raccoon | 85bfbde0fd013241fd5ed1f099874814c813d4ac968d6ce8e0be93e8b07e3918

General

Target

Set-up.exe
Size

815.4MB
MD5

8d09a44d7b7ecdc7acb2aad0376a38c6
SHA1

91ba128382958716bae664ff0af101da6d44be3c
SHA256

85bfbde0fd013241fd5ed1f099874814c813d4ac968d6ce8e0be93e8b07e3918
SHA512

4afa4befb406bf174384869b9514a5e74a4ce6b1d3f5978d9fec42ca2d04487f17661fd817caa14725f309844d3b0879861eb503521a30ec72ca25ff64218b2a
SSDEEP

98304:cTxPupJkmHmooywZfLGc6D6yT+nHZH6JnIRLfZNlT3/Msj:cTAkaoBxLc6lnHZH6Y/Msj

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1536-54-0x0000000000FD0000-0x0000000001846000-memory.dmp	net_reactor
behavioral1/memory/1536-57-0x00000000003F0000-0x000000000047E000-memory.dmp	net_reactor
behavioral1/memory/1536-58-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-59-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-61-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-63-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-65-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-67-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-71-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-69-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-73-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-77-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-75-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-85-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-83-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-81-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-79-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-87-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-89-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-91-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-93-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-95-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-97-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-99-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-103-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-101-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-105-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-107-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-111-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-109-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-113-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-119-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-117-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-121-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/1536-115-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor

Suspicious use of SetThreadContext 1 IoCs

Processes:

Set-up.exe

description pid process target process

PID 1536 set thread context of 672 1536 Set-up.exe InstallUtil.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Set-up.exe

description pid process

Token: SeDebugPrivilege 1536 Set-up.exe

description	pid	process	target process
PID 1536 set thread context of 672	1536	Set-up.exe	InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1536	Set-up.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Set-up.exe

description	pid	process	target process
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe
PID 1536 wrote to memory of 672	1536	Set-up.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:672

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-54-0x0000000000FD0000-0x0000000001846000-memory.dmp

Filesize
8.5MB

Download
memory/1536-56-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1536-55-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/1536-57-0x00000000003F0000-0x000000000047E000-memory.dmp

Filesize
568KB

Download
memory/1536-58-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-59-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-61-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-63-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-65-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-67-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-71-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-69-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-73-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-77-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-75-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-85-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-83-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-81-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-79-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-87-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-89-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-91-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-93-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-95-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-97-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-99-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-103-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-101-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-105-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-107-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-111-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-109-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-113-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-119-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-117-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-121-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-115-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/1536-1522-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing