raccoon | ceb0b34bf3d2f9ef826aefe57e9f1c599925a5c57cb35425a5af808c5f1a979b

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2023 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fe3e6231388c1b5c97c89044117aa5.exe
Size

1.1MB
MD5

77fe3e6231388c1b5c97c89044117aa5
SHA1

42fe4de17b9121fd7364eaccbd0f1e356424f520
SHA256

ceb0b34bf3d2f9ef826aefe57e9f1c599925a5c57cb35425a5af808c5f1a979b
SHA512

9266e30f5a70ff824f1d266172dbc1cc3074d6b58722010c1451203b223cdaf9f33e811187fe7a57aa147714869044e9358faac63c904dbf4d1dd37dc17f400d
SSDEEP

24576:Lki4YGb0KwdK2JZMHyfv5Y5uqwgRDOiz4nBY:Lki4V0VDUIy5X9RDOk4ni

Score

10^/10

raccoon 3fcb8af1f84748c4ea416ee206ea216c stealer

Malware Config

Extracted

Family

raccoon

Botnet

3fcb8af1f84748c4ea416ee206ea216c

http://84.246.85.83:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2212-218-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/2212-221-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Executes dropped EXE 3 IoCs

Processes:

Di.pifDi.pifDi.pif

pid process

396 Di.pif
3500 Di.pif
2212 Di.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Di.pif

description pid process target process

PID 396 set thread context of 2212 396 Di.pif Di.pif
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2152 PING.EXE

pid	process
396	Di.pif
3500	Di.pif
2212	Di.pif

description	pid	process	target process
PID 396 set thread context of 2212	396	Di.pif	Di.pif

pid	process
2152	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exeDi.pif

pid	process
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe
5084	powershell.exe
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif
396	Di.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3660 powershell.exe
Token: SeDebugPrivilege 2200 powershell.exe
Token: SeDebugPrivilege 5084 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Di.pif

pid process

396 Di.pif
396 Di.pif
396 Di.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Di.pif

pid process

396 Di.pif
396 Di.pif
396 Di.pif

description	pid	process
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe

pid	process
396	Di.pif
396	Di.pif
396	Di.pif

pid	process
396	Di.pif
396	Di.pif
396	Di.pif

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

77fe3e6231388c1b5c97c89044117aa5.execmd.execmd.exeDi.pif

description	pid	process	target process
PID 1348 wrote to memory of 4440	1348	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 1348 wrote to memory of 4440	1348	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 1348 wrote to memory of 4440	1348	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 4440 wrote to memory of 5064	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 5064	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 5064	4440	cmd.exe	cmd.exe
PID 5064 wrote to memory of 3660	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 3660	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 3660	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 2200	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 2200	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 2200	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 5084	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 5084	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 5084	5064	cmd.exe	powershell.exe
PID 5064 wrote to memory of 4000	5064	cmd.exe	findstr.exe
PID 5064 wrote to memory of 4000	5064	cmd.exe	findstr.exe
PID 5064 wrote to memory of 4000	5064	cmd.exe	findstr.exe
PID 5064 wrote to memory of 396	5064	cmd.exe	Di.pif
PID 5064 wrote to memory of 396	5064	cmd.exe	Di.pif
PID 5064 wrote to memory of 396	5064	cmd.exe	Di.pif
PID 5064 wrote to memory of 2152	5064	cmd.exe	PING.EXE
PID 5064 wrote to memory of 2152	5064	cmd.exe	PING.EXE
PID 5064 wrote to memory of 2152	5064	cmd.exe	PING.EXE
PID 396 wrote to memory of 3500	396	Di.pif	Di.pif
PID 396 wrote to memory of 3500	396	Di.pif	Di.pif
PID 396 wrote to memory of 3500	396	Di.pif	Di.pif
PID 396 wrote to memory of 2212	396	Di.pif	Di.pif
PID 396 wrote to memory of 2212	396	Di.pif	Di.pif
PID 396 wrote to memory of 2212	396	Di.pif	Di.pif
PID 396 wrote to memory of 2212	396	Di.pif	Di.pif
PID 396 wrote to memory of 2212	396	Di.pif	Di.pif

C:\Users\Admin\AppData\Local\Temp\77fe3e6231388c1b5c97c89044117aa5.exe
"C:\Users\Admin\AppData\Local\Temp\77fe3e6231388c1b5c97c89044117aa5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Risks & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avgui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process nswscsvc
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5084
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^Retain$" Stephanie
      4⤵
      PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif
      8582\\Di.pif 8582\\Y
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif
        
        C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif
        5⤵
        Executes dropped EXE
        
        PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif
        
        C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif
        5⤵
        Executes dropped EXE
        
        PID:2212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
11ed4d9dd4e6451bc2933c209fa61eff

SHA1
cd20651e7917eb4effebc15c110ccb50add57325

SHA256
d7a582e214405acef85f17bb1461e1e35a3b34fe0c92c1d1d64508ea58c54867

SHA512
81372a632a014ac33aa2ab453ad50a4842e65631a5a68ebfd6307678ce0fcbaf8565b99ca4bc0472b6831cd90c8aa33697a1da0a6d2da86ed1bbb6c933da0c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
70f4299646b5de0143328d64c0ed3c23

SHA1
40bf86e0415cda42317cadb23c7cc64768f782b5

SHA256
0125b96e8bb0753e3ef2d23562134697b3ad9a19fb63dfd0b1bc11fda794e9d6

SHA512
fb2f16dfe35d77065d92275367185b5ec01fec9ccc29a11cf3c3ed4c063625ffa70728b2b4ad9c67737bf6687e7c87a8185176269c8f8e08d717196601f7bcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\8582\Di.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Angel

Filesize
95KB

MD5
204a246b961be1ad6c2dfb05ef5997b5

SHA1
4b9376e2d8df20a58284ff69d39dce6a92300ff8

SHA256
89b215b4982a65bd97da54668aa49d0b88afacbf50cbc49c67ae5cfdb4c71586

SHA512
eed767d24d80382b738d34a6e46c916143fdff60aaf0cac95fbb28c60d2209ad08e0bcde5acefae825e2d059bdee8c53fd6d7865645f01c922e1b2f5f3607692

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Light

Filesize
139KB

MD5
0f7652c0f09ebe01fac15e9c9c9e8be4

SHA1
c23bebf27bd0a82f0903b720d63f4b9030bef57c

SHA256
f6c7d3ee5cd0f43415292445370770b2a88b628d243e5625de6361b6747c331d

SHA512
4b841996b21cdff293b7b8e11e5312b6489b2823017ff4fa6d401941357539d99982d1fd5142bddc5e1c935cedb97aebe9ca2f27410f944e82280caa569ff468

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Modem

Filesize
196KB

MD5
59f4bbd37f0937efe52011f3e2f4529b

SHA1
359c27741ac289f26dbc20ddafa07c2af5336e20

SHA256
69dee46d6cab092e8c170452b31ef389a72df1609dc1e69e003dc7725f5d0603

SHA512
01a7e2b3cc39c342906331c9b3c814ca2945bb459bf5f508ca9330604624d6194ec8e15bec1a281b8727b70d34abc770b495f17eb505aad7e6efac6f8d32a8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Mt

Filesize
134KB

MD5
9bf1293fea0b793f7e86adb548142bbc

SHA1
d49023a25c92c679bf1dafebf9b90841bc213667

SHA256
7e2ba0092cf43e1005e2b4537f907bc37242eadb97557780daf7996cc1a8b2ba

SHA512
d9a4b5d70874c91777ba797885ee8433b800ea158f24b6360fb91151902ff12de81a018ee6d9439249130628b1b24f6b1b687ea11f09e8881dabcae1b9c1d94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Nomination

Filesize
192KB

MD5
3cd5e45d649369a6e08d5c7743bea519

SHA1
e7190e41eb9691290efd5ee211d5969e34925297

SHA256
12c063891feaed5d6e78ef61167a4716acb40977890feca9735f8cb14b53f2cc

SHA512
45a8fbd67e8fac8becef16a026fa2c65f260deb65d55868ae481b8dba53576a2f5ed94a4508fa195101eeaffaeea79790b4ffc4fca1a119bc1ffb7187d612e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Risks

Filesize
13KB

MD5
e74236fa208e387cdd549b8d295d4480

SHA1
c724a51ea18f46f4295642b87aaa751cd7b101da

SHA256
8bff8d976d2743def2fc1a3341295375e055eb39ed218a1bf76d039787e48ab6

SHA512
18b90db00fef174ec94ef3218e024f421fa8cca267e68c41f609ea5fbeafe818285956324fe396b3e0ba0de925ff01fb71237520b5e2ed477af8ef2c92e9c7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Rom

Filesize
169KB

MD5
4af6cffda009ee969240d55962771ed1

SHA1
c7ca9348267c6d479339e70aab63ec0a917db046

SHA256
88062042a6f1dbc6ae5e3cb052359dc81abbd1fa32574fd285dbfb41e09750a8

SHA512
d42003945781b61f565964035fb2756d58a58d4c76f69913788181e2c09954a3c84bdcc3579a37105ba4ec42204381b370e197b1b428fa78d26da152563f8842

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Stephanie

Filesize
925KB

MD5
402647b46e68c1646d30f5910d4f6606

SHA1
cfefa31059b45eba4d0375f9d7df565ee356ce22

SHA256
748c391aee307b46a17354eb01856bff25fecbe481768b96926264e02a52d025

SHA512
ef709d06a76672ec53541d40afe0fa61cd1324fc95e0723d1103c5531b448cda8339f75ac26f6000d5a95d145bfb65204f27fc24595859a409da5802fe83304a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34969\Tn

Filesize
443KB

MD5
709d9ccfc5ce103c8eef06f353dcbd2a

SHA1
e66407b163cbfa6a72788ca27642d9fff935f712

SHA256
c0c851e45bfef22ad6806fc4ca5048bd7dec6ba8380c09b368cba4e63703d429

SHA512
42a334379a4926a692be83ace181e81c4f26d19995cd9c968ff9ecbdbf4791680ddecc7780f0217043cb215238dd6b391c98764186ead895e9a12adee629189f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxhk1i0n.cpo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/396-214-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1348-213-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1348-168-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1348-184-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1348-133-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2200-183-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/2200-169-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/2200-170-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2200-171-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2212-221-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2212-218-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3660-161-0x00000000063B0000-0x00000000063CA000-memory.dmp

Filesize
104KB

Download
memory/3660-144-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3660-166-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3660-163-0x00000000076E0000-0x0000000007C84000-memory.dmp

Filesize
5.6MB

Download
memory/3660-162-0x0000000006400000-0x0000000006422000-memory.dmp

Filesize
136KB

Download
memory/3660-143-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3660-160-0x0000000007090000-0x0000000007126000-memory.dmp

Filesize
600KB

Download
memory/3660-159-0x0000000004C30000-0x0000000004C4E000-memory.dmp

Filesize
120KB

Download
memory/3660-154-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/3660-148-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3660-147-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download
memory/3660-146-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/3660-145-0x0000000002580000-0x00000000025B6000-memory.dmp

Filesize
216KB

Download
memory/5084-199-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5084-187-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/5084-186-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/5084-185-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download