raccoon | dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2023 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

971KB
MD5

c3e9908d1e901feba57d1787d20890bb
SHA1

72411751972fac27bccc40df6daf287893a82a2d
SHA256

dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247
SHA512

28a6535d4fdf58ebc0dffbc470a3d4dbc8e3c9d8e96c8d471bf69902152d795ab5d5867b8d5a96cdb4a2eb59529b127d233d14e190cb3c4ede3e9d594d411889
SSDEEP

12288:qJjXuA5ao5Xc3Foj2btm0S82Iz89LUzLeGOMFWhLpUrc+nT9vwM5Lru7h2xC+:smBF2C20LDIhLpUI+vHxC+

Score

10^/10

raccoon 3f5db940cf0d55359bd7997f1d8cbde7 stealer

Malware Config

Extracted

Family

raccoon

Botnet

3f5db940cf0d55359bd7997f1d8cbde7

http://91.242.229.237:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/212-160-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/212-163-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/212-164-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1332 set thread context of 212 1332 tmp.exe MsBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid process

1332 tmp.exe
1332 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 1332 tmp.exe

description	pid	process	target process
PID 1332 set thread context of 212	1332	tmp.exe	MsBuild.exe

pid	process
1332	tmp.exe
1332	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1332	tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1332 wrote to memory of 2700	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 2700	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 2700	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe
PID 1332 wrote to memory of 212	1332	tmp.exe	MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  PID:212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-160-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/212-164-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/212-163-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1332-146-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-150-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-140-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-142-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-144-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-133-0x0000000000920000-0x0000000000A16000-memory.dmp

Filesize
984KB

Download
memory/1332-148-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-138-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-152-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-154-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-155-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1332-157-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-159-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-136-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-135-0x0000000005440000-0x0000000005455000-memory.dmp

Filesize
84KB

Download
memory/1332-134-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download