raccoon | 8279812ab08bff33c9cc0286bdd17a440964f98aedce3d5c184527e9d1a97fdc

Analysis

max time kernel
109s
max time network
135s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-04-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free-2O23_S0Ft__Se-tup.exe
Size

730.3MB
MD5

85a38f0f83dcd71f4024fa8f4bf9410a
SHA1

263d357e11319518fa9279005430fadf10ae3eb0
SHA256

8279812ab08bff33c9cc0286bdd17a440964f98aedce3d5c184527e9d1a97fdc
SHA512

3eea7c9bb2bb2af9d5a4e05f7e30e92f7172cd1787685a1d62515f0be9de674174dc543bb16e7da80e1fb09bb2d2e18463f0f61fb5a9c7f99276da698dd87ee8
SSDEEP

196608:tEZSGTKbYGgxc13v4BNIP1vYyXYox8YPZFxhiN779hiDmwg/EVdQ0n/:te9TKbYGgxCv4BN4DXXPC7iDm/cQU/

Score

10^/10

raccoon 467a953db8cf896cec6946f6144f8158 discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

467a953db8cf896cec6946f6144f8158

http://79.137.206.158/

http://79.137.248.245/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1816	g8khRxY5.exe
1600	avd05jw5.exe
588	ZB8kY788.exe

Loads dropped DLL 6 IoCs

pid	Process
1276	Free-2O23_S0Ft__Se-tup.exe
1276	Free-2O23_S0Ft__Se-tup.exe
1276	Free-2O23_S0Ft__Se-tup.exe
1276	Free-2O23_S0Ft__Se-tup.exe
1276	Free-2O23_S0Ft__Se-tup.exe
1276	Free-2O23_S0Ft__Se-tup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
588	ZB8kY788.exe
588	ZB8kY788.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 1280	1816	g8khRxY5.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Free-2O23_S0Ft__Se-tup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Free-2O23_S0Ft__Se-tup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1276	Free-2O23_S0Ft__Se-tup.exe
588	ZB8kY788.exe
1280	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1816	1276	Free-2O23_S0Ft__Se-tup.exe	29
PID 1276 wrote to memory of 1816	1276	Free-2O23_S0Ft__Se-tup.exe	29
PID 1276 wrote to memory of 1816	1276	Free-2O23_S0Ft__Se-tup.exe	29
PID 1276 wrote to memory of 1816	1276	Free-2O23_S0Ft__Se-tup.exe	29
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1816 wrote to memory of 1280	1816	g8khRxY5.exe	31
PID 1276 wrote to memory of 1600	1276	Free-2O23_S0Ft__Se-tup.exe	32
PID 1276 wrote to memory of 1600	1276	Free-2O23_S0Ft__Se-tup.exe	32
PID 1276 wrote to memory of 1600	1276	Free-2O23_S0Ft__Se-tup.exe	32
PID 1276 wrote to memory of 1600	1276	Free-2O23_S0Ft__Se-tup.exe	32
PID 1276 wrote to memory of 588	1276	Free-2O23_S0Ft__Se-tup.exe	34
PID 1276 wrote to memory of 588	1276	Free-2O23_S0Ft__Se-tup.exe	34
PID 1276 wrote to memory of 588	1276	Free-2O23_S0Ft__Se-tup.exe	34
PID 1276 wrote to memory of 588	1276	Free-2O23_S0Ft__Se-tup.exe	34

C:\Users\Admin\AppData\Local\Temp\Free-2O23_S0Ft__Se-tup.exe
"C:\Users\Admin\AppData\Local\Temp\Free-2O23_S0Ft__Se-tup.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Roaming\g8khRxY5.exe
  "C:\Users\Admin\AppData\Roaming\g8khRxY5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- C:\Users\Admin\AppData\Roaming\avd05jw5.exe
  "C:\Users\Admin\AppData\Roaming\avd05jw5.exe"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Users\Admin\AppData\Roaming\ZB8kY788.exe
  "C:\Users\Admin\AppData\Roaming\ZB8kY788.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZB8kY788.exe

Filesize
7.5MB

MD5
fb0deff37fe12bbc4f0c1fe21e2d15ef

SHA1
180325b8b6e64638e167601c67cd9c53331ba9f6

SHA256
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

SHA512
9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

Download Submit
C:\Users\Admin\AppData\Roaming\ZB8kY788.exe

Filesize
7.5MB

MD5
fb0deff37fe12bbc4f0c1fe21e2d15ef

SHA1
180325b8b6e64638e167601c67cd9c53331ba9f6

SHA256
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

SHA512
9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

Download Submit
C:\Users\Admin\AppData\Roaming\avd05jw5.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
C:\Users\Admin\AppData\Roaming\avd05jw5.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
C:\Users\Admin\AppData\Roaming\g8khRxY5.exe

Filesize
309KB

MD5
556695e9c3421bca48a6035290030974

SHA1
1befa908e188cefa9e487f1149f3ed06d20708e1

SHA256
fb5a4495ff5a622d64bcb90b7d65f6278e5e8c5e6c53589321b72454c7ced196

SHA512
617f666b89748c2b68f881f09b90da4992f11dadef873fd0f4211d2fc8a6f075ddf68b539e098ac8af438c8e76413a25937b610085162f90f8a162b7ed2bf256

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Roaming\ZB8kY788.exe

Filesize
7.5MB

MD5
fb0deff37fe12bbc4f0c1fe21e2d15ef

SHA1
180325b8b6e64638e167601c67cd9c53331ba9f6

SHA256
ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

SHA512
9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

Download Submit
\Users\Admin\AppData\Roaming\avd05jw5.exe

Filesize
48KB

MD5
a23629286d856fa79cdf0d0012746bd7

SHA1
f5879c4d4506f750fe2cc510c8aedf5a6db462d6

SHA256
b7ff7973cae49e3e8bafe21ee7b7c7a6b713c2893cefa844c5f4ff134403118a

SHA512
99ea72147871288d65bc817d960c42a1e3f64dc29f972dd094fbea2f3764cadbec6470efe1458844653f87fa8aff862e91b83cc4c84632f69b8fa5685f1c7cde

Download Submit
\Users\Admin\AppData\Roaming\g8khRxY5.exe

Filesize
309KB

MD5
556695e9c3421bca48a6035290030974

SHA1
1befa908e188cefa9e487f1149f3ed06d20708e1

SHA256
fb5a4495ff5a622d64bcb90b7d65f6278e5e8c5e6c53589321b72454c7ced196

SHA512
617f666b89748c2b68f881f09b90da4992f11dadef873fd0f4211d2fc8a6f075ddf68b539e098ac8af438c8e76413a25937b610085162f90f8a162b7ed2bf256

Download Submit
memory/588-173-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/588-164-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/588-187-0x00000000008F0000-0x000000000149B000-memory.dmp

Filesize
11.7MB

Download
memory/588-186-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/588-185-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/588-183-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/588-182-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/588-180-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/588-179-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/588-177-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/588-176-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/588-174-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/588-171-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/588-170-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/588-168-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/588-167-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/588-166-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/588-165-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1276-56-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1276-75-0x0000000000400000-0x00000000015C3000-memory.dmp

Filesize
17.8MB

Download
memory/1276-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1276-70-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1276-71-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1276-73-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1276-57-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1276-68-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1276-54-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1276-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1276-144-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/1276-74-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1276-59-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1276-67-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1276-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1276-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1276-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1276-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1276-62-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1280-134-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-135-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-139-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1280-141-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-142-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-154-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download
memory/1600-155-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1600-151-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/1600-190-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1600-191-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1600-192-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1600-193-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download