raccoon | dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247

Analysis

max time kernel
41s
max time network
55s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcaea3df855bc03a272397952.exe
Size

971KB
MD5

c3e9908d1e901feba57d1787d20890bb
SHA1

72411751972fac27bccc40df6daf287893a82a2d
SHA256

dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247
SHA512

28a6535d4fdf58ebc0dffbc470a3d4dbc8e3c9d8e96c8d471bf69902152d795ab5d5867b8d5a96cdb4a2eb59529b127d233d14e190cb3c4ede3e9d594d411889
SSDEEP

12288:qJjXuA5ao5Xc3Foj2btm0S82Iz89LUzLeGOMFWhLpUrc+nT9vwM5Lru7h2xC+:smBF2C20LDIhLpUI+vHxC+

Score

10^/10

raccoon 3f5db940cf0d55359bd7997f1d8cbde7 stealer

Malware Config

Extracted

Family

raccoon

Botnet

3f5db940cf0d55359bd7997f1d8cbde7

http://91.242.229.237:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3020-84-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/3020-86-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/3020-88-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/3020-89-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

dcaea3df855bc03a272397952.exe

description pid process target process

PID 2360 set thread context of 3020 2360 dcaea3df855bc03a272397952.exe MsBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dcaea3df855bc03a272397952.exe

description pid process

Token: SeDebugPrivilege 2360 dcaea3df855bc03a272397952.exe

description	pid	process	target process
PID 2360 set thread context of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe

description	pid	process
Token: SeDebugPrivilege	2360	dcaea3df855bc03a272397952.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dcaea3df855bc03a272397952.exe

description	pid	process	target process
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 2360 wrote to memory of 3020	2360	dcaea3df855bc03a272397952.exe	MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\dcaea3df855bc03a272397952.exe
"C:\Users\Admin\AppData\Local\Temp\dcaea3df855bc03a272397952.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  PID:3020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-54-0x0000000000370000-0x0000000000466000-memory.dmp

Filesize
984KB

Download
memory/2360-55-0x0000000000340000-0x0000000000368000-memory.dmp

Filesize
160KB

Download
memory/2360-56-0x0000000000670000-0x000000000068C000-memory.dmp

Filesize
112KB

Download
memory/2360-57-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-58-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-60-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-64-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-62-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-70-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-68-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-66-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-74-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-72-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-78-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-76-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/2360-80-0x0000000000670000-0x0000000000685000-memory.dmp

Filesize
84KB

Download
memory/3020-81-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3020-82-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3020-83-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3020-84-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3020-85-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-86-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3020-88-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3020-89-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download