raccoon | 357fa83576ea6b70d17a9a22c049065817b89edad52a7a4cdcb4d2e9e0f9a0e0

Analysis

max time kernel
1590s
max time network
1604s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
02/04/2023, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupFile.exe
Size

1023.0MB
MD5

3cd7c34bdce2201ec403163fa34bc67e
SHA1

87f1dd22c67315d6a823b244d6fe72758273c45a
SHA256

6d67096d24aef535924b065b49bc2f8b8dbe717d7e4ecae4e5daa45dcc2e193d
SHA512

c6c78986eb86ad2793215b187829d8b760047344ac6dfc9d5e38cc84035f7c20cd3c92435cce4b81157f0e4d942fdd97bbe9417a5241312399502f0ab585ef8d
SSDEEP

196608:NYzLzScvgh3AADZ7sMHEXBhb8Jrznl32LUTxqLrkSdNMjGYQcH7WTyCWxxPajesG:mjScvgh3A4dLHEx0rILKxC3+bGy96eyg

Score

10^/10

raccoon 23883deb102ef0839fbfe8fcef1a5fc7 discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

23883deb102ef0839fbfe8fcef1a5fc7

http://37.220.87.68

http://83.217.11.10

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
536	5b52fjld.exe
2012	57g8CE60.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	SetupFile.exe
2032	SetupFile.exe
2032	SetupFile.exe
2032	SetupFile.exe
2032	SetupFile.exe
2032	SetupFile.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2032	SetupFile.exe
2032	SetupFile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	SetupFile.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 536	2032	SetupFile.exe	30
PID 2032 wrote to memory of 536	2032	SetupFile.exe	30
PID 2032 wrote to memory of 536	2032	SetupFile.exe	30
PID 2032 wrote to memory of 536	2032	SetupFile.exe	30
PID 2032 wrote to memory of 2012	2032	SetupFile.exe	32
PID 2032 wrote to memory of 2012	2032	SetupFile.exe	32
PID 2032 wrote to memory of 2012	2032	SetupFile.exe	32
PID 2032 wrote to memory of 2012	2032	SetupFile.exe	32
PID 2012 wrote to memory of 1976	2012	57g8CE60.exe	33
PID 2012 wrote to memory of 1976	2012	57g8CE60.exe	33
PID 2012 wrote to memory of 1976	2012	57g8CE60.exe	33
PID 1976 wrote to memory of 1416	1976	cmd.exe	35
PID 1976 wrote to memory of 1416	1976	cmd.exe	35
PID 1976 wrote to memory of 1416	1976	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\SetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SetupFile.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Roaming\5b52fjld.exe
  "C:\Users\Admin\AppData\Roaming\5b52fjld.exe"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Users\Admin\AppData\Roaming\57g8CE60.exe
  "C:\Users\Admin\AppData\Roaming\57g8CE60.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\57g8CE60.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\57g8CE60.exe

Filesize
13.9MB

MD5
809fd08e5f79d466a9246b7a793f691d

SHA1
3256eca2d1638d421bc53cbfcca50effc18b5cec

SHA256
b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

SHA512
93192b344bc02daa6b81e0ea8b009ffe8e193ec2561678620e0efde39b4a0b43b00db4c1bea5a1859318bb91d3d66fc806130cee139b7b2d6a7951401d329c53

Download Submit
C:\Users\Admin\AppData\Roaming\57g8CE60.exe

Filesize
13.9MB

MD5
809fd08e5f79d466a9246b7a793f691d

SHA1
3256eca2d1638d421bc53cbfcca50effc18b5cec

SHA256
b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

SHA512
93192b344bc02daa6b81e0ea8b009ffe8e193ec2561678620e0efde39b4a0b43b00db4c1bea5a1859318bb91d3d66fc806130cee139b7b2d6a7951401d329c53

Download Submit
C:\Users\Admin\AppData\Roaming\5b52fjld.exe

Filesize
7.2MB

MD5
4e6c10540850ea6bfcd8fdba3c3df0f4

SHA1
a98a2d7269ba9547370178a3cf9b35a80e14e81c

SHA256
03c2a0d8b45ecc1f906e074effed6c268df1689067ae30c1504f5b9026c021fa

SHA512
dde387edb78136654850e7aa98fabc189250e92973b503ce91561aad806fdc8f3b81eec1d9abb908a326a3057258ad9526356b83eac26db49517234a173a048d

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Roaming\57g8CE60.exe

Filesize
13.9MB

MD5
809fd08e5f79d466a9246b7a793f691d

SHA1
3256eca2d1638d421bc53cbfcca50effc18b5cec

SHA256
b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

SHA512
93192b344bc02daa6b81e0ea8b009ffe8e193ec2561678620e0efde39b4a0b43b00db4c1bea5a1859318bb91d3d66fc806130cee139b7b2d6a7951401d329c53

Download Submit
\Users\Admin\AppData\Roaming\57g8CE60.exe

Filesize
13.9MB

MD5
809fd08e5f79d466a9246b7a793f691d

SHA1
3256eca2d1638d421bc53cbfcca50effc18b5cec

SHA256
b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

SHA512
93192b344bc02daa6b81e0ea8b009ffe8e193ec2561678620e0efde39b4a0b43b00db4c1bea5a1859318bb91d3d66fc806130cee139b7b2d6a7951401d329c53

Download Submit
\Users\Admin\AppData\Roaming\5b52fjld.exe

Filesize
7.2MB

MD5
4e6c10540850ea6bfcd8fdba3c3df0f4

SHA1
a98a2d7269ba9547370178a3cf9b35a80e14e81c

SHA256
03c2a0d8b45ecc1f906e074effed6c268df1689067ae30c1504f5b9026c021fa

SHA512
dde387edb78136654850e7aa98fabc189250e92973b503ce91561aad806fdc8f3b81eec1d9abb908a326a3057258ad9526356b83eac26db49517234a173a048d

Download Submit
memory/536-113-0x0000000005680000-0x000000000573E000-memory.dmp

Filesize
760KB

Download
memory/536-119-0x0000000005680000-0x000000000573E000-memory.dmp

Filesize
760KB

Download
memory/536-118-0x0000000005680000-0x000000000573E000-memory.dmp

Filesize
760KB

Download
memory/536-117-0x0000000005680000-0x000000000573E000-memory.dmp

Filesize
760KB

Download
memory/536-115-0x0000000005680000-0x000000000573E000-memory.dmp

Filesize
760KB

Download
memory/536-116-0x0000000005680000-0x000000000573E000-memory.dmp

Filesize
760KB

Download
memory/536-114-0x0000000005680000-0x000000000573E000-memory.dmp

Filesize
760KB

Download
memory/2012-112-0x0000000000D90000-0x0000000001BE0000-memory.dmp

Filesize
14.3MB

Download
memory/2032-58-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2032-55-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2032-54-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2032-56-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2032-57-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2032-94-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/2032-59-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2032-60-0x0000000000400000-0x0000000001CB1000-memory.dmp

Filesize
24.7MB

Download