raccoon | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

General

Target

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Size

2.6MB
MD5

38439fdf4744c8a97c0dafce36e4f432
SHA1

e6f56833ecfb2b47f4e39a290bad959776fea2f1
SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
SHA512

69feeaeb83ee5b6773e2919716d9ab2f4acee2f6115ef1731557258f42a5b529760402a091c64be1707a13c4b4cfb09e79ddb0eff24cd3e77fa1e4b355cda407
SSDEEP

49152:01+6+AFUaW+Vvdj8Lf8JtKHibnPIb2qohbLLkYPTRAEOOaS4d5eTovYuLL:XANzVvdw4Jr76oNLpPNAEkeTYpLL

Score

10^/10

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Malware Config

Extracted

Family

raccoon

Botnet

2637bf45ccfc8a2d57025feab0be0b31

C2

http://194.116.173.154:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

resource	yara_rule
behavioral2/memory/396-19-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/396-23-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/396-24-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/396-25-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 4 IoCs

resource	yara_rule
behavioral2/memory/396-19-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/396-23-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/396-24-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/396-25-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables manipulated with Fody 1 IoCs

resource	yara_rule
behavioral2/memory/3856-0-0x0000000000A30000-0x0000000000CD4000-memory.dmp	INDICATOR_EXE_Packed_Fody

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3856 set thread context of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 428	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	84
PID 3856 wrote to memory of 428	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	84
PID 428 wrote to memory of 4976	428	csc.exe	86
PID 428 wrote to memory of 4976	428	csc.exe	86
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 3856 wrote to memory of 396	3856	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\il2m1yiu\il2m1yiu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES446B.tmp" "c:\Users\Admin\AppData\Local\Temp\il2m1yiu\CSC74CFEA0C53AD44AF9E1446CA7A75324A.TMP"
    3⤵
    PID:4976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES446B.tmp

Filesize
1KB

MD5
70e597bd126a11172835009166c7f3d6

SHA1
b42adf874b1cb577707ad64afadf654588e01818

SHA256
ac159e62f1dca8cc2db78b6141015af40cf60b807d2f67f3456a36c53ca427f5

SHA512
0a819437900979c352ca492026e0b6a7c1518456f7f364b262a16ab359b3c42e0702ac338726a63982e13cb719f8de88cefe2e7add59c5947a1b2c3f386edce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\il2m1yiu\il2m1yiu.dll

Filesize
9KB

MD5
2952cc77228608aa092bc7ff1eb076db

SHA1
f4f908b7a16b567fdfeeef91be5c1ae350e80323

SHA256
1307d19947c56855eed752668094322fa13ee5ba5c8a0d5fd13b12f19164a857

SHA512
36f4700637810ba6e652d66daadaa63fe1605cf9a83fdc6a28b00fce4e0078a3670390b7d0adfa15f5cd241538a1bba2052e222b8634c6d9a89e4bfdafa252aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\il2m1yiu\CSC74CFEA0C53AD44AF9E1446CA7A75324A.TMP

Filesize
652B

MD5
51d01bc78ab1bd069fd0f33202635dbc

SHA1
1c5453af0e094f08cd50f870282f4d4c1523e160

SHA256
0b273e40cfe99010197e6ced191a270b683f5f2a202912843071370c8c57e7d9

SHA512
d4e5444624485975b90d62624f8f514e6e5f367ba3b3c72554cf2549ba8156f626bbf19fed0bd2a2474569b1806cf20e07416e6d2d6cf5f03e49f010a156d261

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\il2m1yiu\il2m1yiu.0.cs

Filesize
10KB

MD5
42cdf76cfeebaa4420881fdb1f349522

SHA1
ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d

SHA256
463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970

SHA512
ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\il2m1yiu\il2m1yiu.cmdline

Filesize
204B

MD5
e6cb712acdfb266b2af2e4d45c9cd193

SHA1
669f8599a432d532a744acf1238ca29063f93a9d

SHA256
a6cf95d1c95de700c0c7abe4d3163f9e1237be375111d430e2b4066e9ef18a0a

SHA512
e86d21d36b8f7eb6785a648ad06077728247c3321b966d677b55a173436e0e950285faaba7e27cc17b28e68fa16c3672c634f37b063eef9a9ed265602b4dc11d

Download Submit
memory/396-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/396-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/396-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/396-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3856-4-0x000000001BBE0000-0x000000001BC64000-memory.dmp

Filesize
528KB

Download
memory/3856-17-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

Filesize
32KB

Download
memory/3856-0-0x0000000000A30000-0x0000000000CD4000-memory.dmp

Filesize
2.6MB

Download
memory/3856-22-0x00007FFDF82E0000-0x00007FFDF8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-3-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/3856-2-0x00007FFDF82E0000-0x00007FFDF8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-1-0x0000000002DE0000-0x0000000002E3E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing