raccoon | 249ef6343e3a6316852abefe7c73400b57ff7204a05ff46011a00847ba52053e

General

Target

a02exe.exe
Size

6.0MB
MD5

7aa1b586401a170e3326782cce367025
SHA1

2ef37a3ecd522e5f954fca4eae4eb2c75bf155eb
SHA256

249ef6343e3a6316852abefe7c73400b57ff7204a05ff46011a00847ba52053e
SHA512

3e674e6c80f725ce6cb785089e9dd7e14961f6e32c6305b73baa945c7572b4857af2fb406df9f6c4632b1cb1ebb5ffdbf5173ee98d0c5678ddfc94f8d5f8cd60
SSDEEP

98304:2pReUPZtlw98TK6xFlbX6ujDqb2lyMJA1VHByvPk2xGtrNZMHQr8dFh5dQ5:N4Nwz6rlKu6bYfJApYk2cJAQwd5C

Score

10^/10

raccoon ad37f95ba4ec1fb964492c1f20f7a9ef stealer vmprotect

Malware Config

Extracted

Family

raccoon

Botnet

ad37f95ba4ec1fb964492c1f20f7a9ef

C2

http://45.144.28.189:80

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe	family_raccoon
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe	family_raccoon

Executes dropped EXE 2 IoCs

Processes:

2.1.1.exewfplwfs.exe

pid process

1828 2.1.1.exe
2852 wfplwfs.exe

pid	process
1828	2.1.1.exe
2852	wfplwfs.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe	vmprotect
behavioral2/memory/2852-151-0x0000000000400000-0x0000000000D47000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

Processes:

wfplwfs.exe

description pid process target process

PID 2852 set thread context of 4304 2852 wfplwfs.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

wfplwfs.exe

description ioc process

File created C:\Windows\Tasks\9998883f67d1c9fa.job wfplwfs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1112 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wfplwfs.exe

pid process

2852 wfplwfs.exe
2852 wfplwfs.exe
2852 wfplwfs.exe
2852 wfplwfs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

rundll32.exe

pid process

4304 rundll32.exe
4304 rundll32.exe
4304 rundll32.exe

description	pid	process	target process
PID 2852 set thread context of 4304	2852	wfplwfs.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\9998883f67d1c9fa.job	wfplwfs.exe

pid	process
1112	PING.EXE

pid	process
2852	wfplwfs.exe
2852	wfplwfs.exe
2852	wfplwfs.exe
2852	wfplwfs.exe

pid	process
4304	rundll32.exe
4304	rundll32.exe
4304	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

a02exe.execmd.exewfplwfs.exe

description	pid	process	target process
PID 4896 wrote to memory of 1828	4896	a02exe.exe	2.1.1.exe
PID 4896 wrote to memory of 1828	4896	a02exe.exe	2.1.1.exe
PID 4896 wrote to memory of 1828	4896	a02exe.exe	2.1.1.exe
PID 4896 wrote to memory of 2852	4896	a02exe.exe	wfplwfs.exe
PID 4896 wrote to memory of 2852	4896	a02exe.exe	wfplwfs.exe
PID 4896 wrote to memory of 2852	4896	a02exe.exe	wfplwfs.exe
PID 4896 wrote to memory of 3656	4896	a02exe.exe	cmd.exe
PID 4896 wrote to memory of 3656	4896	a02exe.exe	cmd.exe
PID 4896 wrote to memory of 3656	4896	a02exe.exe	cmd.exe
PID 3656 wrote to memory of 1112	3656	cmd.exe	PING.EXE
PID 3656 wrote to memory of 1112	3656	cmd.exe	PING.EXE
PID 3656 wrote to memory of 1112	3656	cmd.exe	PING.EXE
PID 2852 wrote to memory of 1312	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 1312	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 1312	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe
PID 2852 wrote to memory of 4304	2852	wfplwfs.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a02exe.exe
"C:\Users\Admin\AppData\Local\Temp\a02exe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
  C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\a02exe.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe

Filesize
478KB

MD5
eb75a43690afdea95c83ba331de640b7

SHA1
b65715468e185c3b54b60e075459a5f8b6e9c0f7

SHA256
21df0ff4710ab3ea44a1950745f9c71f3098bce46c5b0a7e86ba2777810ae855

SHA512
781a0b3fd4afecad6e4acf6cea53377b6c2d883fa9f14290f9530f7824fb4c1a89831edd2b67740392390bb984d530e1a34bcd45d350cec8341a8ffc55c01a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
00e390a1205827d15fd6d72fab3a463c

SHA1
3e38479211e619072fe75ab2dfc6bc4202bd597b

SHA256
9702a7ef479fee80accfa9c9394511b504e50b840e65063a41b8c97511e8cf6c

SHA512
dd3533e62d82f683c5011a22629c4c9747b0634ffa3aee4c78195aceb9d85070705d14c25cf1df8c8098a385b5216b114d000169e50083162df86612d30cfc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe

Filesize
5.4MB

MD5
00e390a1205827d15fd6d72fab3a463c

SHA1
3e38479211e619072fe75ab2dfc6bc4202bd597b

SHA256
9702a7ef479fee80accfa9c9394511b504e50b840e65063a41b8c97511e8cf6c

SHA512
dd3533e62d82f683c5011a22629c4c9747b0634ffa3aee4c78195aceb9d85070705d14c25cf1df8c8098a385b5216b114d000169e50083162df86612d30cfc72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\index.html

Filesize
1KB

MD5
12cf60e57791e7a8bd78033c9f308931

SHA1
f6c8a295064f7fa8553295e3cd8a9c62352f7c2c

SHA256
2f9f2fe135d66c296ab6071d01529623bac31d4a63ab073be3c6c1e20d34f50a

SHA512
72735d76803980afe7260d713a377f82316fa24109f1d2767b352984aa53d4a5e441a89d99aa3fdb32042dcb61b43d88465272bc98552892747829d7986cf3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\logo.png

Filesize
2KB

MD5
561a5a310ac6505c1dc2029a61632617

SHA1
f267ab458ec5d0f008a235461e466b1fd3ed14ee

SHA256
b41bd7c17b6bdfe6ae0d0dbbb5ce92fd38c4696833ae3333a1d81cf7e38d6e35

SHA512
4edb7ef8313e20bbc73fd96207c2076ce3bac0754a92bb00aff0259ffe1adf6f7e4d6917e7815fd643139a08bd4a0f325f66982378f94483ce1ee0924df6d3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qrcode.png

Filesize
1KB

MD5
e86f97eafd4497387e8aa1ce4a8a009e

SHA1
20b3ca7856f4332c6a764613e47a01bbfb52eac7

SHA256
3f39265762541d0f1c5a907b91c7bbdd5a6eca591f45205a17da7efddd94d9a4

SHA512
e62f64dca0a2221ce6d46765586e7672ec90a0bd107fe2be8400ed9a486f6044bf320c63b2c68780466a11e988b89e12a42147734ca9126a2aa37bca679e5494

Download Submit
memory/2852-148-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2852-147-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2852-149-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2852-150-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2852-151-0x0000000000400000-0x0000000000D47000-memory.dmp

Filesize
9.3MB

Download
memory/2852-146-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2852-145-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2852-144-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/4304-158-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4304-160-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4304-166-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads