raccoon | 9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
Size

3.5MB
MD5

7aa8353d95576dfdd42d2382ffe0e626
SHA1

9798cd96ca573c6f54fc84611cfc4a7802212dea
SHA256

9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77
SHA512

f536592a62c5b510f05dc05b866c59557a7246052605551d364c4c1a9d9f8b94f01dbd3cf8526e4a5bded4dd81791923f14f424310d712306b523c3aca8bbc64
SSDEEP

24576:yqCSpM9XJSnFTGkzgB3uz60e5Lb1HCfLSovTaCqbvF+WKzQqW/pt64Y5v7QHuHOa:yqCgHny3COVb1HCfLpv

Score

10^/10

raccoon fa72f4c1fbe65cee8651140fd47267ba stealer

Malware Config

Extracted

Family

raccoon

Botnet

fa72f4c1fbe65cee8651140fd47267ba

http://193.142.147.59:80

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4112-1467-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral1/memory/4112-1470-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

Processes:

9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

description	pid	process	target process
PID 1864 set thread context of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

pid	process
1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

description pid process

Token: SeDebugPrivilege 1864 9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

description	pid	process
Token: SeDebugPrivilege	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

description	pid	process	target process
PID 1864 wrote to memory of 3324	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 3324	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 3324	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
PID 1864 wrote to memory of 4112	1864	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe	9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe

C:\Users\Admin\AppData\Local\Temp\9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
"C:\Users\Admin\AppData\Local\Temp\9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
  C:\Users\Admin\AppData\Local\Temp\9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
  2⤵
  PID:3324
- C:\Users\Admin\AppData\Local\Temp\9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
  C:\Users\Admin\AppData\Local\Temp\9d05e8ef93511f02e7f0d270402b37658817a2d233f9cd12b40b87d4a4af7a77.exe
  2⤵
  PID:4112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-173-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-1469-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/1864-135-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/1864-133-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/1864-137-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-139-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-141-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-143-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-145-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-147-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-149-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-151-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-153-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-155-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-157-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-159-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-161-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-177-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-167-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-165-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-169-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-171-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-136-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-134-0x00000000001A0000-0x0000000000526000-memory.dmp

Filesize
3.5MB

Download
memory/1864-163-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-179-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-181-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-183-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-185-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-187-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-189-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-191-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-193-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-195-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-197-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-199-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-1458-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1864-1459-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/1864-1460-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/1864-1461-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/1864-1462-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/1864-175-0x0000000004F00000-0x0000000004FC7000-memory.dmp

Filesize
796KB

Download
memory/1864-1468-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/4112-1467-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4112-1470-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download