raccoon | 5e2e0fc2557c1471e5fda621f70cc560b1a589d7e91479cced85ca3c36830f8f

Analysis

max time kernel
1236s
max time network
1239s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
10-05-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Open_Setup_Use_2023_As_PassWord.rar
Size

17.7MB
MD5

ec63229d00684415d591cef854167dd2
SHA1

73afa5c05b2cb0c3a9d0ca279e610f24c10968b5
SHA256

5e2e0fc2557c1471e5fda621f70cc560b1a589d7e91479cced85ca3c36830f8f
SHA512

9b3541f4d9eb6d7a54a37371492e559cbe1281f79d042829a60f2a96148762361ea33e6030574433153025c964956cface47bdcc6f4130e53973081d33bf507b
SSDEEP

393216:uaMZMSMm7fFnlDU6iqvz0DVjzeqDJdQIWOgSn5xMuortdTKX7Ev7QPXYVqbJ:uaClf/w6h709RDJxL5GsI7QgAl

Score

10^/10

raccoon 8ed6e26daba8160b1050248b4a36291b stealer

Malware Config

Extracted

Family

raccoon

Botnet

8ed6e26daba8160b1050248b4a36291b

http://37.220.87.69

http://83.217.11.13

http://94.142.138.126/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

+Setup.exe

pid process

4904 +Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

+Setup.exe

pid process

4904 +Setup.exe
4904 +Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4904	+Setup.exe

pid	process
4904	+Setup.exe
4904	+Setup.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

+Setup.exe

pid process

4904 +Setup.exe
4904 +Setup.exe

pid	process
4904	+Setup.exe
4904	+Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	2260	7zG.exe
Token: 35	2260	7zG.exe
Token: SeSecurityPrivilege	2260	7zG.exe
Token: SeSecurityPrivilege	2260	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2260 7zG.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4576 OpenWith.exe

pid	process
2260	7zG.exe

pid	process
4576	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Open_Setup_Use_2023_As_PassWord.rar
1⤵
- Modifies registry class
PID:1612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2840

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\" -spe -an -ai#7zMap9420:120:7zEvent22468
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2260

C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe
"C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe

Filesize
1550.3MB

MD5
ddb9346458f3d52e9cd7311ebba05621

SHA1
a7a1e5285e89f76e6977bb2f933261ed0dec28b0

SHA256
15dcfa1f09c09d785366153b395424b866cd3dd89378175919f5c16ef228c2cc

SHA512
e372c4f6d4060044e7b9067f5f6bc17cc001d5259267521be7adc45c922c7142df3c51559587db8c714d67e8db0cd7efa4296f7e79cc322b621859ed1c693b14

Download Submit
C:\Users\Admin\Desktop\Open_Setup_Use_2023_As_PassWord\+Setup.exe

Filesize
1550.3MB

MD5
ddb9346458f3d52e9cd7311ebba05621

SHA1
a7a1e5285e89f76e6977bb2f933261ed0dec28b0

SHA256
15dcfa1f09c09d785366153b395424b866cd3dd89378175919f5c16ef228c2cc

SHA512
e372c4f6d4060044e7b9067f5f6bc17cc001d5259267521be7adc45c922c7142df3c51559587db8c714d67e8db0cd7efa4296f7e79cc322b621859ed1c693b14

Download Submit
memory/4904-197-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/4904-198-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/4904-199-0x0000000000400000-0x0000000001DF6000-memory.dmp

Filesize
26.0MB

Download