raccoon | 4c80017f6e220f46a7cc53234e437ca7ba97bc3639cd961dac22040309ba7a70

Analysis

max time kernel
90s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2023 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe
Size

408KB
MD5

30e3a74a9d29671b7638499ef5d59053
SHA1

2361cc3085465e3d8e632395b8d5a07ea029c028
SHA256

7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177
SHA512

14f0040df92886d90c277076b9e90c015c2daccfa20f25da84146359eebd8c299d3102593fca0f27053fdf1550afc03ce59381b963e0c887def0ea029abdf09e
SSDEEP

6144:xLmBZYc9gTIu3mJ4f5PY+fUXxBN0KOUg0QV3fj1wUcw8tx2/kpZOwBuHBTpOdN87:xLGZCTV/qkjJwUcw8D2/k3OH

Score

10^/10

raccoon 2dbfb7ebbdc8183124d0ac1729de140a stealer

Malware Config

Extracted

Family

raccoon

Botnet

2dbfb7ebbdc8183124d0ac1729de140a

http://45.15.156.62

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe

description	pid	process	target process
PID 4880 set thread context of 4744	4880	7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe

description	pid	process	target process
PID 4880 wrote to memory of 4744	4880	7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe	vbc.exe
PID 4880 wrote to memory of 4744	4880	7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe	vbc.exe
PID 4880 wrote to memory of 4744	4880	7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe	vbc.exe
PID 4880 wrote to memory of 4744	4880	7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe	vbc.exe
PID 4880 wrote to memory of 4744	4880	7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe
"C:\Users\Admin\AppData\Local\Temp\7daf07f31b4c9a8f7bebdf7cf06c1de2bffcd2df70f675bcc995906054a77177.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
2⤵
PID:4744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4744-132-0x0000000000000000-mapping.dmp

Download
memory/4744-133-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4744-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download