raccoon | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

General

Target

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Size

2.6MB
MD5

38439fdf4744c8a97c0dafce36e4f432
SHA1

e6f56833ecfb2b47f4e39a290bad959776fea2f1
SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
SHA512

69feeaeb83ee5b6773e2919716d9ab2f4acee2f6115ef1731557258f42a5b529760402a091c64be1707a13c4b4cfb09e79ddb0eff24cd3e77fa1e4b355cda407
SSDEEP

49152:01+6+AFUaW+Vvdj8Lf8JtKHibnPIb2qohbLLkYPTRAEOOaS4d5eTovYuLL:XANzVvdw4Jr76oNLpPNAEkeTYpLL

Score

10^/10

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Malware Config

Extracted

Family

raccoon

Botnet

2637bf45ccfc8a2d57025feab0be0b31

C2

http://194.116.173.154:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

resource	yara_rule
behavioral2/memory/4740-24-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4740-23-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4740-19-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4740-25-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 4 IoCs

resource	yara_rule
behavioral2/memory/4740-24-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4740-23-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4740-19-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4740-25-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables manipulated with Fody 1 IoCs

resource	yara_rule
behavioral2/memory/4828-0-0x0000000000F50000-0x00000000011F4000-memory.dmp	INDICATOR_EXE_Packed_Fody

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4828 set thread context of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1292	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	18
PID 4828 wrote to memory of 1292	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	18
PID 1292 wrote to memory of 372	1292	csc.exe	21
PID 1292 wrote to memory of 372	1292	csc.exe	21
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20
PID 4828 wrote to memory of 4740	4828	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	20

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t205plqk\t205plqk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4517.tmp" "c:\Users\Admin\AppData\Local\Temp\t205plqk\CSC234AA00D99EB4A16AC6687B02C2F1DF0.TMP"
    3⤵
    PID:372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4517.tmp

Filesize
1KB

MD5
28976555b62b9cda6e28c1b0823f67fb

SHA1
e37f3be3f22d553ab8cf1cd1f63b178b0f9c2a4d

SHA256
61c20bd69eb6671f7419985a30dc60d09de943191d735cb7c58df2e26eef7bc8

SHA512
179c6d1cf7401a0f2aa957fc2941c7a2d05d1df9d26815726db3c1fb7810d872028cbcdc7e5c83c328a39b613b6d0667bba66a41772292656ac37f8f774156d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\t205plqk\t205plqk.dll

Filesize
9KB

MD5
cbb88098f3a5d07bf40143c9f909b741

SHA1
3350c0b55402130cedc2b0c4b32b2ed97ae5e8cc

SHA256
5a475a3f9ddc31de3763738e68874181f629c0e4a3fc6f8a76c4df395941104e

SHA512
7b18fda0a2f49b00bbaca1ed67002eb9d0d221258d4732ca8e2be110e9ad5c605d9d92ff327fa8d42ec0c678b5cce1b40bf6fdd0ad80527a1b88ca64c2084b82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t205plqk\CSC234AA00D99EB4A16AC6687B02C2F1DF0.TMP

Filesize
652B

MD5
f66a8eaf2f704bf8ace555e1f5a71cba

SHA1
d81c3b2d589e93a4527d49e18ef474db9e077484

SHA256
156dd0edd757c3d5ac6bac7b2f8e1c4e7c9f896977ab7b48c01f2522e708ee09

SHA512
241d20a73e22548aec3527ef6c2b72ea6efe4ab69fcafcbc0d800a60e4aca9f12a873538350ee4ab35bb2dc8961e52b469aa2ad64f92f81d23a6f3a49ea59d94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t205plqk\t205plqk.0.cs

Filesize
1KB

MD5
f5829a84ccc8c97f4e676f27f981b1ff

SHA1
c9e319ddb507f890f5af8f775e720a2120912023

SHA256
6210f210adb7bc763f1f78964fb951fdf622202cd78f0191649a77fa6fd01164

SHA512
afc00afc72433c9e48ef53b94f1879aa77139a5a0885b382d3429338ed6500f040630e3b12e381354a7249556b45f1bf7a25c047335a66a6ea6bdb920880a1b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t205plqk\t205plqk.cmdline

Filesize
204B

MD5
75507f2e17c591a9fb8a3efb4fe33ee7

SHA1
78ada99724b423b98bd845d8cb9bf75c7dd39806

SHA256
a2da8ecc41dfd70a1ecd2ef66b6a0108fedc5d53486402e7420ac5028ab1d816

SHA512
eabd6a36748d903bd372cc02cac6d16529e3947336d5ba1c0ea20e9f45b08c3f40f6883823f51efdb51bf19b412001efa75dc61b7e8480db34ae891ca2226044

Download Submit
memory/4740-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4740-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4740-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4740-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4828-4-0x000000001C130000-0x000000001C1B4000-memory.dmp

Filesize
528KB

Download
memory/4828-17-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/4828-2-0x00007FFA8F430000-0x00007FFA8FEF1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-22-0x00007FFA8F430000-0x00007FFA8FEF1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-0-0x0000000000F50000-0x00000000011F4000-memory.dmp

Filesize
2.6MB

Download
memory/4828-3-0x000000001BD90000-0x000000001BDA0000-memory.dmp

Filesize
64KB

Download
memory/4828-1-0x000000001BD20000-0x000000001BD7E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing