raccoon | 6d5428ce4be04184f9c2f89a6a1646bffc718818c7a0af019207bd81cced4d06

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b6726d6af9d674d6b7d96808eb70d26.exe
Size

636KB
MD5

7b6726d6af9d674d6b7d96808eb70d26
SHA1

a352653f8026c0f823c4d8bc3bd1668dff1e1ed3
SHA256

6d5428ce4be04184f9c2f89a6a1646bffc718818c7a0af019207bd81cced4d06
SHA512

1028a0130d392b4b84b5c82b0f9d40cbba53f41c50a184aafb8c1c6c3a41a033196c57b3b213ab765fd6babe83c1f232ef070aca2cbd44c7ac95f0961958b5bd
SSDEEP

12288:brFCG95RXgPtl4EqSaXbhJ1Xs3gnVZd3OOm9Fd/rL2qsdGWw/R2:brFfaPXPqS0hJ1XsQnVZNOT9F5mGWw/I

Score

10^/10

raccoon 92be0387873e54dd629b9bfa972c3a9a88e6726c stealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral2/memory/548-7-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/548-9-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/548-11-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/548-12-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1240 set thread context of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	7b6726d6af9d674d6b7d96808eb70d26.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98
PID 1240 wrote to memory of 548	1240	7b6726d6af9d674d6b7d96808eb70d26.exe	98

C:\Users\Admin\AppData\Local\Temp\7b6726d6af9d674d6b7d96808eb70d26.exe
"C:\Users\Admin\AppData\Local\Temp\7b6726d6af9d674d6b7d96808eb70d26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\7b6726d6af9d674d6b7d96808eb70d26.exe
  C:\Users\Admin\AppData\Local\Temp\7b6726d6af9d674d6b7d96808eb70d26.exe
  2⤵
  PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-7-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/548-9-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/548-11-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/548-12-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1240-0-0x0000000000EA0000-0x0000000000F42000-memory.dmp

Filesize
648KB

Download
memory/1240-1-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/1240-3-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/1240-2-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/1240-4-0x0000000005930000-0x0000000005950000-memory.dmp

Filesize
128KB

Download
memory/1240-5-0x00000000059E0000-0x0000000005A56000-memory.dmp

Filesize
472KB

Download
memory/1240-6-0x00000000059B0000-0x00000000059CE000-memory.dmp

Filesize
120KB

Download
memory/1240-10-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download