raccoon | d4224f288dd203d784301459d37aed4a0e908f53b7b60b83c4d7f2b65cc007d1

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 00:46

Target

0e10ea38b2c0569203a5f46efdec60dc.exe
Size

5.3MB
MD5

0e10ea38b2c0569203a5f46efdec60dc
SHA1

2a85e47f44d07d52a55095c78b42127e290c5069
SHA256

d4224f288dd203d784301459d37aed4a0e908f53b7b60b83c4d7f2b65cc007d1
SHA512

29e909457cfeb8de60a9eecc3aed132bb59a5bfae8e81c76c414a54b5638500adf839e3bf0f26ee56d9bad2084c34a04886d0d35a64eb8761f0cc8449bdb8f35
SSDEEP

49152:Z4VIxoeQOSWFdin2IVvjm/yw3mAa3/jFPP+EhEyh3cow384AEDiJUdoKtYlQuWpo:Z2IxoebxdOKW

Score

10^/10

Family

raccoon

Botnet

5ff7bc68b712d0b2c95bc2d831e79eaf

http://45.15.156.141:80

Attributes

xor.plain

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/5092-11-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral2/memory/5092-13-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral2/memory/5092-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programfiles.vbs	0e10ea38b2c0569203a5f46efdec60dc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	0e10ea38b2c0569203a5f46efdec60dc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 4104	928	0e10ea38b2c0569203a5f46efdec60dc.exe	92
PID 928 wrote to memory of 4104	928	0e10ea38b2c0569203a5f46efdec60dc.exe	92
PID 928 wrote to memory of 4104	928	0e10ea38b2c0569203a5f46efdec60dc.exe	92
PID 928 wrote to memory of 2740	928	0e10ea38b2c0569203a5f46efdec60dc.exe	94
PID 928 wrote to memory of 2740	928	0e10ea38b2c0569203a5f46efdec60dc.exe	94
PID 928 wrote to memory of 2740	928	0e10ea38b2c0569203a5f46efdec60dc.exe	94
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95
PID 928 wrote to memory of 5092	928	0e10ea38b2c0569203a5f46efdec60dc.exe	95

C:\Users\Admin\AppData\Local\Temp\0e10ea38b2c0569203a5f46efdec60dc.exe
"C:\Users\Admin\AppData\Local\Temp\0e10ea38b2c0569203a5f46efdec60dc.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:4104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:5092

memory/928-6-0x0000000004C70000-0x0000000004CBC000-memory.dmp

Filesize
304KB

Download
memory/928-1-0x0000000000040000-0x0000000000190000-memory.dmp

Filesize
1.3MB

Download
memory/928-2-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/928-3-0x0000000004AE0000-0x0000000004B28000-memory.dmp

Filesize
288KB

Download
memory/928-4-0x0000000004BA0000-0x0000000004BE6000-memory.dmp

Filesize
280KB

Download
memory/928-5-0x0000000004C10000-0x0000000004C46000-memory.dmp

Filesize
216KB

Download
memory/928-0-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/928-7-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/928-8-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/928-15-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/5092-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download