raccoon | 45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503

General

Target

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
Size

2.6MB
MD5

38439fdf4744c8a97c0dafce36e4f432
SHA1

e6f56833ecfb2b47f4e39a290bad959776fea2f1
SHA256

45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503
SHA512

69feeaeb83ee5b6773e2919716d9ab2f4acee2f6115ef1731557258f42a5b529760402a091c64be1707a13c4b4cfb09e79ddb0eff24cd3e77fa1e4b355cda407
SSDEEP

49152:01+6+AFUaW+Vvdj8Lf8JtKHibnPIb2qohbLLkYPTRAEOOaS4d5eTovYuLL:XANzVvdw4Jr76oNLpPNAEkeTYpLL

Score

10^/10

raccoon 2637bf45ccfc8a2d57025feab0be0b31 stealer

Malware Config

Extracted

Family

raccoon

Botnet

2637bf45ccfc8a2d57025feab0be0b31

C2

http://194.116.173.154:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral2/memory/2256-19-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/2256-23-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/2256-24-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 3 IoCs

resource	yara_rule
behavioral2/memory/2256-19-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/2256-23-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/2256-24-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables manipulated with Fody 1 IoCs

resource	yara_rule
behavioral2/memory/1916-0-0x0000000000850000-0x0000000000AF4000-memory.dmp	INDICATOR_EXE_Packed_Fody

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 5116	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	85
PID 1916 wrote to memory of 5116	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	85
PID 5116 wrote to memory of 3724	5116	csc.exe	89
PID 5116 wrote to memory of 3724	5116	csc.exe	89
PID 1916 wrote to memory of 4980	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 1916 wrote to memory of 4980	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 1916 wrote to memory of 4980	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	87
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88
PID 1916 wrote to memory of 2256	1916	45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe	88

C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe
"C:\Users\Admin\AppData\Local\Temp\45c1e993dbcdef4111153f9c6ad3eb07a1bd8b50cb6164e4d55098412dfd4503.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\smk4amv5\smk4amv5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4892.tmp" "c:\Users\Admin\AppData\Local\Temp\smk4amv5\CSC2D3E5B56B234EB5B2A0C8AE7DC2D46.TMP"
    3⤵
    PID:3724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4892.tmp

Filesize
1KB

MD5
31401e3155bef18abef23f7b4ad7d293

SHA1
e590c0b99029d4661500e0cf3ee586ab62a76365

SHA256
9796434aa6b36ffcf501f92c7ae7a3f81e29592a7e1a87be67f1bb1934d34c0b

SHA512
4f2b650ec6abbd02dc4cc8e9e3adecc983c6c3e55fa1a9a65db2099feb96133ce53f693a4f428ec895b38541aaa386e14f08fc53457b2fc15927ba49e0310811

Download Submit
C:\Users\Admin\AppData\Local\Temp\smk4amv5\smk4amv5.dll

Filesize
9KB

MD5
d68aa96cf0d0bd8264b2ec1c26b4f36e

SHA1
7dd1ce476cbe7bed2301ea535946b069a1978c44

SHA256
6f3f9994eff7af3e23f5479352bc192019e2454d0e2281001f8cfe2df444e9b3

SHA512
7951f4e8c9e87a0ebc77af0ba93af8ba6f2a30d23c827659c282d46d564073f421af1c91d56f4162d7aa8519e9c588c5747b6fcc7055dd7942f6682bdf23a396

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\smk4amv5\CSC2D3E5B56B234EB5B2A0C8AE7DC2D46.TMP

Filesize
652B

MD5
0d0cf2de410bf7067f4a59f8f2e61457

SHA1
1008699be7da90e2b2c37e06cad35ca1901ffe18

SHA256
0b14adb0d3a39ff3fcf61a76c629ce38418dfd9ed01ee3d96fde720a056d0739

SHA512
827abc9c74f8acc8849e0e9bdcfd283df0da41cda2b61de7860d10268a3c2dbbe31ddbb193a74ad279513023c1817b8994bca5dea74785cef988d4fd3c21ed8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\smk4amv5\smk4amv5.0.cs

Filesize
10KB

MD5
42cdf76cfeebaa4420881fdb1f349522

SHA1
ef4d59c2b791a84ef78b60dba7ab1aec1b28be1d

SHA256
463913a4eb1a1ec5b16cc0307e8e3910389e8505a224c695267eeed1c8d5b970

SHA512
ed44f969cf64ef7c68df80d09f7c8f96c6e688649995c3e624dcd1638a456a8ef66cc535b40aab43a5679fc676dc62a2160cc49a5d8bc22c7df525bfc5520a7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\smk4amv5\smk4amv5.cmdline

Filesize
204B

MD5
676c33563cffc082aadf499ce0d1b2ac

SHA1
11da3103980bf372c4c82ad3d945cf5ede73b4ce

SHA256
f0ebb7d2e3d5a42046549119c6806ccf173dceffe7d20df9df1e00ec049d12b5

SHA512
207b8c363f067b30d8ef1febb5ff2bb296bde394227a7067a21355e6f1f8d48913b630251593996a9d0dd65b28354dcc6e28114702b7bc9a881cf5d92f853d93

Download Submit
memory/1916-4-0x000000001B830000-0x000000001B8B4000-memory.dmp

Filesize
528KB

Download
memory/1916-0-0x0000000000850000-0x0000000000AF4000-memory.dmp

Filesize
2.6MB

Download
memory/1916-17-0x0000000001530000-0x0000000001538000-memory.dmp

Filesize
32KB

Download
memory/1916-3-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download
memory/1916-2-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1916-22-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1916-1-0x00000000014A0000-0x00000000014FE000-memory.dmp

Filesize
376KB

Download
memory/2256-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2256-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2256-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing