raccoon | 6148a04932be8b508c730fae9b7a8b67d96bd5bd21801a047e34a8e819a55c62

Analysis

max time kernel
94s
max time network
135s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-04-2023 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Expert-PC-2023.exe
Size

730.9MB
MD5

1cc87e637e55a2e6a88c745855423045
SHA1

7e837f0a6854e6f0b68f417bb8f5f8dc2daeee23
SHA256

6148a04932be8b508c730fae9b7a8b67d96bd5bd21801a047e34a8e819a55c62
SHA512

c23bce8c05365d9e626f2b6d49e3d74608c55a31977eaa01981962f105abed5a3c30ebd18a3a0c5c8bdb29c9746227ce063a093964edf367262bfab27bfd2827
SSDEEP

196608:UUJOFXQovEaJV73j5m9iepb+EDGVV3hCKboTEWMw6FO5+3Z4KW:UEfovJ13jk9Xp+VVRJbdwRiDW

Score

10^/10

raccoon 9429a6d92284fd6d41daa221d04032be discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

9429a6d92284fd6d41daa221d04032be

http://212.113.119.153/

http://77.91.84.147/

http://212.113.119.35/

http://79.137.248.245/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
956	yz5QbPVN.exe
884	4IxLg0UY.exe
1056	88jgdhdI.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	Expert-PC-2023.exe
2032	Expert-PC-2023.exe
2032	Expert-PC-2023.exe
2032	Expert-PC-2023.exe
2032	Expert-PC-2023.exe
2032	Expert-PC-2023.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 1928	956	yz5QbPVN.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1896	1928	WerFault.exe	30

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Expert-PC-2023.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Expert-PC-2023.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2032	Expert-PC-2023.exe
1056	88jgdhdI.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 956	2032	Expert-PC-2023.exe	28
PID 2032 wrote to memory of 956	2032	Expert-PC-2023.exe	28
PID 2032 wrote to memory of 956	2032	Expert-PC-2023.exe	28
PID 2032 wrote to memory of 956	2032	Expert-PC-2023.exe	28
PID 2032 wrote to memory of 884	2032	Expert-PC-2023.exe	31
PID 2032 wrote to memory of 884	2032	Expert-PC-2023.exe	31
PID 2032 wrote to memory of 884	2032	Expert-PC-2023.exe	31
PID 2032 wrote to memory of 884	2032	Expert-PC-2023.exe	31
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 956 wrote to memory of 1928	956	yz5QbPVN.exe	30
PID 1928 wrote to memory of 1896	1928	AppLaunch.exe	32
PID 1928 wrote to memory of 1896	1928	AppLaunch.exe	32
PID 1928 wrote to memory of 1896	1928	AppLaunch.exe	32
PID 1928 wrote to memory of 1896	1928	AppLaunch.exe	32
PID 1928 wrote to memory of 1896	1928	AppLaunch.exe	32
PID 1928 wrote to memory of 1896	1928	AppLaunch.exe	32
PID 1928 wrote to memory of 1896	1928	AppLaunch.exe	32
PID 2032 wrote to memory of 1056	2032	Expert-PC-2023.exe	33
PID 2032 wrote to memory of 1056	2032	Expert-PC-2023.exe	33
PID 2032 wrote to memory of 1056	2032	Expert-PC-2023.exe	33
PID 2032 wrote to memory of 1056	2032	Expert-PC-2023.exe	33

C:\Users\Admin\AppData\Local\Temp\Expert-PC-2023.exe
"C:\Users\Admin\AppData\Local\Temp\Expert-PC-2023.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\LocalLow\yz5QbPVN.exe
  "C:\Users\Admin\AppData\LocalLow\yz5QbPVN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 684
      4⤵
      Program crash
      PID:1896
- C:\Users\Admin\AppData\Roaming\4IxLg0UY.exe
  "C:\Users\Admin\AppData\Roaming\4IxLg0UY.exe"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Users\Admin\AppData\Local\Temp\88jgdhdI.exe
  "C:\Users\Admin\AppData\Local\Temp\88jgdhdI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\yz5QbPVN.exe

Filesize
308KB

MD5
d368e0e221d5e7daf9d4dc2825136dac

SHA1
448008dbad33ef3dc02431b7f7e7fb7ffb6e1e40

SHA256
d981feca3b0fb43369c3b0fdbb5e4fe6d66631ca6bdb706e8e52a4e849f484da

SHA512
75ab7f199b06a0d36d10c8602cb45df3bdced1c6239be7a5af3a10332b5c8a4e0d9c4477af0880d78b6e77679d7bc96cb441ca49e8f77572b9811fc19321c17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\88jgdhdI.exe

Filesize
277.6MB

MD5
4d6da7e30acaf3216b0c89fbe4bc1fd1

SHA1
60dfcdbf1d5782bf831ce76532ae479b8d547e53

SHA256
c79690aa69adfc71315c88f66dcece3d1ab07821ff02294effc41b4427a6d7f7

SHA512
e23350d0e672f5ad0fd4482551ce0b1186a5d1a98edab2d16f8a076078a8d39a211e0b26db7543b2e5ae724217e78d810306f094bf190d840d7669f005a57642

Download Submit
C:\Users\Admin\AppData\Local\Temp\88jgdhdI.exe

Filesize
256.8MB

MD5
2d37a52665c9296c6eec1f92c5c9da6b

SHA1
caae55ce6d92935a6c818860c6ada8ed5da12c00

SHA256
b990d589316a037c9fe16adb85e9dafd9b85749a3259cc58e7fe67fe3009e89e

SHA512
32b51ee498a60881b1d928f9da072f6f46ff2fdf9e2180b78382b6c4dcb9ac8639ca554aceacc47cd587c6db31576fe30d899996437e6ff0ceb9b42e175a8f1d

Download Submit
C:\Users\Admin\AppData\Roaming\4IxLg0UY.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
C:\Users\Admin\AppData\Roaming\4IxLg0UY.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\LocalLow\yz5QbPVN.exe

Filesize
308KB

MD5
d368e0e221d5e7daf9d4dc2825136dac

SHA1
448008dbad33ef3dc02431b7f7e7fb7ffb6e1e40

SHA256
d981feca3b0fb43369c3b0fdbb5e4fe6d66631ca6bdb706e8e52a4e849f484da

SHA512
75ab7f199b06a0d36d10c8602cb45df3bdced1c6239be7a5af3a10332b5c8a4e0d9c4477af0880d78b6e77679d7bc96cb441ca49e8f77572b9811fc19321c17a

Download Submit
\Users\Admin\AppData\Local\Temp\88jgdhdI.exe

Filesize
261.4MB

MD5
9067775bdd0011e6dbb9e07471be14e3

SHA1
c542963881ce9d1f0d73b8cd28fa19f5dcc4d5a3

SHA256
33a3b0e3df96fc295a6d844585cf3858d906d9e3d33ca8284b9e1e139ec077e6

SHA512
11502c6e5589eebb9931b253d7d816693a4957e52c33ef50eb817238819e41c48fb4aa09a50284e9cd98a7b6c480a1e0656b0ba48592370354e636bbcbf21c67

Download Submit
\Users\Admin\AppData\Roaming\4IxLg0UY.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
memory/884-138-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/884-133-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/884-143-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/884-142-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/884-140-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/884-137-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/884-135-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1056-170-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1056-167-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1056-169-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1056-173-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1056-163-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1056-175-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1056-176-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1056-177-0x0000000000A80000-0x0000000001521000-memory.dmp

Filesize
10.6MB

Download
memory/1056-166-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1056-172-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1056-164-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1056-157-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1056-158-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1056-159-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1056-160-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1056-161-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1056-162-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1928-136-0x0000000007380000-0x00000000073C0000-memory.dmp

Filesize
256KB

Download
memory/1928-122-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1928-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1928-130-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1928-128-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1928-124-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2032-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-57-0x0000000000400000-0x00000000016F9000-memory.dmp

Filesize
19.0MB

Download
memory/2032-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2032-91-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download