raccoon | 04cb991f7c25f60abc3773ccdc93595c272f0471b04fabf574839ac023b66989 | Triage

Submit
Reports

Overview

overview

Static

static

1

readerdc64...ll.exe

windows7-x64

3

readerdc64...ll.exe

windows10-2004-x64

Resubmissions

08-02-2023 13:40

230208-qyl7raae7z 10

Sharing

General

Target

readerdc64_it_hi_mdr_install.exe
Size

1.2MB
Sample

230208-qyl7raae7z
MD5

8abb981279dad6371ad9526d9fcd5df8
SHA1

571d964f8d27859c0773c7747378b4c0139fffca
SHA256

04cb991f7c25f60abc3773ccdc93595c272f0471b04fabf574839ac023b66989
SHA512

d3ab76a2b35d92ce26b09d6f4f3579f3825ca1f21a71ab8ae24ad5b2266914489584c1d4af82996527757729cbdb7c6e2c1a63ad10b5bef3d3a6ae1731348817
SSDEEP

24576:pwMt9/dQCf51s2CF0ZwSr2bVwVuXE9WdHwTqC6po9kKSRnIN4Y:CMt9FQCz+EwSr2bQUdQB32INx

Score

10^/10

raccoon evasion persistence stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

readerdc64_it_hi_mdr_install.exe

Resource

win7-20221111-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

readerdc64_it_hi_mdr_install.exe

Resource

win10v2004-20220812-en

raccoon evasion persistence stealer trojan

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Extracted

Family

raccoon

rc4.plain

Targets

- Target
  
  readerdc64_it_hi_mdr_install.exe
- Size
  
  1.2MB
- MD5
  
  8abb981279dad6371ad9526d9fcd5df8
- SHA1
  
  571d964f8d27859c0773c7747378b4c0139fffca
- SHA256
  
  04cb991f7c25f60abc3773ccdc93595c272f0471b04fabf574839ac023b66989
- SHA512
  
  d3ab76a2b35d92ce26b09d6f4f3579f3825ca1f21a71ab8ae24ad5b2266914489584c1d4af82996527757729cbdb7c6e2c1a63ad10b5bef3d3a6ae1731348817
- SSDEEP
  
  24576:pwMt9/dQCf51s2CF0ZwSr2bVwVuXE9WdHwTqC6po9kKSRnIN4Y:CMt9FQCz+EwSr2bQUdQB32INx
Score

10^/10

raccoon evasion persistence stealer trojan
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

raccoonevasionpersistencestealertrojan

© 2018-2024

Terms | Privacy