raccoon | c585f047d68f7bc0c694eaa795b57e38c22229a4a965b446dc1353be7299953e

Resubmissions

18-10-2022 23:58

221018-3z8hlaebh9 10

18-10-2022 23:33

221018-3jynfsefgk 10

Analysis

max time kernel
48s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

565.exe
Size

369KB
MD5

b87c8d583a69a8a9b59fc628a2a8aa2a
SHA1

d0edbcb0176394e5f054c04f86ac5888dd806e39
SHA256

c585f047d68f7bc0c694eaa795b57e38c22229a4a965b446dc1353be7299953e
SHA512

47a8f972facbc3b84720da6fbbdfc587b7deb31eabaa51cf5cd1b3ca090194c930c3f5421943a97cca34dd5e36e6b719fc7b42b93bbf41afb990a72e23c556a2
SSDEEP

6144:PIIcrXQ4S33w614mazUBHfSdocWYD24IT+tcWnGwXt2wQh:JcrNS33L10QdrXZT+tcWnGwXtYh

Score

10^/10

raccoon ce21570f8b07f4e68bfb7f44917635b1 discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

ce21570f8b07f4e68bfb7f44917635b1

http://77.73.133.7/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

2 680 WScript.exe
3 680 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

222.exe2.0.2-beta.exe

pid process

1744 222.exe
1316 2.0.2-beta.exe
Loads dropped DLL 9 IoCs

Processes:

565.exe222.exe2.0.2-beta.exe

pid process

1364 565.exe
1364 565.exe
1364 565.exe
1364 565.exe
1744 222.exe
1744 222.exe
1316 2.0.2-beta.exe
1316 2.0.2-beta.exe
1316 2.0.2-beta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
2	680	WScript.exe
3	680	WScript.exe

pid	process
1744	222.exe
1316	2.0.2-beta.exe

pid	process
1364	565.exe
1364	565.exe
1364	565.exe
1364	565.exe
1744	222.exe
1744	222.exe
1316	2.0.2-beta.exe
1316	2.0.2-beta.exe
1316	2.0.2-beta.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

565.exe222.exe

description	pid	process	target process
PID 1364 wrote to memory of 680	1364	565.exe	WScript.exe
PID 1364 wrote to memory of 680	1364	565.exe	WScript.exe
PID 1364 wrote to memory of 680	1364	565.exe	WScript.exe
PID 1364 wrote to memory of 680	1364	565.exe	WScript.exe
PID 1364 wrote to memory of 1744	1364	565.exe	222.exe
PID 1364 wrote to memory of 1744	1364	565.exe	222.exe
PID 1364 wrote to memory of 1744	1364	565.exe	222.exe
PID 1364 wrote to memory of 1744	1364	565.exe	222.exe
PID 1364 wrote to memory of 1744	1364	565.exe	222.exe
PID 1364 wrote to memory of 1744	1364	565.exe	222.exe
PID 1364 wrote to memory of 1744	1364	565.exe	222.exe
PID 1744 wrote to memory of 1316	1744	222.exe	2.0.2-beta.exe
PID 1744 wrote to memory of 1316	1744	222.exe	2.0.2-beta.exe
PID 1744 wrote to memory of 1316	1744	222.exe	2.0.2-beta.exe
PID 1744 wrote to memory of 1316	1744	222.exe	2.0.2-beta.exe

C:\Users\Admin\AppData\Local\Temp\565.exe
"C:\Users\Admin\AppData\Local\Temp\565.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
2⤵
- Blocklisted process makes network request
PID:680

C:\Windows\Temp\222.exe
"C:\Windows\Temp\222.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
"C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
503c2e5233fa6b4e3556fdf9e9fb78cf

SHA1
c94e1a1220087ec5e01c07cf4f4bfc234bc3aa4c

SHA256
af2f7319195df494cd6b7e65e547002be46ee747d59d9d921908b20b3a9ff304

SHA512
7ca5c2c857644bff68bdc14f80f508488d5efb4ad3ef517f70559f4eee5fd83613f111dca5ad198330f7154293d975fee9c448c0545177b5de79e333e2b7bd03

Download Submit
C:\Windows\Temp\1.vbs
Filesize
105B

MD5
7402b8035ec1c280ca12067fb48f78cf

SHA1
f53efaa35eca6c64b1a54d250cd644d07269c787

SHA256
6479ad76955df79ac09773987823c4ca59f16db33668dae727d97c05178d2726

SHA512
bb7c9bf83e31de09f483221ee24ca12425c95e4e01005d8473666302e42b3633c974407d1053fd970fb325f1d35529c802486444fe5bc6ca72f024ff8d7d7d0b

Download Submit
C:\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
C:\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
503c2e5233fa6b4e3556fdf9e9fb78cf

SHA1
c94e1a1220087ec5e01c07cf4f4bfc234bc3aa4c

SHA256
af2f7319195df494cd6b7e65e547002be46ee747d59d9d921908b20b3a9ff304

SHA512
7ca5c2c857644bff68bdc14f80f508488d5efb4ad3ef517f70559f4eee5fd83613f111dca5ad198330f7154293d975fee9c448c0545177b5de79e333e2b7bd03

Download Submit
\Users\Admin\AppData\Local\Temp\2.0.2-beta.exe
Filesize
61KB

MD5
503c2e5233fa6b4e3556fdf9e9fb78cf

SHA1
c94e1a1220087ec5e01c07cf4f4bfc234bc3aa4c

SHA256
af2f7319195df494cd6b7e65e547002be46ee747d59d9d921908b20b3a9ff304

SHA512
7ca5c2c857644bff68bdc14f80f508488d5efb4ad3ef517f70559f4eee5fd83613f111dca5ad198330f7154293d975fee9c448c0545177b5de79e333e2b7bd03

Download Submit
\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
\Windows\Temp\222.exe
Filesize
107KB

MD5
2233e570ad3c150909e29e7b9f14365c

SHA1
f575f9e9437d20311d7f3f6761afd010942485f6

SHA256
ab3fbfd93b11073b6167a7dae10814ea12c9d6ec98b88b58cf64bbd615cb4e97

SHA512
d4f1db0ace6e896a843bb19c58fdf6029bcf7de0146b8b29e01351b8421ea4975a089178987fdb9b93ad87769de6f2627c45eb75eed6c6b913ac482bdb0bcb85

Download Submit
memory/680-55-0x0000000000000000-mapping.dmp

Download
memory/1316-69-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1744-60-0x0000000000000000-mapping.dmp

Download
memory/1744-65-0x00000000003A0000-0x00000000003C2000-memory.dmp

Filesize
136KB

Download