raccoon | 52f7559453685d0c3f7c133af17d39ae40b09f403b792e1065d2529a5b6c3992 | Triage

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 22:00

Sharing

Report Analysis Logs

General

Target

tmp.exe
Size

1.1MB
MD5

849ca256b617969e263ac005d1657fee
SHA1

429e8f10e14fd11d7b15715689a86b1e4f0275c4
SHA256

52f7559453685d0c3f7c133af17d39ae40b09f403b792e1065d2529a5b6c3992
SHA512

f120471e04b0c2312fcb630874d314338e68488512ceeedc260312c4ba570b367f602e44c26a756c64e5f84e75f69c66643433f836a7be481a6e2f2cb74c2dc5
SSDEEP

6144:EhQs0F6/DrcrgG5WwO4dqAO0y/Qas3CKcgnTIxViT1qH0WUi+gCsoSvi:EhQsP/DrcrgcUGyngTIs1q5boSvi

Score

10^/10

raccoon b11c37ed36597cb6d2adb8b6280a6e12 stealer

Malware Config

Extracted

Family

raccoon

Botnet

b11c37ed36597cb6d2adb8b6280a6e12

C2

http://94.142.138.32

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 4496 set thread context of 1888 4496 tmp.exe InstallUtil.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4436 4496 WerFault.exe tmp.exe
1408 4496 WerFault.exe tmp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 4496 wrote to memory of 1368	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1368	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1368	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1368	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe
PID 4496 wrote to memory of 1888	4496	tmp.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 272
2⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 296
2⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4496 -ip 4496
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4496 -ip 4496
1⤵
PID:3484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-133-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1888-135-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1888-136-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download