raccoon | bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268

General

Target

tmp.exe
Size

394KB
MD5

d74c5647d791583241baa5061e0063c9
SHA1

e404c6041dca2f3b767231e38dfca8faecca10ca
SHA256

bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
SHA512

7a60a3dc49c64f35a7d9b8838e45cb687f023778f65feb3c89d2465306bf1bfc300022e0ac1fbc7c2f5f8c69ce6b2bf78cabf2519a0919552d14ea4734ab579e
SSDEEP

12288:rkNkHyWEXeqvQYVby7+OLn2yTp/uzdGDHpc:skDqvQYV+qOL2y9/uzdGL

Score

10^/10

raccoon 6c8968d2498b99bf2d581580178f5f14 stealer

Malware Config

Extracted

Family

raccoon

Botnet

6c8968d2498b99bf2d581580178f5f14

C2

http://krrkrkrgsa.ink/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 3036 set thread context of 4732 3036 tmp.exe jsc.exe

description	pid	process	target process
PID 3036 set thread context of 4732	3036	tmp.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

tmp.exe

pid	process
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe
3036	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 3036 tmp.exe

description	pid	process
Token: SeDebugPrivilege	3036	tmp.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 3036 wrote to memory of 3076	3036	tmp.exe	Microsoft.Workflow.Compiler.exe
PID 3036 wrote to memory of 3076	3036	tmp.exe	Microsoft.Workflow.Compiler.exe
PID 3036 wrote to memory of 3308	3036	tmp.exe	DataSvcUtil.exe
PID 3036 wrote to memory of 3308	3036	tmp.exe	DataSvcUtil.exe
PID 3036 wrote to memory of 1380	3036	tmp.exe	AddInUtil.exe
PID 3036 wrote to memory of 1380	3036	tmp.exe	AddInUtil.exe
PID 3036 wrote to memory of 4412	3036	tmp.exe	cvtres.exe
PID 3036 wrote to memory of 4412	3036	tmp.exe	cvtres.exe
PID 3036 wrote to memory of 1504	3036	tmp.exe	ServiceModelReg.exe
PID 3036 wrote to memory of 1504	3036	tmp.exe	ServiceModelReg.exe
PID 3036 wrote to memory of 448	3036	tmp.exe	RegSvcs.exe
PID 3036 wrote to memory of 448	3036	tmp.exe	RegSvcs.exe
PID 3036 wrote to memory of 1956	3036	tmp.exe	MSBuild.exe
PID 3036 wrote to memory of 1956	3036	tmp.exe	MSBuild.exe
PID 3036 wrote to memory of 1804	3036	tmp.exe	ngentask.exe
PID 3036 wrote to memory of 1804	3036	tmp.exe	ngentask.exe
PID 3036 wrote to memory of 3524	3036	tmp.exe	AddInProcess32.exe
PID 3036 wrote to memory of 3524	3036	tmp.exe	AddInProcess32.exe
PID 3036 wrote to memory of 3524	3036	tmp.exe	AddInProcess32.exe
PID 3036 wrote to memory of 3528	3036	tmp.exe	aspnet_compiler.exe
PID 3036 wrote to memory of 3528	3036	tmp.exe	aspnet_compiler.exe
PID 3036 wrote to memory of 1484	3036	tmp.exe	vbc.exe
PID 3036 wrote to memory of 1484	3036	tmp.exe	vbc.exe
PID 3036 wrote to memory of 3756	3036	tmp.exe	WsatConfig.exe
PID 3036 wrote to memory of 3756	3036	tmp.exe	WsatConfig.exe
PID 3036 wrote to memory of 984	3036	tmp.exe	SMSvcHost.exe
PID 3036 wrote to memory of 984	3036	tmp.exe	SMSvcHost.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe
PID 3036 wrote to memory of 4732	3036	tmp.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:3076

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:3308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:4412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:1504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
PID:3524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:3528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
2⤵
PID:1484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
2⤵
PID:3756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-133-0x0000014DDBD40000-0x0000014DDBDA8000-memory.dmp

Filesize
416KB

Download
memory/3036-134-0x0000014DDD9E0000-0x0000014DDD9F0000-memory.dmp

Filesize
64KB

Download
memory/4732-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4732-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4732-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing