raccoon | 95d646959e53e56f07dad3309366b8e9ce6355881ceeeac17e4254fbc1d2f30e

Analysis

max time kernel
144s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample/Pre_Satup1_Activate.exe
Size

66.0MB
MD5

60c266e24923ebb2f88f2e29d45cc553
SHA1

893fa582caeca62faf5fccce950f5b654ef339c5
SHA256

d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e
SHA512

e2c87a7c2fa8a3f07fff03505592c74a5528249c40e40573deb2a5dfc2961a99ac6f4d28324982555f7296d706901940f66e6a85e25a4492d42f1e674943fd15
SSDEEP

12288:cTSptB012lD9Gx/4fj0gcSyGD8Apjl4IWQAqOs/Dq1tXLi1CBpojCSguSYrsE1EP:cTam2bGwPc651uI9BCXhcjCSRrNgougc

Score

10^/10

raccoon 5ec3a3775a41038ee7acd6146ee95411 stealer

Malware Config

Extracted

Family

raccoon

Botnet

5ec3a3775a41038ee7acd6146ee95411

http://94.142.138.6:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-209-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/4848-212-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Executes dropped EXE 2 IoCs

Processes:

Blowjob.pifBlowjob.pif

pid process

2272 Blowjob.pif
4848 Blowjob.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Blowjob.pif

description pid process target process

PID 2272 set thread context of 4848 2272 Blowjob.pif Blowjob.pif
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1068 PING.EXE

pid	process
2272	Blowjob.pif
4848	Blowjob.pif

description	pid	process	target process
PID 2272 set thread context of 4848	2272	Blowjob.pif	Blowjob.pif

pid	process
1068	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exeBlowjob.pif

pid	process
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5096 powershell.exe
Token: SeDebugPrivilege 4408 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Blowjob.pif

pid process

2272 Blowjob.pif
2272 Blowjob.pif
2272 Blowjob.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Blowjob.pif

pid process

2272 Blowjob.pif
2272 Blowjob.pif
2272 Blowjob.pif

description	pid	process
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe

pid	process
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif

pid	process
2272	Blowjob.pif
2272	Blowjob.pif
2272	Blowjob.pif

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Pre_Satup1_Activate.execmd.execmd.exeBlowjob.pif

description	pid	process	target process
PID 2156 wrote to memory of 2464	2156	Pre_Satup1_Activate.exe	cmd.exe
PID 2156 wrote to memory of 2464	2156	Pre_Satup1_Activate.exe	cmd.exe
PID 2156 wrote to memory of 2464	2156	Pre_Satup1_Activate.exe	cmd.exe
PID 2464 wrote to memory of 2016	2464	cmd.exe	cmd.exe
PID 2464 wrote to memory of 2016	2464	cmd.exe	cmd.exe
PID 2464 wrote to memory of 2016	2464	cmd.exe	cmd.exe
PID 2016 wrote to memory of 5096	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 5096	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 5096	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 4408	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 4408	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 4408	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 3804	2016	cmd.exe	findstr.exe
PID 2016 wrote to memory of 3804	2016	cmd.exe	findstr.exe
PID 2016 wrote to memory of 3804	2016	cmd.exe	findstr.exe
PID 2016 wrote to memory of 2272	2016	cmd.exe	Blowjob.pif
PID 2016 wrote to memory of 2272	2016	cmd.exe	Blowjob.pif
PID 2016 wrote to memory of 2272	2016	cmd.exe	Blowjob.pif
PID 2016 wrote to memory of 1068	2016	cmd.exe	PING.EXE
PID 2016 wrote to memory of 1068	2016	cmd.exe	PING.EXE
PID 2016 wrote to memory of 1068	2016	cmd.exe	PING.EXE
PID 2272 wrote to memory of 4848	2272	Blowjob.pif	Blowjob.pif
PID 2272 wrote to memory of 4848	2272	Blowjob.pif	Blowjob.pif
PID 2272 wrote to memory of 4848	2272	Blowjob.pif	Blowjob.pif
PID 2272 wrote to memory of 4848	2272	Blowjob.pif	Blowjob.pif
PID 2272 wrote to memory of 4848	2272	Blowjob.pif	Blowjob.pif

C:\Users\Admin\AppData\Local\Temp\sample\Pre_Satup1_Activate.exe
"C:\Users\Admin\AppData\Local\Temp\sample\Pre_Satup1_Activate.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Childhood & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avgui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4408
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^Productive$" Aerospace
      4⤵
      PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\825\16720\Blowjob.pif
      16720\\Blowjob.pif 16720\\f
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\825\16720\Blowjob.pif
        
        C:\Users\Admin\AppData\Local\Temp\825\16720\Blowjob.pif
        5⤵
        Executes dropped EXE
        
        PID:4848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6ff3226b548dfd0118c8f6c1f17b7896

SHA1
71038f2c89bd488bfa14ba4c9a0ecc973069fa70

SHA256
eda8d57286ab021f67078dc86cff7c652301882145f06c8dcdb7ebe3eea51c71

SHA512
0a00b885a5aa39d91e5c35c12945b5c81f5f225ad88eda80a31e78c8525594041474064fbd5677df3578ec258b0fa7fb385c35309a9d68f32a3d61633f17a70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\16720\Blowjob.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\16720\Blowjob.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Aerospace

Filesize
925KB

MD5
1c4982e3438944b8f83aa65724f12b76

SHA1
3c7fa8789c4cd7b86cbe9fb0a085458d5ab3585a

SHA256
d731b0fff7bcf675ce80b199815e1ff9811d034de50b06c2a9d896b9d40a36c3

SHA512
51992edcf7e4724efce1f1b2bd8e283214bd5c96befc0846601cbfab2add493dd5f976405f946b0e84337de7dfa8714cc1015363e5379c91392344da6a7e207f

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Aluminum

Filesize
46KB

MD5
94635f41a6d8323d39af6c6c30c14be8

SHA1
250a7adb4a9121a9af4d7a9f56499983991060ff

SHA256
f523777f4bf7ce6848149ea6e36b25bc8b5e03769928dfadc9e7b792de703e27

SHA512
180b285821520d74c2f7eaa22386c9ab7df68148f3a737016dbc5c7aeec504d903e58caf91a8f73cc1487f8f905bc725fd0b29bdd8a7f9b6b22b237f0353e7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Childhood

Filesize
13KB

MD5
4247653db82d81645c04ee8f612d05b7

SHA1
2f3afb842618e52a0f8bac6d7e8cfb2fa42e91a7

SHA256
df9b5274ee9c66fa4d4551e7d66395943994dc860741eb94a51d3063a85bb841

SHA512
e7eb936c2e4e2d7e3472696a8ed617958f66698deef0effe6737e95851b8d3176ff47ba684ec7bf985328f1688da6476052a87a535a0d9c644a73692fecb0b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Contacting

Filesize
187KB

MD5
fa31f412920d519afaecad841072504b

SHA1
4e9561eead20180093cf6564574260347b5d3b0f

SHA256
6f7c2154e61367b69705a39444a6dd2c57bf4d89053bfa139cb4b0fd394f78c5

SHA512
61027b511727640bf9ad74a64832f81847486b06faea3e21171f0959b6944d8b7f21be9612bcdd76de88d31db396874eb1a1476961e56b24b7f89d5090b4dd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Highlight

Filesize
169KB

MD5
366ac942bcc13df2a659e99d771cfa23

SHA1
1c05b41b499575268d53b853fce1b2e33905d81d

SHA256
ca3100d92e490e4d8e3ca1642a04f91eb1cac397315df925e4e9c479b18eccd1

SHA512
97c75d23e47cf74ac6cb7a553216d9729dacfcaafeef6e0a96004cd137645c5521b6a2b8eccce7b283995a64a4032f8453b0f8016a073fb0bad89c30bc5cf9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Locking

Filesize
42KB

MD5
4f59d5842829df2a71803b8334985746

SHA1
2c6d6086e89ffd0fb3e64b16326965cd32acfbe4

SHA256
1700de9665f7eab043f28d0e0f5d4039563d8ea3a82fa7684b17fce7a4f9b196

SHA512
42c10c60c0e7ddd4432c1dad949af9486f481ba2c6ee60c2afff8f652dee2ce04044d2aeea72cd50b54c78fd12d103d795633b30f37222f3b3dc0fb6ada9c537

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Musical

Filesize
126KB

MD5
b51a2fc6340983230de33717788065ad

SHA1
a07177941a3e58e74bba75c2d333340b72184a62

SHA256
276143873dc0b0e7b40d264ae8f60bc7b98a3e5654a72a687c1a05fd9f6126b7

SHA512
9ed6036a1e22ab5d1ee16f323eb4a0dae503ee981c4c993093bb8f00938f04f80db0f7dcc0ff5583df5332eb3d8294976fa0b9e988a7716ad3bb437d7316eb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Posing

Filesize
145KB

MD5
d9277462c4ea61fd77c3c56728aaaf6a

SHA1
58201d9466d4b00627c939b5531fe1eff679de3e

SHA256
414df9b35c79ae6697ea0808ee40874e8a7df371f5d97be2d2180cc2faa5fa92

SHA512
e52ccdcedc4765ede457cc199c7433d30b7267f54093a6a3b41d381865b52f167dcf5237191a9c4ace3ba80c8ed91e7c883efca6e1b64f5e9685f7504db9f642

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Potential

Filesize
184KB

MD5
17b163c694a038d993e023e318419fd1

SHA1
1ef91e8100a43d5c1019ba2e3cfd740ffa934bf7

SHA256
5377299d5f0e37733fdd06eb23d9de452d52cc1819e335e36b5a6125e03666d4

SHA512
d0a40fe63b7562c0da2a533e228418affa2ca3ba12f0d883fd49d883bb88676d5ac2dd8ae288e35c6ba0327dbb8b78e1cf100b3e3ee1884cfcf54ec6f782dad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Sports

Filesize
26KB

MD5
4bf552b7fed09347ebdb1d07d73d0218

SHA1
70085fafc53a37d1224e5a833f7276fcd583c3f4

SHA256
2b3f69926a2358a2467bf23918128656deb52692e1d6847d8a8557a7186d8147

SHA512
538d236a8d7a741a65110244afcfff1ef79a5eaee751bc09830555ca89974a5e532892b45eb6d2371fd9ee375124180fc0eea7dd804169c0305698428a20205d

Download Submit
C:\Users\Admin\AppData\Local\Temp\825\Uni

Filesize
474KB

MD5
561f5ee5d0a483b1adac9f617ed0769f

SHA1
72ff4f89f24a84a3b0b59bad1e5f8473d0bd02d7

SHA256
0f724983027f0af1088e30c71b20be81445ea3c9345e67cfba54ca4bc9a42a34

SHA512
bdde12beb18f7e2e005fe385d9277ac19d7f9d079e466cab6f3484b9eeab01ba59976c9812b4054cda155286294e8fdf1037673424121daa7d593d3c21bd0cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2quusd5.e2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2156-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2156-166-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2156-133-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2156-206-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2156-139-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2156-137-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2272-207-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4408-175-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4408-176-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4408-177-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4408-189-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-212-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4848-209-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5096-153-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/5096-173-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/5096-170-0x00000000079E0000-0x0000000007F84000-memory.dmp

Filesize
5.6MB

Download
memory/5096-169-0x00000000068C0000-0x00000000068E2000-memory.dmp

Filesize
136KB

Download
memory/5096-168-0x0000000006870000-0x000000000688A000-memory.dmp

Filesize
104KB

Download
memory/5096-167-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/5096-165-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/5096-155-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/5096-154-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/5096-152-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/5096-151-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/5096-150-0x0000000004DE0000-0x0000000004E16000-memory.dmp

Filesize
216KB

Download
memory/5096-149-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/5096-148-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download