raccoon | f325b3ce57189ecab575f5435116e05c1ba4639f3cf8ad8a76557c3b1865c222

Analysis

max time kernel
250s
max time network
263s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launch3r_3.64_win64_86-setup+manual.exe
Size

2.4MB
MD5

580e2ecf869c49814017ff7f91f8b7bb
SHA1

c8ed15560fd7646fb4877f94b7e2a6159e164d07
SHA256

0611a2575d6551136dcb1179ca9275270d51fffb43fb3af4a148e489ebd65500
SHA512

13e23d95f23d732001811a5b2029f3c626d86097187d168a302af5f15a6f13dafd1063ef2f4a47a7dd8f3327cf0e636988911a8e607d2eee8cf0cc5ac858f07d
SSDEEP

49152:s27jiTjx2gg83SLXAE4BaXsGacFoI08nqjKNpnhK:44g2hXhOunhK

Score

10^/10

raccoon 37a21c0aa81fac5a28180c5ed403e48d infostealer_generic stealer

Malware Config

Extracted

Family

raccoon

Botnet

37a21c0aa81fac5a28180c5ed403e48d

http://94.142.138.31:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/672-144-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Find unpacked information stealer based on possible SQL query to retrieve broswer data 1 IoCs

Detects infostealer.

infostealer_generic

Processes:

resource	yara_rule
behavioral2/memory/672-144-0x0000000000400000-0x000000000040F000-memory.dmp	infostealer_generic_browser_sql

Loads dropped DLL 1 IoCs

Processes:

dskquoui.exe

pid process

672 dskquoui.exe

pid	process
672	dskquoui.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Launch3r_3.64_win64_86-setup+manual.execmd.exe

description	pid	process	target process
PID 3936 set thread context of 2180	3936	Launch3r_3.64_win64_86-setup+manual.exe	cmd.exe
PID 2180 set thread context of 672	2180	cmd.exe	dskquoui.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Launch3r_3.64_win64_86-setup+manual.execmd.exe

pid process

3936 Launch3r_3.64_win64_86-setup+manual.exe
2180 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Launch3r_3.64_win64_86-setup+manual.execmd.exe

pid process

3936 Launch3r_3.64_win64_86-setup+manual.exe
2180 cmd.exe
2180 cmd.exe

pid	process
3936	Launch3r_3.64_win64_86-setup+manual.exe
2180	cmd.exe

pid	process
3936	Launch3r_3.64_win64_86-setup+manual.exe
2180	cmd.exe
2180	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Launch3r_3.64_win64_86-setup+manual.execmd.exe

description	pid	process	target process
PID 3936 wrote to memory of 2180	3936	Launch3r_3.64_win64_86-setup+manual.exe	cmd.exe
PID 3936 wrote to memory of 2180	3936	Launch3r_3.64_win64_86-setup+manual.exe	cmd.exe
PID 3936 wrote to memory of 2180	3936	Launch3r_3.64_win64_86-setup+manual.exe	cmd.exe
PID 3936 wrote to memory of 2180	3936	Launch3r_3.64_win64_86-setup+manual.exe	cmd.exe
PID 2180 wrote to memory of 672	2180	cmd.exe	dskquoui.exe
PID 2180 wrote to memory of 672	2180	cmd.exe	dskquoui.exe
PID 2180 wrote to memory of 672	2180	cmd.exe	dskquoui.exe
PID 2180 wrote to memory of 672	2180	cmd.exe	dskquoui.exe
PID 2180 wrote to memory of 672	2180	cmd.exe	dskquoui.exe

C:\Users\Admin\AppData\Local\Temp\Launch3r_3.64_win64_86-setup+manual.exe
"C:\Users\Admin\AppData\Local\Temp\Launch3r_3.64_win64_86-setup+manual.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\dskquoui.exe
    "C:\Users\Admin\AppData\Local\Temp\dskquoui.exe"
    3⤵
    - Loads dropped DLL
    PID:672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4e9a4e9

Filesize
414KB

MD5
17a38af9e579014cbd5a6bbb2ebcbed9

SHA1
400251ce865155ff773ff5d8910b918fad3dad48

SHA256
4f150df600db183c940f86f802e10dc42867e8baf5d24c2cb5c008a54cfc7e22

SHA512
9a2acd20a04790b6f75104d2bf51a094a2f225e3f99acd4fd1df6d2417e40ed2c4a18c776c401a6a352eeccac2478deb7e17bd6828caa12ccb6435ddf55f5483

Download Submit
C:\Users\Admin\AppData\Local\Temp\dskquoui.exe

Filesize
302KB

MD5
e545388198283ddf1427e379fdff0e0a

SHA1
4f34d6e9e4c46198d0a4be91a397642134159cfe

SHA256
cd3c09073a372e3706a2f6e5278532a6e9df7e4919f1ba5f9e5d4643cf05d305

SHA512
48f8576e76c9a8757dddd8b7719200cc0666c221dc7909c19b314766e28728f85e25e9294665099eaaf4eba4dbcc430abbf573d12a1bd627293be950738f75b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dskquoui.exe

Filesize
302KB

MD5
e545388198283ddf1427e379fdff0e0a

SHA1
4f34d6e9e4c46198d0a4be91a397642134159cfe

SHA256
cd3c09073a372e3706a2f6e5278532a6e9df7e4919f1ba5f9e5d4643cf05d305

SHA512
48f8576e76c9a8757dddd8b7719200cc0666c221dc7909c19b314766e28728f85e25e9294665099eaaf4eba4dbcc430abbf573d12a1bd627293be950738f75b7

Download Submit
memory/672-138-0x0000000073FE0000-0x0000000075234000-memory.dmp

Filesize
18.3MB

Download
memory/672-143-0x00007FFF281D0000-0x00007FFF283C5000-memory.dmp

Filesize
2.0MB

Download
memory/672-144-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/672-146-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/2180-135-0x00007FFF281D0000-0x00007FFF283C5000-memory.dmp

Filesize
2.0MB

Download