raccoon | 0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe
Size

538KB
MD5

3e50c05017763de7bad56f03afc4406f
SHA1

05ff58d27dbd36c54f9a19f909feb79591fe361d
SHA256

0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236
SHA512

59e89952f14324b973f2aeb0f71f80d283b97404840e09e6aaf3e6bcc93053cba8cc73df1d4aea4d1106c6d9d5043d1cc42cefe9c47200254ef2432bca10beef
SSDEEP

12288:FFexvwQ0qfjdLu4tnpIZkAtLCopegKGFaSeO03nC/JZQV0:FouVqf5dsC6OoggRanO0XkJZQV

Score

10^/10

raccoon a3a85b69314053c3bb015532d1a960a3d08baeb8 stealer

Malware Config

Extracted

Family

raccoon

Version

1.7.2

Botnet

a3a85b69314053c3bb015532d1a960a3d08baeb8

Attributes

url4cnc
https://telete.in/baudemars

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-133-0x0000000000880000-0x0000000000912000-memory.dmp	family_raccoon
behavioral2/memory/4976-134-0x0000000000400000-0x0000000000880000-memory.dmp	family_raccoon

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4452	4976	WerFault.exe	0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe
4128	4976	WerFault.exe	0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe
2956	4976	WerFault.exe	0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe
2384	4976	WerFault.exe	0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe
772	4976	WerFault.exe	0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe
3824	4976	WerFault.exe	0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe

C:\Users\Admin\AppData\Local\Temp\0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe
"C:\Users\Admin\AppData\Local\Temp\0df4d085fc7efb1700b9d547006eae8ccfe1edeee8395555ff15e476d7736236.exe"
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 740
2⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 776
2⤵
- Program crash
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 892
2⤵
- Program crash
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 912
2⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1100
2⤵
- Program crash
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1160
2⤵
- Program crash
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4976 -ip 4976
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4976 -ip 4976
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4976 -ip 4976
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4976 -ip 4976
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4976 -ip 4976
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4976 -ip 4976
1⤵
PID:3572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4976-132-0x0000000000AD3000-0x0000000000B23000-memory.dmp

Filesize
320KB

Download
memory/4976-133-0x0000000000880000-0x0000000000912000-memory.dmp

Filesize
584KB

Download
memory/4976-134-0x0000000000400000-0x0000000000880000-memory.dmp

Filesize
4.5MB

Download