fa9f4403b5d666698a5a17.exe
2⤵
PID:4968

memory/2272-134-0x0000000000000000-mapping.dmp

Download
memory/2960-132-0x0000000000610000-0x000000000076E000-memory.dmp

Filesize
1.4MB

Download
memory/2960-133-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/4968-135-0x0000000000000000-mapping.dmp

Download
memory/4968-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4968-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4968-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download