Overview

overview

10

Static

static

filesetup_...pg.exe

windows7-x64

1

filesetup_...pg.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2023 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    filesetup_v17.3.4.jpg.exe

  • Size

    253KB

  • MD5

    f50a1d78d091608f158eaccf0868aec3

  • SHA1

    6c8ace1c29eb95542bc19a2170c979e17cff5fca

  • SHA256

    0ba8881e6cc0bfc2c0669f8d96ee6c43afe7b5921dc93a259b4b27a1cfbec1f3

  • SHA512

    95a313e557a22af4e03eeaf556452ed2e65daa4064183ee5feecb984cf2b5ea2541a54789f5cd63d12aed2d1814512a82e03cdf165b5e2338587302f577432fb

  • SSDEEP

    3072:i14gX/gff43ix4iXQs8/NEK39fhEkC9EgaxOldWrS1/jdqw8PjNxtv9Tl0ZgQW6o:i14gZb7WFYQzvuB5U92/GI0/C6V

Score
10/10
raccoon058b163252af946c77f376d3f457096bstealer

Malware Config

Extracted

Family

raccoon

Botnet

058b163252af946c77f376d3f457096b

C2

http://160.119.253.242

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\filesetup_v17.3.4.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\filesetup_v17.3.4.jpg.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
        3⤵
          PID:1996
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
          3⤵
            PID:2112
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
            3⤵
              PID:1988

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1988-153-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1988-152-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1988-150-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1988-149-0x0000000000000000-mapping.dmp
          Download
        • memory/1996-147-0x0000000000000000-mapping.dmp
          Download
        • memory/2112-148-0x0000000000000000-mapping.dmp
          Download
        • memory/3804-133-0x00000000056C0000-0x0000000005C64000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3804-134-0x00000000051B0000-0x0000000005242000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3804-135-0x0000000005180000-0x000000000518A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3804-132-0x00000000007A0000-0x00000000007E4000-memory.dmp
          Filesize

          272KB

          Download
        • memory/4888-137-0x00000000027C0000-0x00000000027F6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/4888-143-0x0000000007100000-0x0000000007144000-memory.dmp
          Filesize

          272KB

          Download
        • memory/4888-144-0x0000000007440000-0x00000000074B6000-memory.dmp
          Filesize

          472KB

          Download
        • memory/4888-145-0x0000000007B40000-0x00000000081BA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/4888-146-0x00000000074C0000-0x00000000074DA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4888-142-0x0000000006130000-0x000000000614E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/4888-141-0x0000000005A90000-0x0000000005AF6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4888-140-0x0000000005180000-0x00000000051E6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4888-139-0x00000000050E0000-0x0000000005102000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4888-138-0x00000000052F0000-0x0000000005918000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/4888-136-0x0000000000000000-mapping.dmp
          Download