raccoon | 32eb91bc7933a1e99fb1416e60523ecfde0811e5cdeb74b7877f457bf6dfea3e

General

Target

jre-8u371-windows-i586.exe
Size

56.9MB
MD5

1b10be824ca0b2c31f43d296dc3df490
SHA1

14970b5fec652d066d93a41b84a4361cd798f7bb
SHA256

32eb91bc7933a1e99fb1416e60523ecfde0811e5cdeb74b7877f457bf6dfea3e
SHA512

e7ba353cd2b3a460525c3c5f0c75f042d5208ddd5c3f61b9dfb38f43399160ac0e6f7264d29bdad653d84ea254e1d616b483fa778722d37dbba2824b2f99dc2e
SSDEEP

786432:M5XmTHOmwqBSKNfVY7IU8eAISCuNdhy5NaYDZR8TQipFm4KhF+9cYdNwNkNrcZ:MoumZbNNun8vfbxERTipHdKYdCNk1s

Score

10^/10

raccoon stealer

Malware Config

Extracted

Family

raccoon

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

jre-8u371-windows-i586.exe

pid process

1252 jre-8u371-windows-i586.exe
Loads dropped DLL 1 IoCs

Processes:

jre-8u371-windows-i586.exe

pid process

1560 jre-8u371-windows-i586.exe

pid	process
1252	jre-8u371-windows-i586.exe

pid	process
1560	jre-8u371-windows-i586.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

jre-8u371-windows-i586.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	jre-8u371-windows-i586.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jre-8u371-windows-i586.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-8u371-windows-i586.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-8u371-windows-i586.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

jre-8u371-windows-i586.exe

pid process

1252 jre-8u371-windows-i586.exe
1252 jre-8u371-windows-i586.exe

pid	process
1252	jre-8u371-windows-i586.exe
1252	jre-8u371-windows-i586.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

jre-8u371-windows-i586.exe

description	pid	process	target process
PID 1560 wrote to memory of 1252	1560	jre-8u371-windows-i586.exe	jre-8u371-windows-i586.exe
PID 1560 wrote to memory of 1252	1560	jre-8u371-windows-i586.exe	jre-8u371-windows-i586.exe
PID 1560 wrote to memory of 1252	1560	jre-8u371-windows-i586.exe	jre-8u371-windows-i586.exe
PID 1560 wrote to memory of 1252	1560	jre-8u371-windows-i586.exe	jre-8u371-windows-i586.exe
PID 1560 wrote to memory of 1252	1560	jre-8u371-windows-i586.exe	jre-8u371-windows-i586.exe
PID 1560 wrote to memory of 1252	1560	jre-8u371-windows-i586.exe	jre-8u371-windows-i586.exe
PID 1560 wrote to memory of 1252	1560	jre-8u371-windows-i586.exe	jre-8u371-windows-i586.exe

C:\Users\Admin\AppData\Local\Temp\jre-8u371-windows-i586.exe
"C:\Users\Admin\AppData\Local\Temp\jre-8u371-windows-i586.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\jds7083474.tmp\jre-8u371-windows-i586.exe
  "C:\Users\Admin\AppData\Local\Temp\jds7083474.tmp\jre-8u371-windows-i586.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds7083474.tmp\jre-8u371-windows-i586.exe

Filesize
56.6MB

MD5
3861f5205fd11c1bc8e1e3c4303a646c

SHA1
522e7f7d69b9dee671c8b838a968adc69f1bf8bd

SHA256
9c4318199b9cf0ce4587ebb2ef6957445655d4a337d441505e6b1176669bd680

SHA512
41510e66ec594279175c38acf7f07353dfaacf6d7a9b0304d5d730a14b9851150748938866e73862ff1b1f778a9eebfaa6ccb88cd08ccc3f19e0b64d23e7fa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7083474.tmp\jre-8u371-windows-i586.exe

Filesize
56.6MB

MD5
3861f5205fd11c1bc8e1e3c4303a646c

SHA1
522e7f7d69b9dee671c8b838a968adc69f1bf8bd

SHA256
9c4318199b9cf0ce4587ebb2ef6957445655d4a337d441505e6b1176669bd680

SHA512
41510e66ec594279175c38acf7f07353dfaacf6d7a9b0304d5d730a14b9851150748938866e73862ff1b1f778a9eebfaa6ccb88cd08ccc3f19e0b64d23e7fa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
55d314537546b806c94749e3b26453b3

SHA1
bb8db427128ccc923b966aaab540698264993975

SHA256
5db49f444f1f2835df42523537fcfcf6424f4065317ef1d5eb9d29a3932a00dc

SHA512
a1cb27d0a86f743307a96f80ad3ceff450353f715a2fbd2c0565ef2e1b9140b2994cff10c90317ccb99a6c7f86714aa7f54b391fb6af999b4c19e32a5caf8fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
8762d60f6a2ff6cd9a51a5e245ec1a06

SHA1
f8deb77f2cde4a85f34dd0aba6e64cbc6b1e80a2

SHA256
09626cfb1dc7bc7d907a9846db4160ac86d627a16e6eb2a46e160229bc48d23c

SHA512
c8cd9d7e6640ddf2aeac9ee2c4faaa22a763869047d4ea404e8adab639c0063f5de74ba94a13c3308acfb29d26aab2e95d8e9b78222956eea64fab5aea931f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
5257685a687478edb90b634ede6dcc42

SHA1
df99b4d8e8cc29f50fc1ace2f1cea11e72635194

SHA256
c42c66daeeb4db8571f977298ff9e3c07549fa0f6765dcd7146405fbe0fdfa53

SHA512
7bdd07512c8170cdaf423d3272191626f8a7e0a32d9b496855f8a7d8259640fa0c8783e07cf07aa2cb32567e5db0b6dfa9716e9669a38c2e6fb7a1bfaa6dfed3

Download Submit
\Users\Admin\AppData\Local\Temp\jds7083474.tmp\jre-8u371-windows-i586.exe

Filesize
56.6MB

MD5
3861f5205fd11c1bc8e1e3c4303a646c

SHA1
522e7f7d69b9dee671c8b838a968adc69f1bf8bd

SHA256
9c4318199b9cf0ce4587ebb2ef6957445655d4a337d441505e6b1176669bd680

SHA512
41510e66ec594279175c38acf7f07353dfaacf6d7a9b0304d5d730a14b9851150748938866e73862ff1b1f778a9eebfaa6ccb88cd08ccc3f19e0b64d23e7fa76

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads