raccoon | ceb0b34bf3d2f9ef826aefe57e9f1c599925a5c57cb35425a5af808c5f1a979b

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2023 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fe3e6231388c1b5c97c89044117aa5.exe
Size

1.1MB
MD5

77fe3e6231388c1b5c97c89044117aa5
SHA1

42fe4de17b9121fd7364eaccbd0f1e356424f520
SHA256

ceb0b34bf3d2f9ef826aefe57e9f1c599925a5c57cb35425a5af808c5f1a979b
SHA512

9266e30f5a70ff824f1d266172dbc1cc3074d6b58722010c1451203b223cdaf9f33e811187fe7a57aa147714869044e9358faac63c904dbf4d1dd37dc17f400d
SSDEEP

24576:Lki4YGb0KwdK2JZMHyfv5Y5uqwgRDOiz4nBY:Lki4V0VDUIy5X9RDOk4ni

Score

10^/10

raccoon 3fcb8af1f84748c4ea416ee206ea216c stealer

Malware Config

Extracted

Family

raccoon

Botnet

3fcb8af1f84748c4ea416ee206ea216c

http://84.246.85.83:80/

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3668-216-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/3668-220-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/3668-221-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Executes dropped EXE 2 IoCs

Processes:

Di.pifDi.pif

pid process

1276 Di.pif
3668 Di.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Di.pif

description pid process target process

PID 1276 set thread context of 3668 1276 Di.pif Di.pif
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3748 PING.EXE

pid	process
1276	Di.pif
3668	Di.pif

description	pid	process	target process
PID 1276 set thread context of 3668	1276	Di.pif	Di.pif

pid	process
3748	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exeDi.pif

pid	process
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif
1276	Di.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4496 powershell.exe
Token: SeDebugPrivilege 404 powershell.exe
Token: SeDebugPrivilege 2696 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Di.pif

pid process

1276 Di.pif
1276 Di.pif
1276 Di.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Di.pif

pid process

1276 Di.pif
1276 Di.pif
1276 Di.pif

description	pid	process
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe

pid	process
1276	Di.pif
1276	Di.pif
1276	Di.pif

pid	process
1276	Di.pif
1276	Di.pif
1276	Di.pif

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

77fe3e6231388c1b5c97c89044117aa5.execmd.execmd.exeDi.pif

description	pid	process	target process
PID 2540 wrote to memory of 3300	2540	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 2540 wrote to memory of 3300	2540	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 2540 wrote to memory of 3300	2540	77fe3e6231388c1b5c97c89044117aa5.exe	cmd.exe
PID 3300 wrote to memory of 1996	3300	cmd.exe	cmd.exe
PID 3300 wrote to memory of 1996	3300	cmd.exe	cmd.exe
PID 3300 wrote to memory of 1996	3300	cmd.exe	cmd.exe
PID 1996 wrote to memory of 4496	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 4496	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 4496	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 404	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 404	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 404	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 2696	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 2696	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 2696	1996	cmd.exe	powershell.exe
PID 1996 wrote to memory of 2132	1996	cmd.exe	findstr.exe
PID 1996 wrote to memory of 2132	1996	cmd.exe	findstr.exe
PID 1996 wrote to memory of 2132	1996	cmd.exe	findstr.exe
PID 1996 wrote to memory of 1276	1996	cmd.exe	Di.pif
PID 1996 wrote to memory of 1276	1996	cmd.exe	Di.pif
PID 1996 wrote to memory of 1276	1996	cmd.exe	Di.pif
PID 1996 wrote to memory of 3748	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 3748	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 3748	1996	cmd.exe	PING.EXE
PID 1276 wrote to memory of 3668	1276	Di.pif	Di.pif
PID 1276 wrote to memory of 3668	1276	Di.pif	Di.pif
PID 1276 wrote to memory of 3668	1276	Di.pif	Di.pif
PID 1276 wrote to memory of 3668	1276	Di.pif	Di.pif
PID 1276 wrote to memory of 3668	1276	Di.pif	Di.pif

C:\Users\Admin\AppData\Local\Temp\77fe3e6231388c1b5c97c89044117aa5.exe
"C:\Users\Admin\AppData\Local\Temp\77fe3e6231388c1b5c97c89044117aa5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Risks & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avgui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process nswscsvc
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^Retain$" Stephanie
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\24297\8958\Di.pif
      8958\\Di.pif 8958\\Y
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\24297\8958\Di.pif
        
        C:\Users\Admin\AppData\Local\Temp\24297\8958\Di.pif
        5⤵
        Executes dropped EXE
        
        PID:3668
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
159e629cf9f0a03f21afa9e7fa194d41

SHA1
fd80345ca9aad5738ab18031cbb9b4541e3035ac

SHA256
2b1d5baa97b4f8c067ba9136c96417bb98ee9b85e5dc18cce7f9436070a6e5c1

SHA512
284dfbe4ba555b44291b8fb3d0e81919b77f14cd65596b01d4be30753b80ff7d0502d5d2506b3bea4e63e605d4a648e0c11d1f78aef4aec9032981d4123e509f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
87663ce88984dd73dc79fc51368af994

SHA1
bda6d072ce1744f0a996069eb4fc109cbcde6e10

SHA256
8788b435ee81df70cedb7cc495f008f82b5e6b7526a362adb927a3b679aa1c54

SHA512
56c7ed3a8c70f47c99bb3461c5cdcc300ce4d06e0c915cba3e375275674c72fb41529514712b1ffe2551915fa5aff50efc9dfcccd93e4f7c21c1665955cb2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\8958\Di.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\8958\Di.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Angel

Filesize
95KB

MD5
204a246b961be1ad6c2dfb05ef5997b5

SHA1
4b9376e2d8df20a58284ff69d39dce6a92300ff8

SHA256
89b215b4982a65bd97da54668aa49d0b88afacbf50cbc49c67ae5cfdb4c71586

SHA512
eed767d24d80382b738d34a6e46c916143fdff60aaf0cac95fbb28c60d2209ad08e0bcde5acefae825e2d059bdee8c53fd6d7865645f01c922e1b2f5f3607692

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Light

Filesize
139KB

MD5
0f7652c0f09ebe01fac15e9c9c9e8be4

SHA1
c23bebf27bd0a82f0903b720d63f4b9030bef57c

SHA256
f6c7d3ee5cd0f43415292445370770b2a88b628d243e5625de6361b6747c331d

SHA512
4b841996b21cdff293b7b8e11e5312b6489b2823017ff4fa6d401941357539d99982d1fd5142bddc5e1c935cedb97aebe9ca2f27410f944e82280caa569ff468

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Modem

Filesize
196KB

MD5
59f4bbd37f0937efe52011f3e2f4529b

SHA1
359c27741ac289f26dbc20ddafa07c2af5336e20

SHA256
69dee46d6cab092e8c170452b31ef389a72df1609dc1e69e003dc7725f5d0603

SHA512
01a7e2b3cc39c342906331c9b3c814ca2945bb459bf5f508ca9330604624d6194ec8e15bec1a281b8727b70d34abc770b495f17eb505aad7e6efac6f8d32a8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Mt

Filesize
134KB

MD5
9bf1293fea0b793f7e86adb548142bbc

SHA1
d49023a25c92c679bf1dafebf9b90841bc213667

SHA256
7e2ba0092cf43e1005e2b4537f907bc37242eadb97557780daf7996cc1a8b2ba

SHA512
d9a4b5d70874c91777ba797885ee8433b800ea158f24b6360fb91151902ff12de81a018ee6d9439249130628b1b24f6b1b687ea11f09e8881dabcae1b9c1d94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Nomination

Filesize
192KB

MD5
3cd5e45d649369a6e08d5c7743bea519

SHA1
e7190e41eb9691290efd5ee211d5969e34925297

SHA256
12c063891feaed5d6e78ef61167a4716acb40977890feca9735f8cb14b53f2cc

SHA512
45a8fbd67e8fac8becef16a026fa2c65f260deb65d55868ae481b8dba53576a2f5ed94a4508fa195101eeaffaeea79790b4ffc4fca1a119bc1ffb7187d612e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Risks

Filesize
13KB

MD5
e74236fa208e387cdd549b8d295d4480

SHA1
c724a51ea18f46f4295642b87aaa751cd7b101da

SHA256
8bff8d976d2743def2fc1a3341295375e055eb39ed218a1bf76d039787e48ab6

SHA512
18b90db00fef174ec94ef3218e024f421fa8cca267e68c41f609ea5fbeafe818285956324fe396b3e0ba0de925ff01fb71237520b5e2ed477af8ef2c92e9c7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Rom

Filesize
169KB

MD5
4af6cffda009ee969240d55962771ed1

SHA1
c7ca9348267c6d479339e70aab63ec0a917db046

SHA256
88062042a6f1dbc6ae5e3cb052359dc81abbd1fa32574fd285dbfb41e09750a8

SHA512
d42003945781b61f565964035fb2756d58a58d4c76f69913788181e2c09954a3c84bdcc3579a37105ba4ec42204381b370e197b1b428fa78d26da152563f8842

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Stephanie

Filesize
925KB

MD5
402647b46e68c1646d30f5910d4f6606

SHA1
cfefa31059b45eba4d0375f9d7df565ee356ce22

SHA256
748c391aee307b46a17354eb01856bff25fecbe481768b96926264e02a52d025

SHA512
ef709d06a76672ec53541d40afe0fa61cd1324fc95e0723d1103c5531b448cda8339f75ac26f6000d5a95d145bfb65204f27fc24595859a409da5802fe83304a

Download Submit
C:\Users\Admin\AppData\Local\Temp\24297\Tn

Filesize
443KB

MD5
709d9ccfc5ce103c8eef06f353dcbd2a

SHA1
e66407b163cbfa6a72788ca27642d9fff935f712

SHA256
c0c851e45bfef22ad6806fc4ca5048bd7dec6ba8380c09b368cba4e63703d429

SHA512
42a334379a4926a692be83ace181e81c4f26d19995cd9c968ff9ecbdbf4791680ddecc7780f0217043cb215238dd6b391c98764186ead895e9a12adee629189f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgbovd4f.rdi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/404-184-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/404-170-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/404-169-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/404-171-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1276-214-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/2540-182-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2540-213-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2540-133-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2540-197-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2696-185-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2696-186-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2696-199-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3668-221-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3668-220-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3668-216-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4496-160-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/4496-145-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4496-150-0x0000000005020000-0x0000000005086000-memory.dmp

Filesize
408KB

Download
memory/4496-149-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/4496-148-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4496-147-0x00000000050A0000-0x00000000056C8000-memory.dmp

Filesize
6.2MB

Download
memory/4496-146-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4496-167-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4496-161-0x0000000006F40000-0x0000000006FD6000-memory.dmp

Filesize
600KB

Download
memory/4496-143-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4496-162-0x0000000006220000-0x000000000623A000-memory.dmp

Filesize
104KB

Download
memory/4496-144-0x00000000023D0000-0x0000000002406000-memory.dmp

Filesize
216KB

Download
memory/4496-163-0x0000000006290000-0x00000000062B2000-memory.dmp

Filesize
136KB

Download
memory/4496-164-0x0000000007590000-0x0000000007B34000-memory.dmp

Filesize
5.6MB

Download