raccoon | 03e96c022c76316f6b1db47895edb89666072c1b7104b863a9d229ea74b2ef0a

Analysis

max time kernel
30s
max time network
42s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 14:16

Target

lwg67u9jwvfexe.exe
Size

800KB
MD5

972abf3179291dfac99397b5ae996365
SHA1

8272904cb904a2c2103106023c039ee8515721e0
SHA256

03e96c022c76316f6b1db47895edb89666072c1b7104b863a9d229ea74b2ef0a
SHA512

c4d778f594de65974e53069a79660d7dc1073d2bceea76bcdf1b9037a5e9d6c5cf013b8b45723a255d9a288fb5edb17d110a8b5fef7818b44b1126135c409c74
SSDEEP

12288:I8v8SqEnVG0PmTh+kAUsdKI7iuNpH7K/:cfh+kfG7Dq

Score

10^/10

Family

raccoon

Botnet

ef0d247d8b1fe318a7366ceff90b173d

http://79.137.207.76:80/

xor.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-55-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/2036-61-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/2036-62-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/2012-63-0x0000000000FF0000-0x00000000010E7000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

lwg67u9jwvfexe.exe

description pid process target process

PID 2012 set thread context of 2036 2012 lwg67u9jwvfexe.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2004 2012 WerFault.exe lwg67u9jwvfexe.exe

description	pid	process	target process
PID 2012 set thread context of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe

pid	pid_target	process	target process
2004	2012	WerFault.exe	lwg67u9jwvfexe.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

lwg67u9jwvfexe.exe

description	pid	process	target process
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2036	2012	lwg67u9jwvfexe.exe	AppLaunch.exe
PID 2012 wrote to memory of 2004	2012	lwg67u9jwvfexe.exe	WerFault.exe
PID 2012 wrote to memory of 2004	2012	lwg67u9jwvfexe.exe	WerFault.exe
PID 2012 wrote to memory of 2004	2012	lwg67u9jwvfexe.exe	WerFault.exe
PID 2012 wrote to memory of 2004	2012	lwg67u9jwvfexe.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\lwg67u9jwvfexe.exe
"C:\Users\Admin\AppData\Local\Temp\lwg67u9jwvfexe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 92
  2⤵
  - Program crash
  PID:2004

memory/2012-63-0x0000000000FF0000-0x00000000010E7000-memory.dmp

Filesize
988KB

Download
memory/2036-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2036-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2036-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2036-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download