raccoon | 03e96c022c76316f6b1db47895edb89666072c1b7104b863a9d229ea74b2ef0a

Analysis

max time kernel
33s
max time network
58s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 08:29

Target

lwg67u9jwvf.exe
Size

800KB
MD5

972abf3179291dfac99397b5ae996365
SHA1

8272904cb904a2c2103106023c039ee8515721e0
SHA256

03e96c022c76316f6b1db47895edb89666072c1b7104b863a9d229ea74b2ef0a
SHA512

c4d778f594de65974e53069a79660d7dc1073d2bceea76bcdf1b9037a5e9d6c5cf013b8b45723a255d9a288fb5edb17d110a8b5fef7818b44b1126135c409c74
SSDEEP

12288:I8v8SqEnVG0PmTh+kAUsdKI7iuNpH7K/:cfh+kfG7Dq

Score

10^/10

Family

raccoon

Botnet

ef0d247d8b1fe318a7366ceff90b173d

http://79.137.207.76:80/

xor.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-55-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/1540-61-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/1540-62-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/1556-63-0x0000000000C60000-0x0000000000D57000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

lwg67u9jwvf.exe

description pid process target process

PID 1556 set thread context of 1540 1556 lwg67u9jwvf.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1260 1556 WerFault.exe lwg67u9jwvf.exe

description	pid	process	target process
PID 1556 set thread context of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe

pid	pid_target	process	target process
1260	1556	WerFault.exe	lwg67u9jwvf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

lwg67u9jwvf.exe

description	pid	process	target process
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1540	1556	lwg67u9jwvf.exe	AppLaunch.exe
PID 1556 wrote to memory of 1260	1556	lwg67u9jwvf.exe	WerFault.exe
PID 1556 wrote to memory of 1260	1556	lwg67u9jwvf.exe	WerFault.exe
PID 1556 wrote to memory of 1260	1556	lwg67u9jwvf.exe	WerFault.exe
PID 1556 wrote to memory of 1260	1556	lwg67u9jwvf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\lwg67u9jwvf.exe
"C:\Users\Admin\AppData\Local\Temp\lwg67u9jwvf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 92
  2⤵
  - Program crash
  PID:1260

memory/1540-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1540-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1540-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1540-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1540-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1556-63-0x0000000000C60000-0x0000000000D57000-memory.dmp

Filesize
988KB

Download