raccoon | 40e374e5c98b01418e638e50cbae8ce4d2a4fbe00831e2be9a5abf2d8fba478b

Analysis

max time kernel
160s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
14-10-2023 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wondershare Filmora 12 License.exe
Size

838KB
MD5

5560bdda88b90827215d187b9b6b3f46
SHA1

799c650f0e0971d96019ef772ba37a8aa5b25784
SHA256

40e374e5c98b01418e638e50cbae8ce4d2a4fbe00831e2be9a5abf2d8fba478b
SHA512

3ba64aa47fc7ae1f62da76a685a97e1a7d5c2088fcafb99e28973af12444ef468dd502fd7859f934fc511fb5251ea5c0270472cf5a6bc28530e83865dd86eef8
SSDEEP

12288:UVIlE+PycGgq6astN6811B15heuWHbL/tvPp4hSkfm8GlhV+FNjovV:UVIa+PyzgJastT18HhGfxGlhViNjo

Score

10^/10

raccoon 824e7696690cc396bc008e0c919bdc4b stealer

Malware Config

Extracted

Family

raccoon

Botnet

824e7696690cc396bc008e0c919bdc4b

http://62.113.119.179:80/

Attributes

user_agent
SunShineMoonLight

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1712-45-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon
behavioral1/memory/1712-49-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2844 created 3232	2844	Wondershare Filmora 12 License.exe	74

Executes dropped EXE 1 IoCs

pid	Process
888	GUP.exe

Loads dropped DLL 2 IoCs

pid	Process
888	GUP.exe
1712	Remotehost_v3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 2240	888	GUP.exe	87
PID 2240 set thread context of 1712	2240	cmd.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5032	1712	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2844	Wondershare Filmora 12 License.exe
2844	Wondershare Filmora 12 License.exe
888	GUP.exe
2240	cmd.exe
2240	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
888	GUP.exe
2240	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 888	2844	Wondershare Filmora 12 License.exe	86
PID 2844 wrote to memory of 888	2844	Wondershare Filmora 12 License.exe	86
PID 888 wrote to memory of 2240	888	GUP.exe	87
PID 888 wrote to memory of 2240	888	GUP.exe	87
PID 888 wrote to memory of 2240	888	GUP.exe	87
PID 888 wrote to memory of 2240	888	GUP.exe	87
PID 2240 wrote to memory of 1712	2240	cmd.exe	100
PID 2240 wrote to memory of 1712	2240	cmd.exe	100
PID 2240 wrote to memory of 1712	2240	cmd.exe	100
PID 2240 wrote to memory of 1712	2240	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 12 License.exe
"C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 12 License.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3232
- C:\Users\Admin\AppData\Roaming\KBDTIFI\GUP.exe
  C:\Users\Admin\AppData\Roaming\KBDTIFI\GUP.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\Remotehost_v3.exe
      C:\Users\Admin\AppData\Local\Temp\Remotehost_v3.exe
      4⤵
      Loads dropped DLL
      PID:1712
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 9856
        5⤵
        Program crash
        
        PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1712 -ip 1712
1⤵
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3de39ecb

Filesize
670KB

MD5
871786d4837419da51fec53e3d3de6f3

SHA1
2a8fed92b9a1dd7fc2edc2b711fe1843f440fb86

SHA256
16bacfd777098a696d575493e84db32dd3423eaea32bd1aa72bc2cafa3df6662

SHA512
2e7e3e161ea2d7c546b256f62419f560e3865fb4979ac84ee42a9039cd8f7e200c8ff0dac34422a20b66df84693518831059ff032160b310affc06a64050de7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remotehost_v3.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remotehost_v3.exe

Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcgytx

Filesize
40B

MD5
29ce1ea7f36d300e08b829418aad1f73

SHA1
c1a1c52f09cf8000326572c0ef8b2e9722d89fe1

SHA256
3d32d174e70b061eefc52899e6bfbe61c397811fedca20aa55746f91d0397655

SHA512
caa262c377e2a9aa8d07097daf0ff6cd4683276aeff75257d11e0645fc60dac4f1056527da42437bfdd579ff4ae6bea07efb408dae9446013e4d887264d45d03

Download Submit
C:\Users\Admin\AppData\Roaming\KBDTIFI\GUP.exe

Filesize
954KB

MD5
4620f1ba5072f37bdedf2650c654595d

SHA1
7f9079445da0b254457917c97945216eab3536ca

SHA256
ff14c25bf61e359668e0eeadb48345737caebf658f04e5b7ab4d4f465d0fd01c

SHA512
842a1935e95be85365b24a560c02b6bb9ec424a89c5e4240c28e2c63864da814dd862c5ed32847c5277570bed2cc1f90e94fe23fb5cd9950dbea4de18584313a

Download Submit
C:\Users\Admin\AppData\Roaming\KBDTIFI\GUP.exe

Filesize
954KB

MD5
4620f1ba5072f37bdedf2650c654595d

SHA1
7f9079445da0b254457917c97945216eab3536ca

SHA256
ff14c25bf61e359668e0eeadb48345737caebf658f04e5b7ab4d4f465d0fd01c

SHA512
842a1935e95be85365b24a560c02b6bb9ec424a89c5e4240c28e2c63864da814dd862c5ed32847c5277570bed2cc1f90e94fe23fb5cd9950dbea4de18584313a

Download Submit
C:\Users\Admin\AppData\Roaming\KBDTIFI\abutilon.ods

Filesize
499KB

MD5
26823c4154d364da43ef621a7d05dfd9

SHA1
86212f5dd79289138b6b9c606a2f9e59ceef6bb6

SHA256
54fd646e9a5a3064edcb9574ec5dcf34347b9f529174a888efbb9fe36bf88ead

SHA512
53a1c0df246bc69121dcd8684fee335054319232ad5863439d231ea82174fa37dc0c5e1d35edbbdfd15dfbc1143379c944d783d591046cb489ce429ede51c9eb

Download Submit
C:\Users\Admin\AppData\Roaming\KBDTIFI\libcurl.dll

Filesize
666KB

MD5
1714868945d417502d065380c6a83fbe

SHA1
6232020a2b23a2838d58ee49367a4145b213e3a4

SHA256
b2d815cec93c7d97ce2b10a086ea8cd9d88db0fb3d77884e0f46d3b09530ffef

SHA512
29ac8f57c5f203b3db8d983264cf5f4ba64d3882ed69b66e738a997729bd563b33564ead231b7ee2af6b724ec9d871e19feb5eec29091ac40a135ffa702058aa

Download Submit
C:\Users\Admin\AppData\Roaming\KBDTIFI\libcurl.dll

Filesize
666KB

MD5
1714868945d417502d065380c6a83fbe

SHA1
6232020a2b23a2838d58ee49367a4145b213e3a4

SHA256
b2d815cec93c7d97ce2b10a086ea8cd9d88db0fb3d77884e0f46d3b09530ffef

SHA512
29ac8f57c5f203b3db8d983264cf5f4ba64d3882ed69b66e738a997729bd563b33564ead231b7ee2af6b724ec9d871e19feb5eec29091ac40a135ffa702058aa

Download Submit
memory/888-19-0x00007FFC55870000-0x00007FFC559E2000-memory.dmp

Filesize
1.4MB

Download
memory/888-20-0x00007FFC55870000-0x00007FFC559E2000-memory.dmp

Filesize
1.4MB

Download
memory/888-23-0x00007FFC55870000-0x00007FFC559E2000-memory.dmp

Filesize
1.4MB

Download
memory/1712-42-0x00007FFC66950000-0x00007FFC66B45000-memory.dmp

Filesize
2.0MB

Download
memory/1712-45-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1712-49-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1712-48-0x00000000724A0000-0x00000000736F4000-memory.dmp

Filesize
18.3MB

Download
memory/1712-47-0x00000000724A0000-0x00000000736F4000-memory.dmp

Filesize
18.3MB

Download
memory/1712-43-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2240-30-0x0000000074FA0000-0x000000007511B000-memory.dmp

Filesize
1.5MB

Download
memory/2240-31-0x0000000074FA0000-0x000000007511B000-memory.dmp

Filesize
1.5MB

Download
memory/2240-34-0x0000000074FA0000-0x000000007511B000-memory.dmp

Filesize
1.5MB

Download
memory/2240-37-0x0000000074FA0000-0x000000007511B000-memory.dmp

Filesize
1.5MB

Download
memory/2240-26-0x00007FFC66950000-0x00007FFC66B45000-memory.dmp

Filesize
2.0MB

Download
memory/2240-39-0x0000000074FA0000-0x000000007511B000-memory.dmp

Filesize
1.5MB

Download
memory/2844-12-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download
memory/2844-5-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2844-8-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download
memory/2844-21-0x00000000738C0000-0x0000000073A3B000-memory.dmp

Filesize
1.5MB

Download