raccoon | 62eed6ef3881ff1d829b73d374ae9e43ca5ac13fcfa4ed43adb7e4dc45385528

Analysis

max time kernel
884s
max time network
893s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
10-05-2023 22:15

Target

Use_2024_As_Passw0rd(1).rar
Size

17.7MB
MD5

21597608583ff900e22d9ef752f89865
SHA1

425686012d63d31aaf20d8bf1ce73dfdda3606e1
SHA256

62eed6ef3881ff1d829b73d374ae9e43ca5ac13fcfa4ed43adb7e4dc45385528
SHA512

c8396d5e4acea54a20436fb71bdf254c35a217ce2fbb65070c48d9cb095169b1ec18654d5592fdda0564188f51cd77031ea2aee3b59a457730b84dede6d88345
SSDEEP

393216:SwrZMzRWjvVp8J+/mcT0QVAr2mEFJEqQLTQXyX6sIxPpXDlxlHgTf+2GT:SwrXjvH8J+5T0rr27FOHpGpXDlHO+2w

Score

10^/10

Family

raccoon

Botnet

141e039951f226abafc9f26367487dea

http://37.220.87.68

http://83.217.11.14

http://94.142.138.125/

xor.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

+Setup.exe

pid process

1280 +Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

+Setup.exe

pid process

1280 +Setup.exe
1280 +Setup.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

+Setup.exe

pid process

1280 +Setup.exe

pid	process
1280	+Setup.exe

pid	process
1280	+Setup.exe
1280	+Setup.exe

pid	process
1280	+Setup.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	672	7zG.exe
Token: 35	672	7zG.exe
Token: SeSecurityPrivilege	672	7zG.exe
Token: SeSecurityPrivilege	672	7zG.exe
Token: 33	944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	944	AUDIODG.EXE
Token: 33	944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	944	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

672 7zG.exe

pid	process
672	7zG.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Use_2024_As_Passw0rd(1).rar
1⤵
PID:1984

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1550.3MB

MD5
6a85c90570758314f45c072f175adbd0

SHA1
4754a3f5432ee91ed599a78984249205155f049c

SHA256
74632e6b704bd3d49083c829655e50ed962a1849ae79e0349cd920dd847e76d0

SHA512
0674ce10c5d024247fdd3ba80f5781ff340c1f09112fba61c055190f771759c02d9635708b7786c1ba9f58dec4433338e94384f82aa796a65899a69a14aa0cd2

Download Submit
C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe

Filesize
1550.3MB

MD5
6a85c90570758314f45c072f175adbd0

SHA1
4754a3f5432ee91ed599a78984249205155f049c

SHA256
74632e6b704bd3d49083c829655e50ed962a1849ae79e0349cd920dd847e76d0

SHA512
0674ce10c5d024247fdd3ba80f5781ff340c1f09112fba61c055190f771759c02d9635708b7786c1ba9f58dec4433338e94384f82aa796a65899a69a14aa0cd2

Download Submit
memory/1280-117-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1280-116-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1280-118-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1280-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1280-121-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1280-120-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1280-122-0x0000000000400000-0x0000000001DFF000-memory.dmp

Filesize
26.0MB

Download