raccoon | 8a1197f828988b534acf6542b5ee75239c35fc94aeeee293e45d1d01d512b29d

General

Target

b002e90f98f6643ade82b4d657b920bc.exe
Size

1.6MB
MD5

b002e90f98f6643ade82b4d657b920bc
SHA1

2c56bae21ca4cc1d16c58a7f53add0a8ac54fa57
SHA256

8a1197f828988b534acf6542b5ee75239c35fc94aeeee293e45d1d01d512b29d
SHA512

c0870f71a2d237f90a0bbf982fb69bae82391efb1bb0806af557a406d1d23ec7838e52ab4c8d8144feeec24cd827e78e1506310eab2b1fc831aef17f8cefa87c
SSDEEP

24576:+7hfMeJ3ruTTdFkaasfMLAjJvrypuvGPp+2dhvj8OjzEJjug8q6x5h5T7U9NKLTj:YhfMeVrulF3LCJue5z8OjIJJi

Score

10^/10

raccoon rhadamanthys eb3a206cd939601b2a6d00ea009a6d7e stealer

Malware Config

Extracted

Family

raccoon

Botnet

eb3a206cd939601b2a6d00ea009a6d7e

C2

http://195.123.241.57/

rc4.plain

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3280-149-0x0000000002D10000-0x0000000002D2D000-memory.dmp	family_rhadamanthys
behavioral2/memory/3280-150-0x0000000003230000-0x0000000004230000-memory.dmp	family_rhadamanthys

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

b002e90f98f6643ade82b4d657b920bc.exe

description pid process target process

PID 4588 created 2944 4588 b002e90f98f6643ade82b4d657b920bc.exe taskhostw.exe
Loads dropped DLL 1 IoCs

Processes:

b002e90f98f6643ade82b4d657b920bc.exe

pid process

4588 b002e90f98f6643ade82b4d657b920bc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

fontview.exe

pid process

3280 fontview.exe
3280 fontview.exe
3280 fontview.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

b002e90f98f6643ade82b4d657b920bc.exe

description pid process target process

PID 4588 set thread context of 4324 4588 b002e90f98f6643ade82b4d657b920bc.exe ngentask.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3144 4588 WerFault.exe b002e90f98f6643ade82b4d657b920bc.exe
2340 4588 WerFault.exe b002e90f98f6643ade82b4d657b920bc.exe

description	pid	process	target process
PID 4588 created 2944	4588	b002e90f98f6643ade82b4d657b920bc.exe	taskhostw.exe

pid	process
3280	fontview.exe
3280	fontview.exe
3280	fontview.exe

description	pid	process	target process
PID 4588 set thread context of 4324	4588	b002e90f98f6643ade82b4d657b920bc.exe	ngentask.exe

pid	pid_target	process	target process
3144	4588	WerFault.exe	b002e90f98f6643ade82b4d657b920bc.exe
2340	4588	WerFault.exe	b002e90f98f6643ade82b4d657b920bc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fontview.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

b002e90f98f6643ade82b4d657b920bc.exe

pid	process
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe
4588	b002e90f98f6643ade82b4d657b920bc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fontview.exe

description pid process

Token: SeShutdownPrivilege 3280 fontview.exe
Token: SeCreatePagefilePrivilege 3280 fontview.exe

description	pid	process
Token: SeShutdownPrivilege	3280	fontview.exe
Token: SeCreatePagefilePrivilege	3280	fontview.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b002e90f98f6643ade82b4d657b920bc.exe

description	pid	process	target process
PID 4588 wrote to memory of 4324	4588	b002e90f98f6643ade82b4d657b920bc.exe	ngentask.exe
PID 4588 wrote to memory of 4324	4588	b002e90f98f6643ade82b4d657b920bc.exe	ngentask.exe
PID 4588 wrote to memory of 4324	4588	b002e90f98f6643ade82b4d657b920bc.exe	ngentask.exe
PID 4588 wrote to memory of 4324	4588	b002e90f98f6643ade82b4d657b920bc.exe	ngentask.exe
PID 4588 wrote to memory of 4324	4588	b002e90f98f6643ade82b4d657b920bc.exe	ngentask.exe
PID 4588 wrote to memory of 3280	4588	b002e90f98f6643ade82b4d657b920bc.exe	fontview.exe
PID 4588 wrote to memory of 3280	4588	b002e90f98f6643ade82b4d657b920bc.exe	fontview.exe
PID 4588 wrote to memory of 3280	4588	b002e90f98f6643ade82b4d657b920bc.exe	fontview.exe
PID 4588 wrote to memory of 3280	4588	b002e90f98f6643ade82b4d657b920bc.exe	fontview.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2944

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Users\Admin\AppData\Local\Temp\b002e90f98f6643ade82b4d657b920bc.exe
"C:\Users\Admin\AppData\Local\Temp\b002e90f98f6643ade82b4d657b920bc.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 580
2⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 572
2⤵
- Program crash
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4588 -ip 4588
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4588 -ip 4588
1⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240681218.dll
Filesize
335KB

MD5
f56b1b3fe0c50c6ed0fad54627df7a9a

SHA1
05742c9ad28475c7afdd3d6a63dd9200fc0b9f72

SHA256
e8f71da41bbc272ef84589a7575b13b8b5d6d5d01796b3af033682657263c53b

SHA512
fde2089bcdf19cdb9d27763e4d3294a0e42cd0a3132463636610d85c3903b885be6142d3b42204e89b76b5595e8b132580c8a5c60ced96d042ad96bcfe29b1c9

Download Submit
memory/3280-149-0x0000000002D10000-0x0000000002D2D000-memory.dmp

Filesize
116KB

Download
memory/3280-146-0x0000000000F70000-0x0000000000FA5000-memory.dmp

Filesize
212KB

Download
memory/3280-143-0x0000000000F70000-0x0000000000FA5000-memory.dmp

Filesize
212KB

Download
memory/3280-144-0x0000000000000000-mapping.dmp

Download
memory/3280-152-0x0000000000F70000-0x0000000000FA5000-memory.dmp

Filesize
212KB

Download
memory/3280-150-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/3280-148-0x00000000013D5000-0x00000000013D7000-memory.dmp

Filesize
8KB

Download
memory/3280-147-0x00000000013D4000-0x00000000013D7000-memory.dmp

Filesize
12KB

Download
memory/4324-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4324-145-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4324-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4324-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4324-136-0x0000000000000000-mapping.dmp

Download
memory/4588-153-0x0000000002DD0000-0x0000000002F25000-memory.dmp

Filesize
1.3MB

Download
memory/4588-135-0x000000000E410000-0x000000000E531000-memory.dmp

Filesize
1.1MB

Download
memory/4588-133-0x0000000002DD0000-0x0000000002F25000-memory.dmp

Filesize
1.3MB

Download
memory/4588-132-0x0000000002DD0000-0x0000000002F25000-memory.dmp

Filesize
1.3MB

Download
memory/4588-134-0x000000000E410000-0x000000000E531000-memory.dmp

Filesize
1.1MB

Download
memory/4588-151-0x000000000E410000-0x000000000E531000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads