Overview

overview

10

Static

static

7

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    99s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2023 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    6.7MB

  • MD5

    7fdff809af7d3b25c76709165a78a89e

  • SHA1

    6a62910a88111aad6a22924a8e1d1a35626f6bee

  • SHA256

    e1689f695b580c88f6b58274cfed905541749bd86f9f3cd95b70ae22387313ca

  • SHA512

    925fbf207a628989230ccbdb16e41eb8a54c9df801e05f4a3ee71d8f66557e97fdef7453b89f50f73d8ef812edb7ff43178a367a4f1f67b901ef1972cb35f950

  • SSDEEP

    98304:yQG23fmewHtW7ZgPsy8WtNyDqmNiRMkJlSqxegWtIoZv082OQvG5N8pbso2x+x:jaQy86+iRM8EIegG/ZvhWrgj6

Score
10/10
raccoon417f00e313b534b6267434933616178bevasionstealerthemidatrojan

Malware Config

Extracted

Family

raccoon

Botnet

417f00e313b534b6267434933616178b

C2

http://193.149.185.171

http://193.149.180.60

http://193.149.187.34
xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer payload 3 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4428
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
        PID:1352
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        2⤵
          PID:2736

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2736-144-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2736-147-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2736-148-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4428-133-0x0000000000EE0000-0x0000000001F10000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/4428-135-0x0000000000EE0000-0x0000000001F10000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/4428-136-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4428-138-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-139-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4428-141-0x0000000000EE0000-0x0000000001F10000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/4428-142-0x0000000000EE0000-0x0000000001F10000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/4428-143-0x000001F32F1F0000-0x000001F32F200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4428-150-0x0000000000EE0000-0x0000000001F10000-memory.dmp

        Filesize

        16.2MB

        Download