raccoon | a040c35ef32cbe289d5bc2b8014adcb961ab3aed1e2873d1f2e335933e97927b

Analysis

max time kernel
31s
max time network
43s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
26-06-2023 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114319af1b37e7a22a3fd57d722e7f7a.bin.exe
Size

508KB
MD5

114319af1b37e7a22a3fd57d722e7f7a
SHA1

c39e805df8a43f140ae3af3ae72d6b62c9106bc9
SHA256

a040c35ef32cbe289d5bc2b8014adcb961ab3aed1e2873d1f2e335933e97927b
SHA512

b655367e07eb81ba21b215ca6140a038c0850a05be97d7a1e0381865a099e4250ca4045bfaf9852bfb2854ffa96107383568c38b901e1e63f3f14f439f1e7f37
SSDEEP

12288:ntH5NLaAdDhAAEIFcWX+t4o763GgB5KEA8GsEiybiL:ntH5sAdXEIFcUo763XxbEiyM

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe	family_raccoon
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe	family_raccoon
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe	family_raccoon
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe	family_raccoon
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe	family_raccoon
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe	family_raccoon

Executes dropped EXE 2 IoCs

Processes:

2.1.1.1.exe2.1.1.1.exe

pid process

468 2.1.1.1.exe
1416 2.1.1.1.exe
Loads dropped DLL 4 IoCs

Processes:

2.1.1.1.exe

pid process

468 2.1.1.1.exe
468 2.1.1.1.exe
468 2.1.1.1.exe
468 2.1.1.1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
468	2.1.1.1.exe
1416	2.1.1.1.exe

pid	process
468	2.1.1.1.exe
468	2.1.1.1.exe
468	2.1.1.1.exe
468	2.1.1.1.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

114319af1b37e7a22a3fd57d722e7f7a.bin.execmd.exe2.1.1.1.exe

description	pid	process	target process
PID 872 wrote to memory of 844	872	114319af1b37e7a22a3fd57d722e7f7a.bin.exe	cmd.exe
PID 872 wrote to memory of 844	872	114319af1b37e7a22a3fd57d722e7f7a.bin.exe	cmd.exe
PID 872 wrote to memory of 844	872	114319af1b37e7a22a3fd57d722e7f7a.bin.exe	cmd.exe
PID 872 wrote to memory of 844	872	114319af1b37e7a22a3fd57d722e7f7a.bin.exe	cmd.exe
PID 844 wrote to memory of 468	844	cmd.exe	2.1.1.1.exe
PID 844 wrote to memory of 468	844	cmd.exe	2.1.1.1.exe
PID 844 wrote to memory of 468	844	cmd.exe	2.1.1.1.exe
PID 844 wrote to memory of 468	844	cmd.exe	2.1.1.1.exe
PID 468 wrote to memory of 1416	468	2.1.1.1.exe	2.1.1.1.exe
PID 468 wrote to memory of 1416	468	2.1.1.1.exe	2.1.1.1.exe
PID 468 wrote to memory of 1416	468	2.1.1.1.exe	2.1.1.1.exe
PID 468 wrote to memory of 1416	468	2.1.1.1.exe	2.1.1.1.exe

C:\Users\Admin\AppData\Local\Temp\114319af1b37e7a22a3fd57d722e7f7a.bin.exe
"C:\Users\Admin\AppData\Local\Temp\114319af1b37e7a22a3fd57d722e7f7a.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\2.1.1.1.exe
    2.1.1.1.exe -pAlex.199455alex.199455 -dC:\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe"
      4⤵
      Executes dropped EXE
      PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.1.1.1.exe

Filesize
338KB

MD5
9f7c947242b7ce3f185b04713d86d127

SHA1
ab270f914dec3eece3131dfbd5d22cad87f42ab9

SHA256
cd61404e2f0c45db3598d29e0d194b57905cb6dd9c55e5775fc10b1a46bfe993

SHA512
573ffbdbedbe18a24fad9a78d4704226b46928eca8edb945a9824293a66631752fcc449717ed46d6152d923537178bb74731f163f433d7152b721b9151f45a22

Download Submit
C:\2.1.1.1.exe

Filesize
338KB

MD5
9f7c947242b7ce3f185b04713d86d127

SHA1
ab270f914dec3eece3131dfbd5d22cad87f42ab9

SHA256
cd61404e2f0c45db3598d29e0d194b57905cb6dd9c55e5775fc10b1a46bfe993

SHA512
573ffbdbedbe18a24fad9a78d4704226b46928eca8edb945a9824293a66631752fcc449717ed46d6152d923537178bb74731f163f433d7152b721b9151f45a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe

Filesize
50KB

MD5
3357867b4c095d1cf04d3d648eed5b4c

SHA1
4463030c518306e8eb1f811e3fefde96fbf57fe2

SHA256
75ac5377b0ba78771b4f352edb5ea243b2fb478f3cbe9e94ea559150125af13d

SHA512
3592c20a31541385238faebee0d7618ebd2a1cf58eb625585c2033586be0d2db5b671117a00989d633c44acdcc52c0a78a27fdd8e9a50da27792dbc88cc70f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe

Filesize
50KB

MD5
3357867b4c095d1cf04d3d648eed5b4c

SHA1
4463030c518306e8eb1f811e3fefde96fbf57fe2

SHA256
75ac5377b0ba78771b4f352edb5ea243b2fb478f3cbe9e94ea559150125af13d

SHA512
3592c20a31541385238faebee0d7618ebd2a1cf58eb625585c2033586be0d2db5b671117a00989d633c44acdcc52c0a78a27fdd8e9a50da27792dbc88cc70f67

Download Submit
C:\start.bat

Filesize
42B

MD5
c18e7402bfc924e0e3ef7c92b4d6db50

SHA1
e185027b2988cec5a919f72f79e42c17c7201297

SHA256
5fd3394e00feef9fc0c970fd02c2f91057e92ad8970559704ae3224968192c9e

SHA512
73ecaa2b760cbd11f24fd58f8f5c3dea947cfc7e58c9ef098b304a141062456982f93104b6fa16df212c8464a20daf029503f7752cd8e77e52b2aca027f05479

Download Submit
C:\start.bat

Filesize
42B

MD5
c18e7402bfc924e0e3ef7c92b4d6db50

SHA1
e185027b2988cec5a919f72f79e42c17c7201297

SHA256
5fd3394e00feef9fc0c970fd02c2f91057e92ad8970559704ae3224968192c9e

SHA512
73ecaa2b760cbd11f24fd58f8f5c3dea947cfc7e58c9ef098b304a141062456982f93104b6fa16df212c8464a20daf029503f7752cd8e77e52b2aca027f05479

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe

Filesize
50KB

MD5
3357867b4c095d1cf04d3d648eed5b4c

SHA1
4463030c518306e8eb1f811e3fefde96fbf57fe2

SHA256
75ac5377b0ba78771b4f352edb5ea243b2fb478f3cbe9e94ea559150125af13d

SHA512
3592c20a31541385238faebee0d7618ebd2a1cf58eb625585c2033586be0d2db5b671117a00989d633c44acdcc52c0a78a27fdd8e9a50da27792dbc88cc70f67

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe

Filesize
50KB

MD5
3357867b4c095d1cf04d3d648eed5b4c

SHA1
4463030c518306e8eb1f811e3fefde96fbf57fe2

SHA256
75ac5377b0ba78771b4f352edb5ea243b2fb478f3cbe9e94ea559150125af13d

SHA512
3592c20a31541385238faebee0d7618ebd2a1cf58eb625585c2033586be0d2db5b671117a00989d633c44acdcc52c0a78a27fdd8e9a50da27792dbc88cc70f67

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe

Filesize
50KB

MD5
3357867b4c095d1cf04d3d648eed5b4c

SHA1
4463030c518306e8eb1f811e3fefde96fbf57fe2

SHA256
75ac5377b0ba78771b4f352edb5ea243b2fb478f3cbe9e94ea559150125af13d

SHA512
3592c20a31541385238faebee0d7618ebd2a1cf58eb625585c2033586be0d2db5b671117a00989d633c44acdcc52c0a78a27fdd8e9a50da27792dbc88cc70f67

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.1.1.1.exe

Filesize
50KB

MD5
3357867b4c095d1cf04d3d648eed5b4c

SHA1
4463030c518306e8eb1f811e3fefde96fbf57fe2

SHA256
75ac5377b0ba78771b4f352edb5ea243b2fb478f3cbe9e94ea559150125af13d

SHA512
3592c20a31541385238faebee0d7618ebd2a1cf58eb625585c2033586be0d2db5b671117a00989d633c44acdcc52c0a78a27fdd8e9a50da27792dbc88cc70f67

Download Submit