raccoon | 788567d3cc693dd5d0dada9f4e1421755c1d74257544ba12b502f085a620585e

Analysis

max time kernel
134s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MlсrоsоftЕdgеSеtup.appx
Size

3.6MB
MD5

de2456b94b4d4019ad591379205ebd6e
SHA1

7f98a888fb52ed5627d7b374439ca14616f68d33
SHA256

788567d3cc693dd5d0dada9f4e1421755c1d74257544ba12b502f085a620585e
SHA512

abb726b87c0fc52159076fe7ee0a32d3667478cdb9959d206c9589e1e95210cfd7122268ac931c35aff43c6834d024ebfc597052aa3bcd936f6925a84aa2b540
SSDEEP

98304:dfic5es3aimY7NhbJpcdYyeuASKnRcfw9X:dKc5emmYvdM5euASKnRcfo

Score

10^/10

raccoon 5e2505d8647542f05843f89ae7cd18e7 discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

5e2505d8647542f05843f89ae7cd18e7

http://5.75.241.110:80

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/2772-33-0x0000000000400000-0x000000000041D000-memory.dmp	family_raccoon
behavioral2/memory/2772-84-0x0000000000400000-0x000000000041D000-memory.dmp	family_raccoon

Downloads MZ/PE file

Loads dropped DLL 4 IoCs

pid	Process
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 4944	3016	2_1.3.0.5.exe	98
PID 4944 set thread context of 2772	4944	cmd.exe	101

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3792	powershell.exe
3792	powershell.exe
3792	powershell.exe
3016	2_1.3.0.5.exe
3016	2_1.3.0.5.exe
4944	cmd.exe
4944	cmd.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe
2772	KBDFR.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3016	2_1.3.0.5.exe
4944	cmd.exe
4944	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeManageVolumePrivilege	692	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 3380	4480	AiStubX64.exe	95
PID 4480 wrote to memory of 3380	4480	AiStubX64.exe	95
PID 4480 wrote to memory of 3016	4480	AiStubX64.exe	97
PID 4480 wrote to memory of 3016	4480	AiStubX64.exe	97
PID 4480 wrote to memory of 3016	4480	AiStubX64.exe	97
PID 4480 wrote to memory of 3016	4480	AiStubX64.exe	97
PID 4480 wrote to memory of 3016	4480	AiStubX64.exe	97
PID 3016 wrote to memory of 4944	3016	2_1.3.0.5.exe	98
PID 3016 wrote to memory of 4944	3016	2_1.3.0.5.exe	98
PID 3016 wrote to memory of 4944	3016	2_1.3.0.5.exe	98
PID 3016 wrote to memory of 4944	3016	2_1.3.0.5.exe	98
PID 4944 wrote to memory of 2772	4944	cmd.exe	101
PID 4944 wrote to memory of 2772	4944	cmd.exe	101
PID 4944 wrote to memory of 2772	4944	cmd.exe	101
PID 4944 wrote to memory of 2772	4944	cmd.exe	101
PID 4944 wrote to memory of 2772	4944	cmd.exe	101

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\MicrosoftCorporation.Edge_2hba6mcbkmhp4!MicrosoftEdgeSetup.exe
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Program Files\WindowsApps\MicrosoftCorporation.Edge_1.3.177.11_x64__2hba6mcbkmhp4\AI_STUBS\AiStubX64.exe
"C:\Program Files\WindowsApps\MicrosoftCorporation.Edge_1.3.177.11_x64__2hba6mcbkmhp4\AI_STUBS\AiStubX64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\xcopy.exe
  "xcopy.exe" "C:\Program Files\WindowsApps\MicrosoftCorporation.Edge_1.3.177.11_x64__2hba6mcbkmhp4\VFS\AppData" "C:\Users\Admin\AppData\Local\Packages\MicrosoftCorporation.Edge_2hba6mcbkmhp4\LocalCache\Roaming" /e /s /y /c /h /q /i /k
  2⤵
  PID:3380
- C:\Program Files\WindowsApps\MicrosoftCorporation.Edge_1.3.177.11_x64__2hba6mcbkmhp4\VFS\AppData\2_1.3.0.5.exe
  "C:\Program Files\WindowsApps\MicrosoftCorporation.Edge_1.3.177.11_x64__2hba6mcbkmhp4\VFS\AppData\2_1.3.0.5.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\KBDFR.exe
      C:\Users\Admin\AppData\Local\Temp\KBDFR.exe
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2772

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e378d55

Filesize
649KB

MD5
96dcabfe048acd813cd534591a4a9d6d

SHA1
43026e3ad042fa0549742236690961e4723fa605

SHA256
f78405550ec743b74816bc9f629278b853b494520a9d3abb3be6dd8b47c5a3eb

SHA512
0b9f2891598071333072eec21a8285f947ad362a3e0e318574b1ea975de03b443e55bb681a553fb970ed137e5342e62f1f91f96ceb51cc2105f9f81baba5448c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBDFR.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBDFR.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxcczmkj.itu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/692-138-0x0000029762410000-0x0000029762411000-memory.dmp

Filesize
4KB

Download
memory/692-127-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/692-124-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/692-133-0x0000029762410000-0x0000029762411000-memory.dmp

Filesize
4KB

Download
memory/692-132-0x0000029762420000-0x0000029762421000-memory.dmp

Filesize
4KB

Download
memory/692-131-0x0000029762A00000-0x0000029762A01000-memory.dmp

Filesize
4KB

Download
memory/692-130-0x0000029762A00000-0x0000029762A01000-memory.dmp

Filesize
4KB

Download
memory/692-129-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/692-128-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/692-141-0x0000029762350000-0x0000029762351000-memory.dmp

Filesize
4KB

Download
memory/692-153-0x0000029762550000-0x0000029762551000-memory.dmp

Filesize
4KB

Download
memory/692-135-0x0000029762420000-0x0000029762421000-memory.dmp

Filesize
4KB

Download
memory/692-155-0x0000029762560000-0x0000029762561000-memory.dmp

Filesize
4KB

Download
memory/692-156-0x0000029762560000-0x0000029762561000-memory.dmp

Filesize
4KB

Download
memory/692-157-0x0000029762670000-0x0000029762671000-memory.dmp

Filesize
4KB

Download
memory/692-126-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/692-125-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/692-105-0x000002975A240000-0x000002975A250000-memory.dmp

Filesize
64KB

Download
memory/692-121-0x00000297627D0000-0x00000297627D1000-memory.dmp

Filesize
4KB

Download
memory/692-122-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/692-123-0x0000029762800000-0x0000029762801000-memory.dmp

Filesize
4KB

Download
memory/2772-84-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2772-30-0x0000000073820000-0x0000000074A74000-memory.dmp

Filesize
18.3MB

Download
memory/2772-85-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/2772-36-0x00007FFF539B0000-0x00007FFF53BA5000-memory.dmp

Filesize
2.0MB

Download
memory/2772-33-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3016-15-0x0000000000FD0000-0x000000000133F000-memory.dmp

Filesize
3.4MB

Download
memory/3016-19-0x00000000774D0000-0x000000007758F000-memory.dmp

Filesize
764KB

Download
memory/3016-18-0x00000000774D0000-0x000000007758F000-memory.dmp

Filesize
764KB

Download
memory/3016-17-0x00000000774D0000-0x000000007758F000-memory.dmp

Filesize
764KB

Download
memory/3792-0-0x000001D7BD380000-0x000001D7BD3A2000-memory.dmp

Filesize
136KB

Download
memory/3792-13-0x00007FFF35FD0000-0x00007FFF36A91000-memory.dmp

Filesize
10.8MB

Download
memory/3792-11-0x000001D7BCAC0000-0x000001D7BCAD0000-memory.dmp

Filesize
64KB

Download
memory/3792-10-0x00007FFF35FD0000-0x00007FFF36A91000-memory.dmp

Filesize
10.8MB

Download
memory/4944-29-0x0000000001880000-0x000000000193F000-memory.dmp

Filesize
764KB

Download
memory/4944-26-0x0000000001880000-0x000000000193F000-memory.dmp

Filesize
764KB

Download
memory/4944-25-0x0000000001880000-0x000000000193F000-memory.dmp

Filesize
764KB

Download
memory/4944-22-0x00007FFF539B0000-0x00007FFF53BA5000-memory.dmp

Filesize
2.0MB

Download