raccoon | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

General

Target

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Size

2.6MB
MD5

38439fdf4744c8a97c0dafce36e4f432
SHA1

e6f56833ecfb2b47f4e39a290bad959776fea2f1
SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
SHA512

69feeaeb83ee5b6773e2919716d9ab2f4acee2f6115ef1731557258f42a5b529760402a091c64be1707a13c4b4cfb09e79ddb0eff24cd3e77fa1e4b355cda407
SSDEEP

49152:01+6+AFUaW+Vvdj8Lf8JtKHibnPIb2qohbLLkYPTRAEOOaS4d5eTovYuLL:XANzVvdw4Jr76oNLpPNAEkeTYpLL

Score

10^/10

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Malware Config

Extracted

Family

raccoon

Botnet

2637bf45ccfc8a2d57025feab0be0b31

C2

http://194.116.173.154:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

resource	yara_rule
behavioral2/memory/1140-19-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/1140-23-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/1140-24-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/1140-25-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 4 IoCs

resource	yara_rule
behavioral2/memory/1140-19-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1140-23-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1140-24-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1140-25-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables manipulated with Fody 1 IoCs

resource	yara_rule
behavioral2/memory/3656-0-0x0000000000AC0000-0x0000000000D64000-memory.dmp	INDICATOR_EXE_Packed_Fody

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3656 set thread context of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 4020	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	18
PID 3656 wrote to memory of 4020	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	18
PID 4020 wrote to memory of 4508	4020	csc.exe	22
PID 4020 wrote to memory of 4508	4020	csc.exe	22
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21
PID 3656 wrote to memory of 1140	3656	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	21

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0vn2mxlb\0vn2mxlb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES567C.tmp" "c:\Users\Admin\AppData\Local\Temp\0vn2mxlb\CSC9ADD1AEF2DA943629735A0461857C516.TMP"
    3⤵
    PID:4508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0vn2mxlb\0vn2mxlb.dll

Filesize
9KB

MD5
8a9cb41fd92cb679e0d5eb2bd91572a4

SHA1
230403437b6322f8222e4a2806c05ba9f64e4c34

SHA256
2f68b0dcca3621f6836db31c1a08413535f3209f7dd274d5269d754a1af9e899

SHA512
1ef655d3bd4b1b0399f1b123c0b9c495534dc51e8b92740aa391f191fe78954bf3e9c2c87b113bef05be79f41fa29db8bd1140337d10e8d9cd73710295c795e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES567C.tmp

Filesize
1KB

MD5
843b69ca34a54aef9b88641907b3ded6

SHA1
9a4f06406b9f198c2e2f6f92b778fee283d9958b

SHA256
a390aff5152cd6af7f1bf0d085bdb62018aee136e136994e43b47b38b87cdd21

SHA512
128687a734873ac013bce904e36e4220029df7a306ba96e84e515f48604ddc09fd24e1e4adf774e3f4e77289fb7b6f2cd3bc83610a9cef012c120d62764fa098

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0vn2mxlb\0vn2mxlb.0.cs

Filesize
10KB

MD5
42cdf76cfeebaa4420881fdb1f349522

SHA1
ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d

SHA256
463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970

SHA512
ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0vn2mxlb\0vn2mxlb.cmdline

Filesize
204B

MD5
4ed789dc68bd60019213838af5ca0204

SHA1
e4434972735819fa30a82e94c88b578a1a762d4f

SHA256
62f443696009ff5dcfbe1f111b4a566dec6caf1d4626f0ac6c3c4ce3fce16671

SHA512
3ded5f9fc933ab66373d1e6f6c3a5337ef633812fb0655206f7d9d9bf49c32105a4f4960b7e685859ad1b5a598eca29d57b50ce35fa73e74096d9433816baabf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0vn2mxlb\CSC9ADD1AEF2DA943629735A0461857C516.TMP

Filesize
652B

MD5
651e4aacb77f0e75699f5c1da5f428de

SHA1
403ec5834eaa719d4164cdd1561a789dba061ea5

SHA256
b0b1e542eeca7da4447f73e0f4ccdafd7ab9c499ed8e2ca9b949257779789988

SHA512
5114484f0674341dbe71fbc0559c28e3d0273bb3f43cba1128796129ccbafcb5c49fd3d04aea6a1f7b8ae15ceb068bb348f484becbc8179975a4e5643669441d

Download Submit
memory/1140-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1140-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1140-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1140-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3656-4-0x000000001BE00000-0x000000001BE84000-memory.dmp

Filesize
528KB

Download
memory/3656-0-0x0000000000AC0000-0x0000000000D64000-memory.dmp

Filesize
2.6MB

Download
memory/3656-22-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

Filesize
10.8MB

Download
memory/3656-17-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

Filesize
32KB

Download
memory/3656-1-0x0000000002FD0000-0x000000000302E000-memory.dmp

Filesize
376KB

Download
memory/3656-2-0x00007FFD57950000-0x00007FFD58411000-memory.dmp

Filesize
10.8MB

Download
memory/3656-3-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing