Analysis
- max time kernel: 129s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 31-01-2023 01:25
Behavioral task: behavioral1
- Sample: Raccoon Stealer Builder.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Raccoon Stealer Builder.exe
- Resource: win10v2004-20220812-en
General
- Target: Raccoon Stealer Builder.exe
- Size: 239KB
- MD5: 0de94fc3e5f5e0e34d26abef5d3d6d2b
- SHA1: 23c26448be63a797e4b0166d6919ae9402aba6cc
- SHA256: 5d98c3afedbff733afeabec59003a7a952d2e09fd5179fa71d0745454ee59699
- SHA512: bf6b2cfae5819c84e75bfb30193038d21fae0fdef82f91251bef904940bf8a866ad0ddd97980548400b83c08b0d4622b1f7a3f852b087d13a4f925ffe339950b
- SSDEEP: 3072:7+bZPfpKU+oF9a3voehFxtyI75ytEa+LFFCxge1nw1TV/oOWk:abpfpKU+u9obr70+ZmgoOWk
Malware Config
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes:
  resource: behavioral1/memory/952-54-0x0000000000A90000-0x0000000000AD0000-memory.dmp | yara_rule: disable_win_def
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  Processes:
  resource: behavioral1/memory/952-54-0x0000000000A90000-0x0000000000AD0000-memory.dmp | yara_rule: family_stormkitty
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Raccoon Stealer Builder.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe" | process: Raccoon Stealer Builder.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow: 3 | ioc: checkip.dyndns.org
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid: 1128 | pid_target: 952 | process: WerFault.exe | target process: Raccoon Stealer Builder.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Raccoon Stealer Builder.exe
  description: Token: SeDebugPrivilege | pid: 952 | process: Raccoon Stealer Builder.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: Raccoon Stealer Builder.exe
  description: PID 952 wrote to memory of 1128 | pid: 952 | process: Raccoon Stealer Builder.exe | target process: WerFault.exe
  description: PID 952 wrote to memory of 1128 | pid: 952 | process: Raccoon Stealer Builder.exe | target process: WerFault.exe
  description: PID 952 wrote to memory of 1128 | pid: 952 | process: Raccoon Stealer Builder.exe | target process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Raccoon Stealer Builder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Raccoon Stealer Builder.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child process)
    Command line: C:\Windows\system32\WerFault.exe -u -p 952 -s 1016
    - Program crash