Analysis

  • max time kernel
    972s
  • max time network
    975s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    10-05-2023 22:15

General

  • Target

    Use_2024_As_Passw0rd(1).rar

  • Size

    17.7MB

  • MD5

    21597608583ff900e22d9ef752f89865

  • SHA1

    425686012d63d31aaf20d8bf1ce73dfdda3606e1

  • SHA256

    62eed6ef3881ff1d829b73d374ae9e43ca5ac13fcfa4ed43adb7e4dc45385528

  • SHA512

    c8396d5e4acea54a20436fb71bdf254c35a217ce2fbb65070c48d9cb095169b1ec18654d5592fdda0564188f51cd77031ea2aee3b59a457730b84dede6d88345

  • SSDEEP

    393216:SwrZMzRWjvVp8J+/mcT0QVAr2mEFJEqQLTQXyX6sIxPpXDlxlHgTf+2GT:SwrXjvH8J+5T0rr27FOHpGpXDlHO+2w

Malware Config

Extracted

Family

raccoon

Botnet

141e039951f226abafc9f26367487dea

C2

http://37.220.87.68

http://83.217.11.14

http://94.142.138.125/

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Use_2024_As_Passw0rd(1).rar
    1⤵
      PID:4548
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1320
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\" -spe -an -ai#7zMap29390:104:7zEvent3781
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4444
      • C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe
        "C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:992
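The process list above shows the delivery pattern end to end: cmd.exe opens the RAR, 7zG.exe extracts it to a folder on the Desktop (the -o"..." argument), and +Setup.exe is then launched from inside that folder. One way to catch that sequence in endpoint telemetry is to remember the output directory of every 7-Zip extraction and flag any process whose image sits under that directory shortly afterwards. The Python below is an added example, not part of the sandbox report or of any product: the event records are constructed to mirror the command lines above, with invented timestamps, a benign notepad.exe launch and a late out-of-window launch added for contrast; the field names, the 10-minute window and the extractor image list are assumptions.

```python
import re
from datetime import datetime, timedelta

# 7-Zip front-ends whose -o<dir> argument names the extraction target (assumed list).
EXTRACTORS = {r"c:\program files\7-zip\7zg.exe", r"c:\program files\7-zip\7z.exe"}
OUTPUT_DIR_RE = re.compile(r'-o(?:"([^"]+)"|(\S+))')   # -o"C:\dir with spaces\"  or  -oC:\dir
WINDOW = timedelta(minutes=10)                          # assumed correlation window


def norm_path(p):
    return p.lower().rstrip("\\")


def extraction_dir(cmdline):
    """Return the normalised -o target of a 7-Zip command line, or None if absent."""
    m = OUTPUT_DIR_RE.search(cmdline)
    if not m:
        return None
    return norm_path(m.group(1) or m.group(2))


def execs_from_fresh_extractions(events, window=WINDOW):
    """Flag process creations whose image lives under a folder that a 7-Zip
    process extracted into no more than `window` earlier."""
    extractions = []   # (timestamp, target dir, extractor pid) seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = norm_path(ev["image"])
        if image in EXTRACTORS:
            target = extraction_dir(ev["cmdline"])
            if target:
                extractions.append((ev["ts"], target, ev["pid"]))
            continue
        for ts, target, xpid in extractions:
            age = ev["ts"] - ts
            if image.startswith(target + "\\") and timedelta(0) <= age <= window:
                hits.append({
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "extractor_pid": xpid,
                    "extracted_to": target,
                    "seconds_after_extraction": age.total_seconds(),
                })
                break
    return hits


# Constructed process-creation events modelled on the report's process list.
# Timestamps, the notepad.exe event and the late readme.exe event are invented.
T0 = datetime(2023, 5, 10, 22, 16, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "pid": 4548, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Use_2024_As_Passw0rd(1).rar"},
    {"ts": T0 + timedelta(seconds=5), "pid": 4444, "image": r"C:\Program Files\7-Zip\7zG.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\" -spe -an -ai#7zMap29390:104:7zEvent3781'},
    {"ts": T0 + timedelta(seconds=20), "pid": 992,
     "image": r"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe"'},
    # benign: launched from System32, not from the extraction folder
    {"ts": T0 + timedelta(seconds=25), "pid": 1234, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    # inside the extraction folder but 45 minutes later: outside the window, not flagged
    {"ts": T0 + timedelta(minutes=45), "pid": 5678,
     "image": r"C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\readme.exe", "cmdline": "readme.exe"},
]


if __name__ == "__main__":
    for hit in execs_from_fresh_extractions(SAMPLE_EVENTS):
        print(hit)
```

On the constructed events only PID 992 (+Setup.exe, 15 seconds after the extraction by PID 4444) is reported. In production the same logic would run over Sysmon event ID 1 or equivalent EDR process-creation records, and the window should be tuned against how quickly users normally open what they extract.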

      Network

      MITRE ATT&CK Matrix

      Downloads

      • C:\Users\Admin\Desktop\Use_2024_As_Passw0rd(1)\Use_2024_As_Passw0rd\+Setup.exe
        Filesize

        1550.3MB

        MD5

        6a85c90570758314f45c072f175adbd0

        SHA1

        4754a3f5432ee91ed599a78984249205155f049c

        SHA256

        74632e6b704bd3d49083c829655e50ed962a1849ae79e0349cd920dd847e76d0

        SHA512

        0674ce10c5d024247fdd3ba80f5781ff340c1f09112fba61c055190f771759c02d9635708b7786c1ba9f58dec4433338e94384f82aa796a65899a69a14aa0cd2

      • memory/992-195-0x0000000001F60000-0x0000000001F61000-memory.dmp
        Filesize

        4KB

      • memory/992-196-0x0000000001F70000-0x0000000001F71000-memory.dmp
        Filesize

        4KB

      • memory/992-197-0x0000000000400000-0x0000000001DFF000-memory.dmp
        Filesize

        26.0MB
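The dropped +Setup.exe is listed at 1550.3MB although the RAR it was extracted from is 17.7MB, and the process's main image in memory spans only 26.0MB (0x400000-0x1DFF000). A ratio like that means the bulk of the file on disk is highly compressible, which is what size inflation with a long run of filler bytes looks like; the practical consequences are that the file may exceed the size limits of scanners and sandboxes, and that the disk hashes describe mostly padding. The Python below is an added check, not from the report or any tool the report names: it measures the run of one repeated byte ending at EOF by reading the file backwards in 1 MiB pieces, so a multi-GB sample is never loaded into memory, and reports what is left once that run is discounted. It runs on a constructed file, not on the real sample, and the 50% threshold is an assumption.

```python
import os
import tempfile

CHUNK = 1 << 20               # scan the tail in 1 MiB pieces; never load the whole file
PAD_FRACTION_THRESHOLD = 0.5  # assumed cut-off: flag when >= 50% of the file is one repeated byte


def trailing_run(path):
    """Return (byte_value, run_length) for the run of identical bytes that ends at EOF.

    Reads backwards in CHUNK-sized pieces, so a multi-GB sample costs only as
    much I/O as its padding plus one chunk of real content.
    """
    size = os.path.getsize(path)
    if size == 0:
        return None, 0
    with open(path, "rb") as f:
        f.seek(size - 1)
        pad = f.read(1)            # the byte value that ends the file
        run = 0
        pos = size
        while pos > 0:
            start = max(0, pos - CHUNK)
            f.seek(start)
            buf = f.read(pos - start)
            stripped = buf.rstrip(pad)      # strip the repeated byte at C speed
            run += len(buf) - len(stripped)
            pos = start
            if stripped:                    # the run ended inside this chunk
                break
    return pad[0], run


def inflation_report(path, threshold=PAD_FRACTION_THRESHOLD):
    """Summarise how much of the file is trailing padding and whether it looks inflated."""
    size = os.path.getsize(path)
    pad_byte, run = trailing_run(path)
    fraction = run / size if size else 0.0
    return {
        "size": size,
        "pad_byte": pad_byte,
        "pad_len": run,
        "pad_fraction": round(fraction, 4),
        "payload_size": size - run,   # bytes worth hashing and scanning once the filler is dropped
        "inflated": fraction >= threshold,
    }


def write_sample(payload, pad_byte, pad_len):
    """Write a constructed test file: `payload` followed by `pad_len` copies of `pad_byte`.

    Synthetic data for the example, not the real +Setup.exe from the report.
    """
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
        f.write(bytes([pad_byte]) * pad_len)
    return path


if __name__ == "__main__":
    # A fake 4 KiB "executable" (MZ header plus a non-zero body) inflated with about 3 MiB of zeros.
    body = b"MZ" + bytes(range(256)) * 16
    sample = write_sample(body, 0x00, 3 * CHUNK + 12345)
    print(inflation_report(sample))
    os.remove(sample)
```

When a file is flagged, hash and submit the first `payload_size` bytes as well as the full file: the padded hashes (like the MD5/SHA256 listed for +Setup.exe above) pivot poorly, because the attacker can change the filler length and get a fresh hash at no cost.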