raccoon | 5352ad7b62ac6a38bf4997ef0934c6cbb5c3c38bf71607bc309db3196ac20e02

General

Target

Use_2024_As_Passw0rd.rar
Size

14.5MB
MD5

564c2166383b77531e66ca6afcd08363
SHA1

11ed086b024681df2a938a90d34bdd77c43fbec3
SHA256

5352ad7b62ac6a38bf4997ef0934c6cbb5c3c38bf71607bc309db3196ac20e02
SHA512

d7fdaf322ebd8027a35558996097e5691f3bc3570dc657b26d88e304d93b7e557340c8b3b9e6ec6fe23b5edc2cefad6b7a0a631c9552958779d351802048ff3b
SSDEEP

393216:6VTmXsw7XdOnCBOZqeztOHzTUgNxuIhjgGqLt2:EaXswhOCg80tkzTp/uSt/

Score

10^/10

raccoon 1a02d3cb5468c8755bd1609c6c7a04ad stealer

Malware Config

Extracted

Family

raccoon

Botnet

1a02d3cb5468c8755bd1609c6c7a04ad

C2

http://37.220.87.68

http://83.217.11.14

http://94.142.138.125/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

+Setup.exe

pid process

1568 +Setup.exe
Loads dropped DLL 3 IoCs

Processes:

+Setup.exe

pid process

1568 +Setup.exe
1568 +Setup.exe
1568 +Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

+Setup.exe

pid process

1568 +Setup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zG.exe

pid process

1868 7zG.exe

pid	process
1568	+Setup.exe

pid	process
1568	+Setup.exe
1568	+Setup.exe
1568	+Setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	rundll32.exe

pid	process
1568	+Setup.exe

pid	process
1868	7zG.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	1868	7zG.exe
Token: 35	1868	7zG.exe
Token: SeSecurityPrivilege	1868	7zG.exe
Token: SeSecurityPrivilege	1868	7zG.exe
Token: SeRestorePrivilege	796	7zG.exe
Token: 35	796	7zG.exe
Token: SeSecurityPrivilege	796	7zG.exe
Token: SeSecurityPrivilege	796	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exe7zG.exe

pid process

1868 7zG.exe
796 7zG.exe

pid	process
1868	7zG.exe
796	7zG.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 864 wrote to memory of 1624	864	cmd.exe	rundll32.exe
PID 864 wrote to memory of 1624	864	cmd.exe	rundll32.exe
PID 864 wrote to memory of 1624	864	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Use_2024_As_Passw0rd.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Use_2024_As_Passw0rd.rar
  2⤵
  - Modifies registry class
  PID:1624

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1324

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\" -spe -an -ai#7zMap16692:98:7zEvent19104
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1868

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\" -spe -an -ai#7zMap27224:98:7zEvent17678
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:796

C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe
"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
memory/1568-144-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1568-145-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1568-146-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1568-147-0x0000000000400000-0x0000000001719000-memory.dmp

Filesize
19.1MB

Download

Analysis

Sharing