Analysis

  • max time kernel
    91s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2022 22:16

General

  • Target

    file.exe

  • Size

    3.6MB

  • MD5

    16071179683d1f84d63728f7a4c03167

  • SHA1

    179bb2c4aff7752e8082c84b585212a2ab82124f

  • SHA256

    23b137ce3bf552461beac7baf3a449a620010feac5cf69a1864e40b5efa04c2d

  • SHA512

    1465fe553b9f105195a3de21e71c02df5e0dc23d33f8d8751afedee34becfc7351dc81b7054249c9b402673b59c528abccea9635da407b05bc05ecbd78e5958d

  • SSDEEP

    49152:zQYDduXQyUijUpPL6yukdjTbi6Q3/akOAA49SOt3wueGyiopbsb1GZHunfTrLh:8q2PUiApskdrUPakmO1wue3sbAOnbrLh

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://5.2.70.65/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
      2⤵
      PID:716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 348
        3⤵
        • Program crash
        PID:3760
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 716 -ip 716
    1⤵
    PID:4340

Network

MITRE ATT&CK Matrix

Downloads

  • memory/716-136-0x0000000000408597-mapping.dmp
  • memory/716-137-0x0000000000190000-0x00000000001A4000-memory.dmp
    Filesize: 80KB
  • memory/716-142-0x0000000000190000-0x00000000001A4000-memory.dmp
    Filesize: 80KB
  • memory/716-146-0x0000000000190000-0x00000000001A4000-memory.dmp
    Filesize: 80KB
  • memory/3492-132-0x0000000000180000-0x0000000000518000-memory.dmp
    Filesize: 3.6MB
  • memory/3492-133-0x00007FFE993F0000-0x00007FFE99EB1000-memory.dmp
    Filesize: 10.8MB
  • memory/3492-134-0x00007FFE993F0000-0x00007FFE99EB1000-memory.dmp
    Filesize: 10.8MB
  • memory/3492-140-0x00007FFE993F0000-0x00007FFE99EB1000-memory.dmp
    Filesize: 10.8MB