raccoon | 6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1

General

Target

6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe
Size

3.4MB
MD5

a8c1f96c58503a9c766c7ed239263260
SHA1

37069d83d46b51baceb396c1947891e3974e7594
SHA256

6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1
SHA512

c52b7dd8b56f955f8d88380d718045a02cbd7832caff6941e611465ef54cc8dad680055d9d2abdf27e5d354ebd079547e53ceb8f56e74678b999e0185969cb35
SSDEEP

49152:i+vDJjWt5tw0YCFs7JojDRmrlOt9lSyA8a0c1bEP0EDrmLKW2l6a77Z:i+vDJjWt5tRYTUe0fJKJbpKWi1

Score

10^/10

raccoon f80018d0f7c5463eabb5c698eb201532 stealer

Malware Config

Extracted

Family

raccoon

Botnet

f80018d0f7c5463eabb5c698eb201532

C2

http://5.42.65.18:80/

http://5.42.64.13:80/

http://5.42.65.17:80/

http://5.42.65.12:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Executes dropped EXE 1 IoCs

Processes:

sryhcddlhd

pid process

628 sryhcddlhd

pid	process
628	sryhcddlhd

Loads dropped DLL 6 IoCs

Processes:

6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe

pid	process
1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe
1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe
1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe
1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe
1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe
1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe

description	pid	process	target process
PID 1720 set thread context of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe

description	pid	process	target process
PID 1720 wrote to memory of 2012	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	rhhfyakiia
PID 1720 wrote to memory of 2012	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	rhhfyakiia
PID 1720 wrote to memory of 2012	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	rhhfyakiia
PID 1720 wrote to memory of 2012	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	rhhfyakiia
PID 1720 wrote to memory of 1484	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	dwxrrgeonc
PID 1720 wrote to memory of 1484	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	dwxrrgeonc
PID 1720 wrote to memory of 1484	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	dwxrrgeonc
PID 1720 wrote to memory of 1484	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	dwxrrgeonc
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd
PID 1720 wrote to memory of 628	1720	6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe	sryhcddlhd

C:\Users\Admin\AppData\Local\Temp\6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe
"C:\Users\Admin\AppData\Local\Temp\6c8a2cea4dbf018262fc7ccf569de510c0a58612806a2be73a68d82f7b05d1c1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\A1BCaB64\rhhfyakiia
  "C:\Users\Admin\AppData\Local\Temp\A1BCaB64\rhhfyakiia"
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\3DBb\dwxrrgeonc
  "C:\Users\Admin\AppData\Local\Temp\3DBb\dwxrrgeonc"
  2⤵
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\63ddBbacBa\sryhcddlhd
  "C:\Users\Admin\AppData\Local\Temp\63ddBbacBa\sryhcddlhd"
  2⤵
  - Executes dropped EXE
  PID:628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63ddBbacBa\sryhcddlhd

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1BCaB64\rhhfyakiia

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
\Users\Admin\AppData\Local\Temp\3DBb\dwxrrgeonc

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
\Users\Admin\AppData\Local\Temp\3DBb\dwxrrgeonc

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
\Users\Admin\AppData\Local\Temp\63ddBbacBa\sryhcddlhd

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
\Users\Admin\AppData\Local\Temp\63ddBbacBa\sryhcddlhd

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
\Users\Admin\AppData\Local\Temp\A1BCaB64\rhhfyakiia

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
\Users\Admin\AppData\Local\Temp\A1BCaB64\rhhfyakiia

Filesize
1.4MB

MD5
aeb47b393079d8c92169f1ef88dd5696

SHA1
633602bae798867894494717268ca818f923ca18

SHA256
d83494cfb155056118365455f5396401e97bd50a156242f2b5025a44c67095b1

SHA512
7ed48d1bf7e514a736a34842a5a3ed18ade06a304b45c0520bd15c53cb95a8bf997c073030a88c1133c7df6e5ad08f44fe1a89ee90c79499e6fd54ce3fcd1ba0

Download Submit
memory/628-81-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/628-82-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-79-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-83-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-85-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-88-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-89-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads