raccoon | bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268

Analysis

max time kernel
106s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2023 16:51

Target

tmp.exe
Size

394KB
MD5

d74c5647d791583241baa5061e0063c9
SHA1

e404c6041dca2f3b767231e38dfca8faecca10ca
SHA256

bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
SHA512

7a60a3dc49c64f35a7d9b8838e45cb687f023778f65feb3c89d2465306bf1bfc300022e0ac1fbc7c2f5f8c69ce6b2bf78cabf2519a0919552d14ea4734ab579e
SSDEEP

12288:rkNkHyWEXeqvQYVby7+OLn2yTp/uzdGDHpc:skDqvQYV+qOL2y9/uzdGL

Score

10^/10

Family

raccoon

Botnet

6c8968d2498b99bf2d581580178f5f14

http://krrkrkrgsa.ink/

rc4.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 3404 set thread context of 1876 3404 tmp.exe jsc.exe

description	pid	process	target process
PID 3404 set thread context of 1876	3404	tmp.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 3404 tmp.exe

description	pid	process
Token: SeDebugPrivilege	3404	tmp.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 3404 wrote to memory of 212	3404	tmp.exe	SMSvcHost.exe
PID 3404 wrote to memory of 212	3404	tmp.exe	SMSvcHost.exe
PID 3404 wrote to memory of 4000	3404	tmp.exe	aspnet_state.exe
PID 3404 wrote to memory of 4000	3404	tmp.exe	aspnet_state.exe
PID 3404 wrote to memory of 216	3404	tmp.exe	RegSvcs.exe
PID 3404 wrote to memory of 216	3404	tmp.exe	RegSvcs.exe
PID 3404 wrote to memory of 220	3404	tmp.exe	ilasm.exe
PID 3404 wrote to memory of 220	3404	tmp.exe	ilasm.exe
PID 3404 wrote to memory of 4516	3404	tmp.exe	ngen.exe
PID 3404 wrote to memory of 4516	3404	tmp.exe	ngen.exe
PID 3404 wrote to memory of 1456	3404	tmp.exe	RegAsm.exe
PID 3404 wrote to memory of 1456	3404	tmp.exe	RegAsm.exe
PID 3404 wrote to memory of 1360	3404	tmp.exe	Microsoft.Workflow.Compiler.exe
PID 3404 wrote to memory of 1360	3404	tmp.exe	Microsoft.Workflow.Compiler.exe
PID 3404 wrote to memory of 916	3404	tmp.exe	AddInProcess.exe
PID 3404 wrote to memory of 916	3404	tmp.exe	AddInProcess.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe
PID 3404 wrote to memory of 1876	3404	tmp.exe	jsc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:4000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:4516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:1456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
2⤵
PID:916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:1360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:1876

memory/1876-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1876-135-0x00000000004088ED-mapping.dmp

Download
memory/1876-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1876-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1876-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3404-132-0x00000229BB440000-0x00000229BB4A8000-memory.dmp

Filesize
416KB

Download
memory/3404-133-0x00007FF8F91E0000-0x00007FF8F9CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-137-0x00007FF8F91E0000-0x00007FF8F9CA1000-memory.dmp

Filesize
10.8MB

Download