raccoon | ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
20-11-2023 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe
Size

17.6MB
MD5

1fbf52eb4aa5fb5609bb63535e283835
SHA1

a96aa7fb149885cbdbf1dd3fc529c003c82f6cbb
SHA256

ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe
SHA512

41e70df4b62465849bd10cd48d8e8966721575e3ede2c7c07b1e511fbd864687e1095a0351f80361cf2f69946b7fcc519e4bddd4e5a24126f05a0d747bbadb56
SSDEEP

393216:bu8SVoCsr12eyexwQ+/bDiZJKIIbsSSUmAWFPx/UQ0:bu8SVoCJeyexwVzcIoVA4Px/T0

Score

10^/10

raccoon 8c43462d3009db225c4c0889737572cd stealer

Malware Config

Extracted

Family

raccoon

Botnet

8c43462d3009db225c4c0889737572cd

http://94.142.138.49:80/

http://94.142.138.108:80/

Attributes

user_agent
DuckTales

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1632-3-0x0000000000400000-0x0000000001E41000-memory.dmp	family_raccoon
behavioral1/memory/1632-9-0x0000000000400000-0x0000000001E41000-memory.dmp	family_raccoon
behavioral1/memory/1632-45-0x0000000000400000-0x0000000001E41000-memory.dmp	family_raccoon

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe

pid	process
1632	ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe
1632	ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe

pid process

1632 ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe

C:\Users\Admin\AppData\Local\Temp\ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe
"C:\Users\Admin\AppData\Local\Temp\ae0586d416a2c1310947a1017c43c0d95b04e80892804b3c61090b2087de0dfe.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1632-3-0x0000000000400000-0x0000000001E41000-memory.dmp

Filesize
26.3MB

Download
memory/1632-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1632-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1632-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1632-11-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/1632-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1632-9-0x0000000000400000-0x0000000001E41000-memory.dmp

Filesize
26.3MB

Download
memory/1632-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1632-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1632-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1632-17-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1632-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1632-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1632-22-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1632-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1632-27-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1632-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1632-32-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1632-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1632-37-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1632-42-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1632-40-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1632-45-0x0000000000400000-0x0000000001E41000-memory.dmp

Filesize
26.3MB

Download