raccoon | dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcaea3df855bc03a272397952.exe
Size

971KB
MD5

c3e9908d1e901feba57d1787d20890bb
SHA1

72411751972fac27bccc40df6daf287893a82a2d
SHA256

dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247
SHA512

28a6535d4fdf58ebc0dffbc470a3d4dbc8e3c9d8e96c8d471bf69902152d795ab5d5867b8d5a96cdb4a2eb59529b127d233d14e190cb3c4ede3e9d594d411889
SSDEEP

12288:qJjXuA5ao5Xc3Foj2btm0S82Iz89LUzLeGOMFWhLpUrc+nT9vwM5Lru7h2xC+:smBF2C20LDIhLpUI+vHxC+

Score

10^/10

raccoon 3f5db940cf0d55359bd7997f1d8cbde7 stealer

Malware Config

Extracted

Family

raccoon

Botnet

3f5db940cf0d55359bd7997f1d8cbde7

http://91.242.229.237:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2976-159-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/2976-162-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/2976-163-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

dcaea3df855bc03a272397952.exe

description pid process target process

PID 4252 set thread context of 2976 4252 dcaea3df855bc03a272397952.exe MsBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dcaea3df855bc03a272397952.exe

description pid process

Token: SeDebugPrivilege 4252 dcaea3df855bc03a272397952.exe

description	pid	process	target process
PID 4252 set thread context of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe

description	pid	process
Token: SeDebugPrivilege	4252	dcaea3df855bc03a272397952.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dcaea3df855bc03a272397952.exe

description	pid	process	target process
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe
PID 4252 wrote to memory of 2976	4252	dcaea3df855bc03a272397952.exe	MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\dcaea3df855bc03a272397952.exe
"C:\Users\Admin\AppData\Local\Temp\dcaea3df855bc03a272397952.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-159-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2976-163-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2976-162-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4252-146-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-150-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-140-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-142-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-144-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-133-0x0000000000990000-0x0000000000A86000-memory.dmp

Filesize
984KB

Download
memory/4252-148-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-138-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-152-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-154-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-156-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-158-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-135-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-136-0x0000000005420000-0x0000000005435000-memory.dmp

Filesize
84KB

Download
memory/4252-134-0x0000000005490000-0x000000000552C000-memory.dmp

Filesize
624KB

Download