raccoon | 3099f11a5d7e56fd714b21b76b411de53348237257938be932ed3d4e084d487d

Analysis

max time kernel
1231s
max time network
1236s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
10-05-2023 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PassKey-55551-CompleteFileV8.rar
Size

14.9MB
MD5

00de82c2721f4d97f728febbc4758036
SHA1

528eb4965630e9d051f2c2b3a9ffe6ddb78ffe75
SHA256

3099f11a5d7e56fd714b21b76b411de53348237257938be932ed3d4e084d487d
SHA512

0b9ad8446b9e06215f671875f7b845b6aaf0b3abc45b9ed022922f3a771ccfdfd97486f7d4b4188431b421076e79501b14b1b37e73e4df9076032694a6df1253
SSDEEP

393216:wLq2Hr2ghmHDNHhxhfSXMcgyI8cQWWoPBJl:wLq2SZj5D5Sc0cZW0J

Score

10^/10

raccoon ee2a3d190100b91c20d8bc284238dda6 discovery spyware stealer vmprotect

Malware Config

Extracted

Family

raccoon

Botnet

ee2a3d190100b91c20d8bc284238dda6

http://94.142.138.176/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

setup.exepxH2j9fn.exeTSTheme.exe

pid process

716 setup.exe
968 pxH2j9fn.exe
240 TSTheme.exe
Loads dropped DLL 4 IoCs

Processes:

setup.exe

pid process

716 setup.exe
716 setup.exe
716 setup.exe
716 setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
716	setup.exe
968	pxH2j9fn.exe
240	TSTheme.exe

pid	process
716	setup.exe
716	setup.exe
716	setup.exe
716	setup.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\setup.exe	vmprotect
C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\setup.exe	vmprotect
behavioral1/memory/716-577-0x0000000000400000-0x0000000000DC0000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

pxH2j9fn.exeTSTheme.exe

pid process

968 pxH2j9fn.exe
968 pxH2j9fn.exe
240 TSTheme.exe
240 TSTheme.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1416 schtasks.exe
516 schtasks.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

setup.exepxH2j9fn.exeTSTheme.exe

pid process

716 setup.exe
716 setup.exe
968 pxH2j9fn.exe
240 TSTheme.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1720 rundll32.exe

pid	process
968	pxH2j9fn.exe
968	pxH2j9fn.exe
240	TSTheme.exe
240	TSTheme.exe

pid	process
1416	schtasks.exe
516	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe

pid	process
716	setup.exe
716	setup.exe
968	pxH2j9fn.exe
240	TSTheme.exe

pid	process
1720	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

7zG.exe7zG.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	1416	7zG.exe
Token: 35	1416	7zG.exe
Token: SeSecurityPrivilege	1416	7zG.exe
Token: SeSecurityPrivilege	1416	7zG.exe
Token: SeRestorePrivilege	528	7zG.exe
Token: 35	528	7zG.exe
Token: SeSecurityPrivilege	528	7zG.exe
Token: SeSecurityPrivilege	528	7zG.exe
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zG.exe7zG.exe

pid process

1416 7zG.exe
528 7zG.exe

pid	process
1416	7zG.exe
528	7zG.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exesetup.exepxH2j9fn.exetaskeng.exeTSTheme.exe

description	pid	process	target process
PID 1760 wrote to memory of 1720	1760	cmd.exe	rundll32.exe
PID 1760 wrote to memory of 1720	1760	cmd.exe	rundll32.exe
PID 1760 wrote to memory of 1720	1760	cmd.exe	rundll32.exe
PID 716 wrote to memory of 968	716	setup.exe	pxH2j9fn.exe
PID 716 wrote to memory of 968	716	setup.exe	pxH2j9fn.exe
PID 716 wrote to memory of 968	716	setup.exe	pxH2j9fn.exe
PID 716 wrote to memory of 968	716	setup.exe	pxH2j9fn.exe
PID 968 wrote to memory of 1416	968	pxH2j9fn.exe	schtasks.exe
PID 968 wrote to memory of 1416	968	pxH2j9fn.exe	schtasks.exe
PID 968 wrote to memory of 1416	968	pxH2j9fn.exe	schtasks.exe
PID 968 wrote to memory of 1416	968	pxH2j9fn.exe	schtasks.exe
PID 968 wrote to memory of 1716	968	pxH2j9fn.exe	schtasks.exe
PID 968 wrote to memory of 1716	968	pxH2j9fn.exe	schtasks.exe
PID 968 wrote to memory of 1716	968	pxH2j9fn.exe	schtasks.exe
PID 968 wrote to memory of 1716	968	pxH2j9fn.exe	schtasks.exe
PID 1412 wrote to memory of 240	1412	taskeng.exe	TSTheme.exe
PID 1412 wrote to memory of 240	1412	taskeng.exe	TSTheme.exe
PID 1412 wrote to memory of 240	1412	taskeng.exe	TSTheme.exe
PID 1412 wrote to memory of 240	1412	taskeng.exe	TSTheme.exe
PID 240 wrote to memory of 516	240	TSTheme.exe	schtasks.exe
PID 240 wrote to memory of 516	240	TSTheme.exe	schtasks.exe
PID 240 wrote to memory of 516	240	TSTheme.exe	schtasks.exe
PID 240 wrote to memory of 516	240	TSTheme.exe	schtasks.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PassKey-55551-CompleteFileV8.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PassKey-55551-CompleteFileV8.rar
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1720

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1684

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\" -spe -an -ai#7zMap18072:114:7zEvent28995
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1416

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\" -spe -an -ai#7zMap23463:142:7zEvent24380
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\setup.exe
"C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Roaming\pxH2j9fn.exe
"C:\Users\Admin\AppData\Roaming\pxH2j9fn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe"
3⤵
- Creates scheduled task(s)
PID:1416

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}"
3⤵
PID:1716

C:\Windows\system32\taskeng.exe
taskeng.exe {321E849F-D423-4777-97CB-4EE05CD4DA7B} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe"
3⤵
- Creates scheduled task(s)
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe
Filesize
6.0MB

MD5
9e457e77d4717ae8594e268a1dbcdd2a

SHA1
bac83b7bccc008ff81794bfeb9aac0fa89ced6d9

SHA256
9e703b2475022b4c5f264774fefb2395e7a66f49d4db7fda9c6c2efe4d45c7c6

SHA512
a082d619d934fd82586d4821197a8feff49cb138de6c402db7c5542616beb50f8285450df244f1305e2e0652e1dcaf854bd9c5e1d96e39a3dc55f710b7fce1a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe
Filesize
6.0MB

MD5
9e457e77d4717ae8594e268a1dbcdd2a

SHA1
bac83b7bccc008ff81794bfeb9aac0fa89ced6d9

SHA256
9e703b2475022b4c5f264774fefb2395e7a66f49d4db7fda9c6c2efe4d45c7c6

SHA512
a082d619d934fd82586d4821197a8feff49cb138de6c402db7c5542616beb50f8285450df244f1305e2e0652e1dcaf854bd9c5e1d96e39a3dc55f710b7fce1a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe
Filesize
6.0MB

MD5
9e457e77d4717ae8594e268a1dbcdd2a

SHA1
bac83b7bccc008ff81794bfeb9aac0fa89ced6d9

SHA256
9e703b2475022b4c5f264774fefb2395e7a66f49d4db7fda9c6c2efe4d45c7c6

SHA512
a082d619d934fd82586d4821197a8feff49cb138de6c402db7c5542616beb50f8285450df244f1305e2e0652e1dcaf854bd9c5e1d96e39a3dc55f710b7fce1a5

Download Submit
C:\Users\Admin\AppData\Roaming\pxH2j9fn.exe
Filesize
6.0MB

MD5
9e457e77d4717ae8594e268a1dbcdd2a

SHA1
bac83b7bccc008ff81794bfeb9aac0fa89ced6d9

SHA256
9e703b2475022b4c5f264774fefb2395e7a66f49d4db7fda9c6c2efe4d45c7c6

SHA512
a082d619d934fd82586d4821197a8feff49cb138de6c402db7c5542616beb50f8285450df244f1305e2e0652e1dcaf854bd9c5e1d96e39a3dc55f710b7fce1a5

Download Submit
C:\Users\Admin\AppData\Roaming\pxH2j9fn.exe
Filesize
6.0MB

MD5
9e457e77d4717ae8594e268a1dbcdd2a

SHA1
bac83b7bccc008ff81794bfeb9aac0fa89ced6d9

SHA256
9e703b2475022b4c5f264774fefb2395e7a66f49d4db7fda9c6c2efe4d45c7c6

SHA512
a082d619d934fd82586d4821197a8feff49cb138de6c402db7c5542616beb50f8285450df244f1305e2e0652e1dcaf854bd9c5e1d96e39a3dc55f710b7fce1a5

Download Submit
C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\Read.me.txt
Filesize
134B

MD5
0526157cbd905f657d76123a8933de09

SHA1
776e0095acfc4c91ee22275a0bda1f2487884354

SHA256
9a5a38136e2592d4ffdb4c9f5b3fe29fd7d03ced5600cbe552cfd09013cbd755

SHA512
34aa0749eb45bde35c056f56cf01e4b55e5ed92ff9bc4ca43de3847d685443c3a81c4599050a6ae82b9a977f070285037b63a6ebdbfa56cb987aacfd0b30839a

Download Submit
C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup.rar
Filesize
14.9MB

MD5
5174ee0c38ddd30697eb4dfbfdb2cc59

SHA1
e21452bda1b5c4e8465b4078ddff112f25d64719

SHA256
e56546d647a97c405d8676cd8ba015e837712a672f543d03b5483150e3a25bb6

SHA512
edf53b0178f7d64c65bf1a1e44d849ea0494ac6dec45ba97afc3671557f606074bfd7fb0dae69aee6f4219a8feee5ec9c99d3ebf969a01ecbe63c0064cbcff14

Download Submit
C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\app\LICENSE.txt
Filesize
1KB

MD5
60a3c149b3893fc193db0ca111be5edc

SHA1
cad503fa4ce46d8f41e8036029113dff9bd10710

SHA256
d78528eb53898ff8fcf80986f87ae184c826cdea751d83fe90c5cf1e17142aa6

SHA512
948363eeda08b5395ca52ca49d5a47389ca4abe420a76f3625659b7e30bdc3b5fe37b7ce1a1012c861da3b8a05d5e5c0277d4ef6bee23a1a58d4189ab588ff93

Download Submit
C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\setup.exe
Filesize
1190.2MB

MD5
bd70ceadc7da2a573d635390029424fe

SHA1
cdc42f3c6bf3ebee6a1090c535e07a45090b33f4

SHA256
78ecbbf5da44aa120680d595e16db322ecf6b9445f34b344718c95fe6dc03149

SHA512
32193c5de0535b2f75a1ba31a9150ef4f8af2396a26e452c6d377bda4b3301692ed0f32800b5b5589a11a0641b47a8005404a7a5b09437b8e4ae871670791975

Download Submit
C:\Users\Admin\Desktop\PassKey-55551-CompleteFileV8\SoftwareSetup\setup.exe
Filesize
1190.2MB

MD5
bd70ceadc7da2a573d635390029424fe

SHA1
cdc42f3c6bf3ebee6a1090c535e07a45090b33f4

SHA256
78ecbbf5da44aa120680d595e16db322ecf6b9445f34b344718c95fe6dc03149

SHA512
32193c5de0535b2f75a1ba31a9150ef4f8af2396a26e452c6d377bda4b3301692ed0f32800b5b5589a11a0641b47a8005404a7a5b09437b8e4ae871670791975

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Roaming\pxH2j9fn.exe
Filesize
6.0MB

MD5
9e457e77d4717ae8594e268a1dbcdd2a

SHA1
bac83b7bccc008ff81794bfeb9aac0fa89ced6d9

SHA256
9e703b2475022b4c5f264774fefb2395e7a66f49d4db7fda9c6c2efe4d45c7c6

SHA512
a082d619d934fd82586d4821197a8feff49cb138de6c402db7c5542616beb50f8285450df244f1305e2e0652e1dcaf854bd9c5e1d96e39a3dc55f710b7fce1a5

Download Submit
memory/240-650-0x0000000000400000-0x0000000000D62000-memory.dmp

Filesize
9.4MB

Download
memory/716-577-0x0000000000400000-0x0000000000DC0000-memory.dmp

Filesize
9.8MB

Download
memory/716-561-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/716-575-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/716-574-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/716-576-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/716-572-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/716-573-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/716-567-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/716-569-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/716-611-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/716-570-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/716-564-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/716-563-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/716-566-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/716-559-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/716-557-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/716-558-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/716-556-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/716-560-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/968-632-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/968-637-0x0000000000400000-0x0000000000D62000-memory.dmp

Filesize
9.4MB

Download
memory/968-633-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/968-634-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/968-636-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/968-635-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download