General

  • Target

    download

  • Size

    2KB

  • Sample

    230616-bwg3paca8t

  • MD5

    634af4851107a6c5b793239729b6face

  • SHA1

    4fd32fee94a9cf61c6dfaff372b202cdcb5cf07b

  • SHA256

    d562afaf0b39a01e09ebf1baf671ce163d68cf522ea5bcb5221fa8f4b2029db9

  • SHA512

    cbffe53df60ca53c0aa4ac7a8d5aa8143bf58edd2ebe65d06fccb3bfa527662b1e5dc7aff87976d96389d6a664b2763379a1f2be16846ba0b30d5c94bb05176b

Malware Config

Extracted

Family

raccoon

rc4.plain

Targets

    • Target

      download

    • Size

      2KB

    • MD5

      634af4851107a6c5b793239729b6face

    • SHA1

      4fd32fee94a9cf61c6dfaff372b202cdcb5cf07b

    • SHA256

      d562afaf0b39a01e09ebf1baf671ce163d68cf522ea5bcb5221fa8f4b2029db9

    • SHA512

      cbffe53df60ca53c0aa4ac7a8d5aa8143bf58edd2ebe65d06fccb3bfa527662b1e5dc7aff87976d96389d6a664b2763379a1f2be16846ba0b30d5c94bb05176b

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Blocklisted process makes network request

    • Contacts a large (585) number of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
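The signature list above is the sandbox's summary of what the sample did; a practitioner reproducing it from a raw API trace needs the mapping from individual calls (registry paths, drive roots, URLs) back to those behaviour names. The block below is an added example for this report, not Triage's own signature engine and not code from the Raccoon sample: it takes a constructed trace of (API, target) events and reports which of the report's signatures fire. The event tuple format, the registry paths, the API names per rule, the list of IP-lookup hosts and the host-count threshold are all assumptions chosen to resemble a typical Windows sandbox trace.

```python
"""Map sandbox API-call events to the behaviour signatures listed in the report.

Added example; not Triage's signature engine and not code from the analysed
sample.  Event format, registry paths, API names and the IP-lookup host list
are assumptions; SAMPLE_EVENTS is a constructed trace, not real sandbox output.
"""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# (Win32 API name, target: registry path, file path, URL or drive root)
Event = Tuple[str, str]

# Constructed trace, roughly in the order the report's signatures would fire.
SAMPLE_EVENTS: List[Event] = [
    ("RegQueryValueExW", r"HKCU\Control Panel\International\Geo\Nation"),
    ("RegQueryValueExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("RegEnumKeyExW", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("GetDriveTypeW", "C:\\"),
    ("GetDriveTypeW", "D:\\"),
    ("GetDriveTypeW", "E:\\"),
    ("InternetOpenUrlA", "http://api.ipify.org/"),
    ("CreateFileW", r"C:\Users\user\AppData\Local\Temp\desktop.ini"),
    ("RegSetValueExW", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

# Assumed: APIs whose target is a URL or host, and legitimate IP-lookup services.
NETWORK_APIS = {"InternetOpenUrlA", "InternetOpenUrlW", "WinHttpConnect", "connect", "getaddrinfo"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me", "ip-api.com"}
LARGE_HOST_COUNT = 100  # assumed threshold for "contacts a large number of remote hosts"

# Rule: (APIs it applies to, regex over the target).  Names mirror the report.
RULES = {
    "Adds Run key to start application": (
        {"RegSetValueExW", "RegCreateKeyExW"},
        re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)),
    "Checks installed software on the system": (
        {"RegOpenKeyExW", "RegEnumKeyExW", "RegQueryValueExW"},
        re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    "Checks computer location settings": (
        {"RegQueryValueExW"},
        re.compile(r"\\Control Panel\\International\\Geo\\", re.I)),
    "Checks whether UAC is enabled": (
        {"RegQueryValueExW"},
        re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    "Enumerates connected drives": (
        {"GetDriveTypeW", "GetVolumeInformationW"},
        re.compile(r"^[ABD-Z]:\\$")),  # any root other than C:
    "Drops desktop.ini file(s)": (
        {"CreateFileW", "NtCreateFile"},
        re.compile(r"\\desktop\.ini$", re.I)),
}


def _host_of(target: str) -> str:
    """Lower-case hostname from a URL or a bare host[:port] string."""
    parsed = urlparse(target if "://" in target else "//" + target)
    return (parsed.hostname or "").lower()


def match_signatures(events: Iterable[Event]) -> Dict[str, List[str]]:
    """Return {signature name: [matching targets]} for the given trace."""
    hits: Dict[str, List[str]] = {}
    for api, target in events:
        for name, (apis, pattern) in RULES.items():
            if api in apis and pattern.search(target):
                hits.setdefault(name, []).append(target)
        if api in NETWORK_APIS and _host_of(target) in IP_LOOKUP_HOSTS:
            hits.setdefault("Looks up external IP address via web service", []).append(_host_of(target))
    return hits


def remote_host_count(events: Iterable[Event]) -> int:
    """Distinct hosts contacted; compare against LARGE_HOST_COUNT."""
    return len({_host_of(t) for a, t in events if a in NETWORK_APIS})


if __name__ == "__main__":
    for name, targets in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {targets}")
    n = remote_host_count(SAMPLE_EVENTS)
    print(f"remote hosts: {n} ({'large' if n >= LARGE_HOST_COUNT else 'not large'})")
```

The drive rule deliberately ignores `C:\` so that a single `GetDriveTypeW` on the system drive, which almost every installer does, does not fire the signature; the report's wording ("other than the default C: drive") is what the regex encodes. Rules that need more than one event, such as the 585-host network signature, are better expressed as a count over the whole trace, as `remote_host_count` does, than as a per-event regex.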

MITRE ATT&CK Enterprise v6

Tasks