raccoon | b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe
Size

2.5MB
MD5

e8eedfa9c23d565850e4b712c469dc96
SHA1

f2f601bc5c5ac13d007774d7a874f06d41360898
SHA256

b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1
SHA512

b19716f9708f68927b7eb90a3e241e81801aa2c8fbcfa10707c15946613dafcb9cf4ddf3c41b08e13b44ba1034516a549cbca11632ed597ffa71e997dbae623b
SSDEEP

24576:q9NuMPWiKnLjlJ2jfELozwMxB7AvmsJTXsa4BDVUK7tl1SGxSA1wh5x92JaAZk:uPWXH2j8cpIhJTXqBL7trSaMh5xEZW

Score

10^/10

raccoon f2207cc6984622b8485f5089d6ca4069 stealer

Malware Config

Extracted

Family

raccoon

Botnet

f2207cc6984622b8485f5089d6ca4069

http://5.78.81.39:8088/

Attributes

user_agent
GeekingToTheMoon

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/4980-34-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral2/memory/4980-36-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral2/memory/4980-39-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3152 set thread context of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95
PID 3152 wrote to memory of 4980	3152	b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe	95

C:\Users\Admin\AppData\Local\Temp\b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3152-16-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-28-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-0-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3152-4-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/3152-3-0x00000000059F0000-0x0000000005A8C000-memory.dmp

Filesize
624KB

Download
memory/3152-5-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/3152-6-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/3152-7-0x0000000005A90000-0x0000000005AF8000-memory.dmp

Filesize
416KB

Download
memory/3152-8-0x0000000005950000-0x000000000596C000-memory.dmp

Filesize
112KB

Download
memory/3152-10-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-9-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-18-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-2-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/3152-20-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-32-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-22-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-12-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-26-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-24-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-1-0x0000000000D60000-0x0000000000FD6000-memory.dmp

Filesize
2.5MB

Download
memory/3152-30-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-14-0x0000000005950000-0x0000000005965000-memory.dmp

Filesize
84KB

Download
memory/3152-33-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/3152-38-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download