raccoon | 7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2023 15:41

Target

7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe
Size

640KB
MD5

fea64d3a0106278b952c5da98d795414
SHA1

8a9cefe3e1f2b20416281ca3d59aa1a97c5785dd
SHA256

7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527
SHA512

153d2a3645544e90cbd13590fcd404f9e4e966373c2408024321e60fcbb314e176769406e8c4ffea1bc2efcfce4fe696c88bacd1a8f91f8dbfdd3b09e4d8b0fd
SSDEEP

6144:zgOeGIAHxSJ3laLHgbVzUMNv0eAOSe5zKE9vM534:M7JJVakBp0eJ52E9kC

Score

10^/10

Family

raccoon

Botnet

58d3d798d34797c8dc115d7871080018

http://94.142.138.147:77z

xor.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/3472-133-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/3472-135-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon
behavioral2/memory/3472-136-0x0000000000400000-0x000000000040F000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81
PID 3240 wrote to memory of 3472	3240	7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe	81

C:\Users\Admin\AppData\Local\Temp\7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7cf98c4d66d5932d35a20a38b36c369d9847857ccefca7a0ca5a6b378e471527_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3472

memory/3472-133-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3472-135-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3472-136-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download