Analysis
-
max time kernel
129s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
31-01-2023 01:25
Behavioral task
behavioral1
Sample
Raccoon Stealer Builder.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Raccoon Stealer Builder.exe
Resource
win10v2004-20220812-en
General
-
Target
Raccoon Stealer Builder.exe
-
Size
239KB
-
MD5
0de94fc3e5f5e0e34d26abef5d3d6d2b
-
SHA1
23c26448be63a797e4b0166d6919ae9402aba6cc
-
SHA256
5d98c3afedbff733afeabec59003a7a952d2e09fd5179fa71d0745454ee59699
-
SHA512
bf6b2cfae5819c84e75bfb30193038d21fae0fdef82f91251bef904940bf8a866ad0ddd97980548400b83c08b0d4622b1f7a3f852b087d13a4f925ffe339950b
-
SSDEEP
3072:7+bZPfpKU+oF9a3voehFxtyI75ytEa+LFFCxge1nw1TV/oOWk:abpfpKU+u9obr70+ZmgoOWk
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral2/memory/1104-132-0x0000000000480000-0x00000000004C0000-memory.dmp disable_win_def -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1104-132-0x0000000000480000-0x00000000004C0000-memory.dmp family_stormkitty -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 checkip.dyndns.org -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5112 1104 WerFault.exe Raccoon Stealer Builder.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Raccoon Stealer Builder.exedescription pid process Token: SeDebugPrivilege 1104 Raccoon Stealer Builder.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Raccoon Stealer Builder.exe"C:\Users\Admin\AppData\Local\Temp\Raccoon Stealer Builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1104 -s 14562⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 428 -p 1104 -ip 11041⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1104-132-0x0000000000480000-0x00000000004C0000-memory.dmpFilesize
256KB
-
memory/1104-133-0x00007FFE53930000-0x00007FFE543F1000-memory.dmpFilesize
10.8MB
-
memory/1104-134-0x00007FFE53930000-0x00007FFE543F1000-memory.dmpFilesize
10.8MB
-
memory/1104-135-0x00007FFE53930000-0x00007FFE543F1000-memory.dmpFilesize
10.8MB