raccoon | ec77d8e5e9ad405e74bc0780d1fd6b4070dfd155a0556ef3288ac493a1f28448

General

Target

43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe
Size

8.4MB
MD5

dcbe1dec97959e20853fd760b6900c01
SHA1

e8429524690350ca306badc5db81fa1e4c8becf1
SHA256

43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908
SHA512

c27b6f7d2d15228dd7bf5ffb996b4e4c800758114fad653ea6107605b23d73184b78ef410eee422ea5668a431c949c913ae17ded5de2760f61b436336436b013
SSDEEP

98304:AnEzmlSLRyvNFTeM9jgDubUynvFq5xS8Rr7pLfZNlT3/Msj:AES2Ryv/TU6bnvARr77/Msj

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

.NET Reactor proctector 36 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/628-54-0x0000000000CE0000-0x0000000001556000-memory.dmp	net_reactor
behavioral1/memory/628-55-0x00000000003F0000-0x000000000047E000-memory.dmp	net_reactor
behavioral1/memory/628-57-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-59-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-56-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-61-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-63-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-65-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-67-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-71-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-73-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-69-0x000000001B590000-0x000000001B610000-memory.dmp	net_reactor
behavioral1/memory/628-75-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-77-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-79-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-81-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-83-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-85-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-87-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-89-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-91-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-93-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-95-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-97-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-99-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-101-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-103-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-105-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-107-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-109-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-111-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-113-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-115-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-117-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-119-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor
behavioral1/memory/628-121-0x00000000003F0000-0x0000000000478000-memory.dmp	net_reactor

Suspicious use of SetThreadContext 1 IoCs

Processes:

43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe

description	pid	process	target process
PID 628 set thread context of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe

description pid process

Token: SeDebugPrivilege 628 43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe

description	pid	process
Token: SeDebugPrivilege	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe

description	pid	process	target process
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe
PID 628 wrote to memory of 1824	628	43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe
"C:\Users\Admin\AppData\Local\Temp\43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1824

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-54-0x0000000000CE0000-0x0000000001556000-memory.dmp

Filesize
8.5MB

Download
memory/628-55-0x00000000003F0000-0x000000000047E000-memory.dmp

Filesize
568KB

Download
memory/628-57-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-59-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-56-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-61-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-63-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-65-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-67-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-71-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/628-73-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-69-0x000000001B590000-0x000000001B610000-memory.dmp

Filesize
512KB

Download
memory/628-75-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-77-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-79-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-81-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-83-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-85-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-87-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-89-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-91-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-93-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-95-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-97-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-99-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-101-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-103-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-105-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-107-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-109-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-111-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-113-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-115-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-117-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-119-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-121-0x00000000003F0000-0x0000000000478000-memory.dmp

Filesize
544KB

Download
memory/628-1522-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads