raccoon | 984e7d941327d6764df705f36223d4f137eff73c2dfb6acc117f6326b41e0968 | Triage

Submit
Reports

Overview

overview

Static

static

3a3b33f3c4...3d.exe

windows7-x64

3a3b33f3c4...3d.exe

windows10-2004-x64

Sharing

General

Target

3a3b33f3c468bfc7b2759d9e7ecf793d.exe
Size

16.9MB
Sample

221012-rnz7asfbc7
MD5

3a3b33f3c468bfc7b2759d9e7ecf793d
SHA1

74552fc3a50344a814c1e48d832ee055abbe3f4c
SHA256

984e7d941327d6764df705f36223d4f137eff73c2dfb6acc117f6326b41e0968
SHA512

5d7ed325372289c8e5c93d35265dcecceaeaa2e429fd4f3ab866a5868a18c765c870c931d4cac2380fc8ba25d85241db4ca569f194a76df757fef89f42beaa9f
SSDEEP

393216:z6tlPxMeW6cML02hze6fw0ZyHFZtFFvYts19VQIJgNx/srAAS:k3MeFtSbtFBYO1xUHJ

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 discovery evasion persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

3a3b33f3c468bfc7b2759d9e7ecf793d.exe

Resource

win7-20220812-en

evasion persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

3a3b33f3c468bfc7b2759d9e7ecf793d.exe

Resource

win10v2004-20220812-en

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 discovery evasion persistence spyware stealer trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://31.42.177.216/hfile.bin

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://188.93.233.101/

rc4.plain

Targets

- Target
  
  3a3b33f3c468bfc7b2759d9e7ecf793d.exe
- Size
  
  16.9MB
- MD5
  
  3a3b33f3c468bfc7b2759d9e7ecf793d
- SHA1
  
  74552fc3a50344a814c1e48d832ee055abbe3f4c
- SHA256
  
  984e7d941327d6764df705f36223d4f137eff73c2dfb6acc117f6326b41e0968
- SHA512
  
  5d7ed325372289c8e5c93d35265dcecceaeaa2e429fd4f3ab866a5868a18c765c870c931d4cac2380fc8ba25d85241db4ca569f194a76df757fef89f42beaa9f
- SSDEEP
  
  393216:z6tlPxMeW6cML02hze6fw0ZyHFZtFFvYts19VQIJgNx/srAAS:k3MeFtSbtFBYO1xUHJ
Score

10^/10

evasion persistence trojan raccoon 9b19cf60d9bdf65b8a2495aa965456c3 discovery spyware stealer
- Modifies Windows Defender notification settings
  evasion trojan
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Process Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

raccoon9b19cf60d9bdf65b8a2495aa965456c3discoveryevasionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy