raccoon | 5352ad7b62ac6a38bf4997ef0934c6cbb5c3c38bf71607bc309db3196ac20e02

Analysis

max time kernel
969s
max time network
1230s
platform
windows10-2004_x64
resource
win10v2004-20230221-es
resource tags

arch:x64arch:x86image:win10v2004-20230221-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
10-05-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Use_2024_As_Passw0rd.rar
Size

14.5MB
MD5

564c2166383b77531e66ca6afcd08363
SHA1

11ed086b024681df2a938a90d34bdd77c43fbec3
SHA256

5352ad7b62ac6a38bf4997ef0934c6cbb5c3c38bf71607bc309db3196ac20e02
SHA512

d7fdaf322ebd8027a35558996097e5691f3bc3570dc657b26d88e304d93b7e557340c8b3b9e6ec6fe23b5edc2cefad6b7a0a631c9552958779d351802048ff3b
SSDEEP

393216:6VTmXsw7XdOnCBOZqeztOHzTUgNxuIhjgGqLt2:EaXswhOCg80tkzTp/uSt/

Score

10^/10

raccoon 1a02d3cb5468c8755bd1609c6c7a04ad stealer

Malware Config

Extracted

Family

raccoon

Botnet

1a02d3cb5468c8755bd1609c6c7a04ad

http://37.220.87.68

http://83.217.11.14

http://94.142.138.125/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 2 IoCs

Processes:

+Setup.exe+Setup.exe

pid process

404 +Setup.exe
1936 +Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
404	+Setup.exe
1936	+Setup.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

+Setup.exe+Setup.exe

pid process

404 +Setup.exe
404 +Setup.exe
1936 +Setup.exe
1936 +Setup.exe

pid	process
404	+Setup.exe
404	+Setup.exe
1936	+Setup.exe
1936	+Setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	3552	7zG.exe
Token: 35	3552	7zG.exe
Token: SeSecurityPrivilege	3552	7zG.exe
Token: SeSecurityPrivilege	3552	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

3552 7zG.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2000 OpenWith.exe

pid	process
3552	7zG.exe

pid	process
2000	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Use_2024_As_Passw0rd.rar
1⤵
- Modifies registry class
PID:2124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\" -spe -an -ai#7zMap27451:98:7zEvent1528
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3552

C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe
"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:404

C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe
"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
C:\Users\Admin\Desktop\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1691.1MB

MD5
b83b6f1697e2ecbb87dcae477e9d9a22

SHA1
eedf7337aca40983a4a0e34f3fe15cbad7b8f081

SHA256
306d942f8ecf8bcfa6bc76168335f708dbe83690fad1f84cb0da28f640f1d8ac

SHA512
947c4110fdea839992c779a574286314632d3463e12fc18ce2eacee1eb6020065254b6af4252bda76fb7c8c8c0d2f12971d7627fad589fb963eebef35b4253ed

Download Submit
memory/404-195-0x0000000001760000-0x0000000001761000-memory.dmp

Filesize
4KB

Download
memory/404-196-0x0000000000400000-0x0000000001719000-memory.dmp

Filesize
19.1MB

Download
memory/1936-199-0x0000000001870000-0x0000000001871000-memory.dmp

Filesize
4KB

Download
memory/1936-200-0x0000000000400000-0x0000000001719000-memory.dmp

Filesize
19.1MB

Download