raccoon | 5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-08-2023 18:27

Target

5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe
Size

239KB
MD5

3379ff3d41973e2e9ffa3e4a2ba3b2a0
SHA1

ee6a34860cc88bff4ad4ffac514875751f4ae522
SHA256

5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038
SHA512

b856cda3b64d10299e061838b609985f247dcb63b939a6cde7d9f080ec345fb80e230939e6efed354c8c86020cb8e5c26c8aa0e2b0d2c3c3c3048d58aded6302
SSDEEP

3072:5tE2EWtoXCsvKcucuLHorEpbn3/3KziSHvVUbs2p+YnfEGXAOPxx+:5tEnWSCsGorEZiLHvqY2pzZXZC

Score

10^/10

Family

raccoon

Botnet

eabc0de1c27eeddb6aaf18a4edd4635a

http://94.142.138.177/

xor.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/2852-58-0x0000000000400000-0x0000000000423000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 2852	2472	5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe	29

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2852	2472	5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe	29
PID 2472 wrote to memory of 2852	2472	5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe	29
PID 2472 wrote to memory of 2852	2472	5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe	29
PID 2472 wrote to memory of 2852	2472	5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe	29
PID 2472 wrote to memory of 2852	2472	5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe	29
PID 2472 wrote to memory of 2852	2472	5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe	29

C:\Users\Admin\AppData\Local\Temp\5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe
"C:\Users\Admin\AppData\Local\Temp\5d6216378288a42323449a10a8fc5cb03bbb0c7216b6c8c2f5866b63494c6038.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2852

memory/2472-55-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2852-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download