raccoon | fadd73e288bf414c45512fd27b0b02971d5f2f1a4323b508575b4ca87c3752ee

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2023 12:56

Target

Setup_x32_x64.exe
Size

992.0MB
MD5

aa87368fd85c71caebb069bbd711b5ba
SHA1

2c2390bb8cff65b843a682cdb613909cc5fc3579
SHA256

1f88c89c82edcde05886262f770bd3df3af0049924d7e290cdc3ab6586503e0a
SHA512

4d99c8857d50729e1e99a0f477f5950deff6c11a820095ce765946100b0a0ee58a4fe483589459fba9c5683b79a8f8946879b2cf33eb79fa0a1b486bd64210ca
SSDEEP

196608:gpKYW15rR/FityRl28WklfrrN+tBaa/bK0a99R:g0YsTUcP27SfctBV+089R

Score

10^/10

Family

raccoon

Botnet

94c54520400750937a6f1bf6044f8667

http://185.181.10.208/

xor.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1328-133-0x0000000000400000-0x0000000000DC1000-memory.dmp	family_raccoon
behavioral2/memory/1328-142-0x0000000000400000-0x0000000000DC1000-memory.dmp	family_raccoon
behavioral2/memory/1328-144-0x0000000000400000-0x0000000000DC1000-memory.dmp	family_raccoon
behavioral2/memory/1328-145-0x0000000000400000-0x0000000000DC1000-memory.dmp	family_raccoon

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral2/memory/1328-133-0x0000000000400000-0x0000000000DC1000-memory.dmp	vmprotect
behavioral2/memory/1328-142-0x0000000000400000-0x0000000000DC1000-memory.dmp	vmprotect
behavioral2/memory/1328-144-0x0000000000400000-0x0000000000DC1000-memory.dmp	vmprotect
behavioral2/memory/1328-145-0x0000000000400000-0x0000000000DC1000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup_x32_x64.exe

pid process

1328 Setup_x32_x64.exe
1328 Setup_x32_x64.exe
1328 Setup_x32_x64.exe
1328 Setup_x32_x64.exe

C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1328

memory/1328-133-0x0000000000400000-0x0000000000DC1000-memory.dmp

Filesize
9.8MB

Download
memory/1328-134-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1328-135-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1328-136-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1328-137-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1328-138-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1328-139-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1328-141-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/1328-142-0x0000000000400000-0x0000000000DC1000-memory.dmp

Filesize
9.8MB

Download
memory/1328-144-0x0000000000400000-0x0000000000DC1000-memory.dmp

Filesize
9.8MB

Download
memory/1328-145-0x0000000000400000-0x0000000000DC1000-memory.dmp

Filesize
9.8MB

Download