raccoon | 32eb91bc7933a1e99fb1416e60523ecfde0811e5cdeb74b7877f457bf6dfea3e

General

Target

1b10be824ca0b2c31f43d296dc3df490.exe
Size

56.9MB
MD5

1b10be824ca0b2c31f43d296dc3df490
SHA1

14970b5fec652d066d93a41b84a4361cd798f7bb
SHA256

32eb91bc7933a1e99fb1416e60523ecfde0811e5cdeb74b7877f457bf6dfea3e
SHA512

e7ba353cd2b3a460525c3c5f0c75f042d5208ddd5c3f61b9dfb38f43399160ac0e6f7264d29bdad653d84ea254e1d616b483fa778722d37dbba2824b2f99dc2e
SSDEEP

786432:M5XmTHOmwqBSKNfVY7IU8eAISCuNdhy5NaYDZR8TQipFm4KhF+9cYdNwNkNrcZ:MoumZbNNun8vfbxERTipHdKYdCNk1s

Score

10^/10

raccoon stealer

Malware Config

Extracted

Family

raccoon

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

1b10be824ca0b2c31f43d296dc3df490.exe

pid process

1728 1b10be824ca0b2c31f43d296dc3df490.exe
Loads dropped DLL 1 IoCs

Processes:

1b10be824ca0b2c31f43d296dc3df490.exe

pid process

1388 1b10be824ca0b2c31f43d296dc3df490.exe

pid	process
1728	1b10be824ca0b2c31f43d296dc3df490.exe

pid	process
1388	1b10be824ca0b2c31f43d296dc3df490.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

1b10be824ca0b2c31f43d296dc3df490.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	1b10be824ca0b2c31f43d296dc3df490.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1b10be824ca0b2c31f43d296dc3df490.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	1b10be824ca0b2c31f43d296dc3df490.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	1b10be824ca0b2c31f43d296dc3df490.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1b10be824ca0b2c31f43d296dc3df490.exe

pid process

1728 1b10be824ca0b2c31f43d296dc3df490.exe
1728 1b10be824ca0b2c31f43d296dc3df490.exe

pid	process
1728	1b10be824ca0b2c31f43d296dc3df490.exe
1728	1b10be824ca0b2c31f43d296dc3df490.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1b10be824ca0b2c31f43d296dc3df490.exe

description	pid	process	target process
PID 1388 wrote to memory of 1728	1388	1b10be824ca0b2c31f43d296dc3df490.exe	1b10be824ca0b2c31f43d296dc3df490.exe
PID 1388 wrote to memory of 1728	1388	1b10be824ca0b2c31f43d296dc3df490.exe	1b10be824ca0b2c31f43d296dc3df490.exe
PID 1388 wrote to memory of 1728	1388	1b10be824ca0b2c31f43d296dc3df490.exe	1b10be824ca0b2c31f43d296dc3df490.exe
PID 1388 wrote to memory of 1728	1388	1b10be824ca0b2c31f43d296dc3df490.exe	1b10be824ca0b2c31f43d296dc3df490.exe
PID 1388 wrote to memory of 1728	1388	1b10be824ca0b2c31f43d296dc3df490.exe	1b10be824ca0b2c31f43d296dc3df490.exe
PID 1388 wrote to memory of 1728	1388	1b10be824ca0b2c31f43d296dc3df490.exe	1b10be824ca0b2c31f43d296dc3df490.exe
PID 1388 wrote to memory of 1728	1388	1b10be824ca0b2c31f43d296dc3df490.exe	1b10be824ca0b2c31f43d296dc3df490.exe

C:\Users\Admin\AppData\Local\Temp\1b10be824ca0b2c31f43d296dc3df490.exe
"C:\Users\Admin\AppData\Local\Temp\1b10be824ca0b2c31f43d296dc3df490.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\jds7084957.tmp\1b10be824ca0b2c31f43d296dc3df490.exe
  "C:\Users\Admin\AppData\Local\Temp\jds7084957.tmp\1b10be824ca0b2c31f43d296dc3df490.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds7084957.tmp\1b10be824ca0b2c31f43d296dc3df490.exe

Filesize
56.6MB

MD5
3861f5205fd11c1bc8e1e3c4303a646c

SHA1
522e7f7d69b9dee671c8b838a968adc69f1bf8bd

SHA256
9c4318199b9cf0ce4587ebb2ef6957445655d4a337d441505e6b1176669bd680

SHA512
41510e66ec594279175c38acf7f07353dfaacf6d7a9b0304d5d730a14b9851150748938866e73862ff1b1f778a9eebfaa6ccb88cd08ccc3f19e0b64d23e7fa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7084957.tmp\1b10be824ca0b2c31f43d296dc3df490.exe

Filesize
56.6MB

MD5
3861f5205fd11c1bc8e1e3c4303a646c

SHA1
522e7f7d69b9dee671c8b838a968adc69f1bf8bd

SHA256
9c4318199b9cf0ce4587ebb2ef6957445655d4a337d441505e6b1176669bd680

SHA512
41510e66ec594279175c38acf7f07353dfaacf6d7a9b0304d5d730a14b9851150748938866e73862ff1b1f778a9eebfaa6ccb88cd08ccc3f19e0b64d23e7fa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
f8b76baa80c7663758e17ac240d8566b

SHA1
cd573ec322f500cc179734706044634959449863

SHA256
38a00c73a477d4de9f361682a2489e3742f1b3ada723b06e61171c80002568e5

SHA512
fd667cd6f1d6c2d39d7fb4b7ee5c002a6380808a221f0bcbd696b6f3f34e7b7106c458f563c49b3d1fe4c5c2d37ab866a87fcb23e945a981f8c9b6619dac0008

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
f8b76baa80c7663758e17ac240d8566b

SHA1
cd573ec322f500cc179734706044634959449863

SHA256
38a00c73a477d4de9f361682a2489e3742f1b3ada723b06e61171c80002568e5

SHA512
fd667cd6f1d6c2d39d7fb4b7ee5c002a6380808a221f0bcbd696b6f3f34e7b7106c458f563c49b3d1fe4c5c2d37ab866a87fcb23e945a981f8c9b6619dac0008

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
337972ff7429453a00839a431b913478

SHA1
5b8fc980ba64590e6946a01252d3db8245af8855

SHA256
bd5b4ac382f720816081ca6772fb8ef2721c9c2ddcc25f46b04eb7129ebfe7dc

SHA512
7d7b65d5e2df5876b00a15f36b659b64851e1b235f1718c0c2edb5f172d3d26fdacd651955d36265da8867433b0a2932f7e2db56f66151433d70ea36f6501f58

Download Submit
\Users\Admin\AppData\Local\Temp\jds7084957.tmp\1b10be824ca0b2c31f43d296dc3df490.exe

Filesize
56.6MB

MD5
3861f5205fd11c1bc8e1e3c4303a646c

SHA1
522e7f7d69b9dee671c8b838a968adc69f1bf8bd

SHA256
9c4318199b9cf0ce4587ebb2ef6957445655d4a337d441505e6b1176669bd680

SHA512
41510e66ec594279175c38acf7f07353dfaacf6d7a9b0304d5d730a14b9851150748938866e73862ff1b1f778a9eebfaa6ccb88cd08ccc3f19e0b64d23e7fa76

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads