raccoon | 5961d0a8ebdc116b674d3231b5c8b01b35d3c7a191b0bb8ab5bb7b14352cc065

Resubmissions

24/02/2024, 23:32

240224-3jlc5agg36 10

19/02/2024, 20:03

240219-ys4tlscg37 10

19/02/2024, 20:01

240219-yrrsnacb2z 10

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

License/Driver Booster 11 PRO License.exe
Size

770KB
MD5

27cf0c7d37e5ffbab9b1a163544f3321
SHA1

3ed7493f213a01f7c99a4d11f56cfa7f79f90d0a
SHA256

4f6eba5f100a37005509d15782ca2991de72d027be766ba779f20e956555c29b
SHA512

f9ac54ee39c7192406a51a6e506b420387b2314facc31656b1acd3a69fdcb3060553b42122c5a6f5092083d71c20d4304b1ed067e9b1e481951c1a4798e0fa2d
SSDEEP

12288:HtLqu6mmCXykkkkkkkBgEgEQJrQXSmsw71AfyffvnZYyGPlWHiCXIEwc+4iAxtz+:HtLWjQXDsw+fAXnZWWHLfwcvxzF7di

Score

10^/10

raccoon ccf92b7fb8bdc5b3c5b2cea72a452ab2 stealer

Malware Config

Extracted

Family

raccoon

Botnet

ccf92b7fb8bdc5b3c5b2cea72a452ab2

http://46.151.31.26:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral2/memory/4568-32-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4568-34-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3156 created 3488	3156	Rosa.pif	60

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	Driver Booster 11 PRO License.exe

Executes dropped EXE 2 IoCs

pid	Process
3156	Rosa.pif
4568	Rosa.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3156 set thread context of 4568	3156	Rosa.pif	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1888	tasklist.exe
4136	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2340	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	tasklist.exe
Token: SeDebugPrivilege	4136	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3156	Rosa.pif
3156	Rosa.pif
3156	Rosa.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4328	2992	Driver Booster 11 PRO License.exe	87
PID 2992 wrote to memory of 4328	2992	Driver Booster 11 PRO License.exe	87
PID 2992 wrote to memory of 4328	2992	Driver Booster 11 PRO License.exe	87
PID 4328 wrote to memory of 1888	4328	cmd.exe	89
PID 4328 wrote to memory of 1888	4328	cmd.exe	89
PID 4328 wrote to memory of 1888	4328	cmd.exe	89
PID 4328 wrote to memory of 3712	4328	cmd.exe	90
PID 4328 wrote to memory of 3712	4328	cmd.exe	90
PID 4328 wrote to memory of 3712	4328	cmd.exe	90
PID 4328 wrote to memory of 4136	4328	cmd.exe	92
PID 4328 wrote to memory of 4136	4328	cmd.exe	92
PID 4328 wrote to memory of 4136	4328	cmd.exe	92
PID 4328 wrote to memory of 4488	4328	cmd.exe	93
PID 4328 wrote to memory of 4488	4328	cmd.exe	93
PID 4328 wrote to memory of 4488	4328	cmd.exe	93
PID 4328 wrote to memory of 4964	4328	cmd.exe	94
PID 4328 wrote to memory of 4964	4328	cmd.exe	94
PID 4328 wrote to memory of 4964	4328	cmd.exe	94
PID 4328 wrote to memory of 4884	4328	cmd.exe	95
PID 4328 wrote to memory of 4884	4328	cmd.exe	95
PID 4328 wrote to memory of 4884	4328	cmd.exe	95
PID 4328 wrote to memory of 4000	4328	cmd.exe	96
PID 4328 wrote to memory of 4000	4328	cmd.exe	96
PID 4328 wrote to memory of 4000	4328	cmd.exe	96
PID 4328 wrote to memory of 3156	4328	cmd.exe	97
PID 4328 wrote to memory of 3156	4328	cmd.exe	97
PID 4328 wrote to memory of 3156	4328	cmd.exe	97
PID 4328 wrote to memory of 2340	4328	cmd.exe	98
PID 4328 wrote to memory of 2340	4328	cmd.exe	98
PID 4328 wrote to memory of 2340	4328	cmd.exe	98
PID 3156 wrote to memory of 4568	3156	Rosa.pif	101
PID 3156 wrote to memory of 4568	3156	Rosa.pif	101
PID 3156 wrote to memory of 4568	3156	Rosa.pif	101
PID 3156 wrote to memory of 4568	3156	Rosa.pif	101
PID 3156 wrote to memory of 4568	3156	Rosa.pif	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\License\Driver Booster 11 PRO License.exe
  "C:\Users\Admin\AppData\Local\Temp\License\Driver Booster 11 PRO License.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Assume Assume.bat & Assume.bat & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1888
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4136
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 19887
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Fields + Bronze + Pressing + Extending + Administrator 19887\Rosa.pif
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Processing 19887\e
      4⤵
      PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\19887\Rosa.pif
      19887\Rosa.pif 19887\e
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3156
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:2340
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\19887\Rosa.pif
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\19887\Rosa.pif
  2⤵
  - Executes dropped EXE
  PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\19887\Rosa.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Administrator

Filesize
178KB

MD5
d8f9dd4003de34471d0797f274ebe7bc

SHA1
393aceab75a29520961e52cd0756e8971f02f72a

SHA256
db576bf9cae0e2ec38f1efbcaad5e7941b3456bc7b9ab5d3570d281937ef007c

SHA512
bc34e3ee19055353eab85ef420a8ccbba81bc8ade7f745c7e7ca6fab6ebded5ffbce01bd2fec78bc8db661e89c62f021ff375d547670eb08050ac49e07ea657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Assume

Filesize
10KB

MD5
8c4c658f59e7e8626cf7f8a382cbe005

SHA1
7ca0681bab8878b032d2f084275a487fea690bcc

SHA256
462506a044d309cde8677030483e35b4ad323f7f93b4f82c667aa0426017bb1a

SHA512
d2077ef00c1f8753d7cd27b56aa2bcd266b046c3fe25eca58265ff0cc0e990234889eafb38cf55c16c98105cbaa785f66c4575b977958a26a0a1919069413f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bronze

Filesize
115KB

MD5
7dea798d8550a7eb8c0dac613d328119

SHA1
3c2a6577e063b7371c52108393c8637f338c70cc

SHA256
7c418482ec85689387802871cc2bc4a031b68328a60b90122d4e3d84cea306cf

SHA512
7750be47bcdd5225dd73eb7e06c500d50b43fe961424cc6f4c09f78648848e10175b137d032d73fecd7b9cc5e6469889d98ab39735c183c3b05447e7237ca7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Extending

Filesize
118KB

MD5
f2a6a75f93068cb427350af64f2b98a7

SHA1
e11e41958a8a3b68ff6a8a4bd126b9aff9849d0c

SHA256
28f253d9592bc6badf74dd1dbadda2d65a47e812cb2d75435b25f650cf06a9e5

SHA512
584bdb2eb53eaf86b85eff99c5f8253783421964e9ccc1d9226394b2135d75ef13d8d35369ebf569d5955fab5ba6acb98e6bf68a82a7b51a287470ac3816eefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fields

Filesize
293KB

MD5
b38a37e518db3dd0646287e647da2791

SHA1
80ec5fed671f51a07cc6f30a411bf91056e0e4e3

SHA256
f938df0350470599eda1c3359637627f8cc261038eb6d7438b883ce4c0722580

SHA512
5aaacfe5a3a033b9b07601b1ec1be3079d3244a2a42238cd498ff32f165bcb128a2442a84954fa92dfa3ef7bb32fd4f1013e51ff13deb222d97759c09af332db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pressing

Filesize
220KB

MD5
96b80b99cf941e0851f2d4c6c739563f

SHA1
7cb29861f9e3c81241558eb558f7b6766b9601c2

SHA256
348fcc34733289fb855961990e9c8a7fd0d0b6841fa915b11fea3f354666cbde

SHA512
7d64d6ddfb54beb647f56dc4bcd8f71b8477046c325e5bb35d88149c55a998f69822a6572945e12a4416ea2985d73da7235cc754beddb007c36fbc96a977c35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Processing

Filesize
401KB

MD5
f8a1fc75b3bb6e1cac4cfaa82e25b698

SHA1
ebd7573bdcbfc9ac51742d198cc3287689417cb2

SHA256
07760b8ddfaa45d173d7565e35147019b204cfa4d9009d90755f33062c8b4741

SHA512
cae5ea4f51058cb6bbb4aa70e50eec87be028a607f824ac80ee13b94dbc67489dad831900c4b45f45b79891aa9ab7b78e92748385547ebe7ac44c92f07c1013b

Download Submit
memory/3156-28-0x0000000077551000-0x0000000077671000-memory.dmp

Filesize
1.1MB

Download
memory/3156-30-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4568-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4568-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4568-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download