raccoon | 8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
13/01/2023, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29f6dc54c33b2aae2950019ee54b04c.exe
Size

831KB
MD5

f29f6dc54c33b2aae2950019ee54b04c
SHA1

c37d98a04edbe68fbd4e054fe0e96b1c926460ea
SHA256

8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539
SHA512

3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c
SSDEEP

24576:Mf78hVkC6gGhgfyNbpiODGsSm+FGUz9q:MAhf6gGhgab6shWz

Score

10^/10

raccoon 75ea4cb7f040eb3056eaa4e86a3a9d6c stealer

Malware Config

Extracted

Family

raccoon

Botnet

75ea4cb7f040eb3056eaa4e86a3a9d6c

http://91.215.85.146/

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	f29f6dc54c33b2aae2950019ee54b04c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	f29f6dc54c33b2aae2950019ee54b04c.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28
PID 844 wrote to memory of 1160	844	f29f6dc54c33b2aae2950019ee54b04c.exe	28

C:\Users\Admin\AppData\Local\Temp\f29f6dc54c33b2aae2950019ee54b04c.exe
"C:\Users\Admin\AppData\Local\Temp\f29f6dc54c33b2aae2950019ee54b04c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\f29f6dc54c33b2aae2950019ee54b04c.exe
  C:\Users\Admin\AppData\Local\Temp\f29f6dc54c33b2aae2950019ee54b04c.exe
  2⤵
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-54-0x0000000000310000-0x00000000003E6000-memory.dmp

Filesize
856KB

Download
memory/844-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/844-56-0x0000000004AF0000-0x0000000004BC4000-memory.dmp

Filesize
848KB

Download
memory/844-57-0x0000000004BE0000-0x0000000004C2A000-memory.dmp

Filesize
296KB

Download
memory/844-58-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/1160-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1160-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1160-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1160-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1160-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download