raccoon | c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2022 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

3.5MB
MD5

85c27c29bcd669111e83ece79e7e0a62
SHA1

24cb399e0de0896709242e3e2cc2b0435d5c206e
SHA256

c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9
SHA512

9d01e2e090c553f3de1a85300f7faa36cee4a4e135ec47854529aaa1fe2fd2e0313b8202dbf875b6cc21e0a1ec46d1c1d379563ad7560470dd0a246c8bae7e99
SSDEEP

24576:DqkwrOTxquuoM1iHVHv/Rkelbl1RWuetgVR04suAKluiCionxi3tWEvvbwDiqBQd:4uuoBVH7XRWFIDpkdj

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 stealer

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

http://5.2.70.65/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 456 set thread context of 4736 456 file.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3832 4736 WerFault.exe vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 456 file.exe

description	pid	process	target process
PID 456 set thread context of 4736	456	file.exe	vbc.exe

pid	pid_target	process	target process
3832	4736	WerFault.exe	vbc.exe

description	pid	process
Token: SeDebugPrivilege	456	file.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe
PID 456 wrote to memory of 4736	456	file.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
2⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 340
3⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 4736
1⤵
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/456-132-0x0000000000C00000-0x0000000000F86000-memory.dmp

Filesize
3.5MB

Download
memory/456-133-0x00007FFC18140000-0x00007FFC18C01000-memory.dmp

Filesize
10.8MB

Download
memory/456-134-0x00007FFC18140000-0x00007FFC18C01000-memory.dmp

Filesize
10.8MB

Download
memory/456-139-0x00007FFC18140000-0x00007FFC18C01000-memory.dmp

Filesize
10.8MB

Download
memory/4736-136-0x0000000000408597-mapping.dmp

Download
memory/4736-137-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/4736-142-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/4736-146-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download