raccoon | b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1

General

Target

b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe
Size

2.5MB
MD5

e8eedfa9c23d565850e4b712c469dc96
SHA1

f2f601bc5c5ac13d007774d7a874f06d41360898
SHA256

b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1
SHA512

b19716f9708f68927b7eb90a3e241e81801aa2c8fbcfa10707c15946613dafcb9cf4ddf3c41b08e13b44ba1034516a549cbca11632ed597ffa71e997dbae623b
SSDEEP

24576:q9NuMPWiKnLjlJ2jfELozwMxB7AvmsJTXsa4BDVUK7tl1SGxSA1wh5x92JaAZk:uPWXH2j8cpIhJTXqBL7trSaMh5xEZW

Score

10^/10

raccoon f2207cc6984622b8485f5089d6ca4069 stealer

Malware Config

Extracted

Family

raccoon

Botnet

f2207cc6984622b8485f5089d6ca4069

C2

http://5.78.81.39:8088/

Attributes

user_agent
GeekingToTheMoon

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1408-42-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/1408-39-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/1408-44-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/1408-46-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28
PID 2288 wrote to memory of 1408	2288	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-41-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1408-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2288-27-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-13-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-21-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-31-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-29-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-32-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2288-0-0x0000000000A40000-0x0000000000CB6000-memory.dmp

Filesize
2.5MB

Download
memory/2288-25-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-23-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-19-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-17-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-15-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-11-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-9-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-8-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2288-7-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2288-6-0x0000000004D60000-0x0000000004DC8000-memory.dmp

Filesize
416KB

Download
memory/2288-5-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2288-4-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-3-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2288-45-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-2-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2288-1-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing