raccoon | ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274

Analysis

max time kernel
53s
max time network
55s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
16-10-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe
Size

213KB
MD5

4985af8c670ddde8fa978c82e8e6ed3e
SHA1

9e4b7558b5e69d2f0428b0728ceafd99afc95dcb
SHA256

ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274
SHA512

6ae4a4f32b1b48eee22c56a2c5cc2e1b1b069531993929908961ba4d0ab087dca0089395d4bf0f33665dda094fbdef5b4eee7fc4fd16faa73e01f4d5890556a3
SSDEEP

3072:cXpRHuHtLitAIpPw57XefTsjKtXo/me9+Ockt27t0Kg1Ok:YHuHtLoPeIgqe9+OFot0Ok

Score

10^/10

raccoon 63267bc2317b9849c2d512a4e16b0f3b discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

63267bc2317b9849c2d512a4e16b0f3b

http://shettester1000.com/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
3268	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66
PID 2672 wrote to memory of 3268	2672	ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe	66

C:\Users\Admin\AppData\Local\Temp\ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe
"C:\Users\Admin\AppData\Local\Temp\ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe
  "C:\Users\Admin\AppData\Local\Temp\ff0f5c06e13d7f3038de3ba92aa5ac178368e5092763fd04b27867a323d1d274.exe"
  2⤵
  - Loads dropped DLL
  PID:3268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
memory/2672-120-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-121-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-122-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-123-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-124-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-125-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-126-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-127-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-128-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-129-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-130-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-131-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-132-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-133-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-134-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-135-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-136-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-137-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-138-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-139-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-140-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-141-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-142-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-143-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-144-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-145-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-146-0x0000000000721000-0x0000000000731000-memory.dmp

Filesize
64KB

Download
memory/2672-147-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download
memory/2672-148-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-152-0x0000000000721000-0x0000000000731000-memory.dmp

Filesize
64KB

Download
memory/3268-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3268-151-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-153-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-154-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-155-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-157-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-158-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-159-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-160-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-161-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-162-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-163-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-165-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-164-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-166-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-167-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-168-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-169-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-170-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3268-171-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-172-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-173-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-174-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-175-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-176-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-177-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-178-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-179-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-180-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-181-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-182-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-183-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-184-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-185-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-186-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-187-0x0000000077560000-0x00000000776EE000-memory.dmp

Filesize
1.6MB

Download
memory/3268-203-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download