raccoon | 65af64061884c6ff247e9bab07a94f778cebec4c55da07ee3abb916dee0ddd71

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad7a4b5c6bc9383e5a244fda169fdb00.exe
Size

1.5MB
MD5

ad7a4b5c6bc9383e5a244fda169fdb00
SHA1

14b24a4a1b0ef73c9550a5788dc3c687d633ce34
SHA256

65af64061884c6ff247e9bab07a94f778cebec4c55da07ee3abb916dee0ddd71
SHA512

c91dd8876fe495430681313a53992dd84a5a7cc58a3b68d530bf96176f01ac40b7a7487c11b3091fdcada085aebf353295f75716eff08dd69925fe46ac79cc4c
SSDEEP

24576:sSLXsG83o1wTJIC0IhecVBgHigJujOTNNVJ7M/4/659fs13evY5MS9IEckPY:bcb46TJE1cjgHiyMOT3VJo/l9fs0vYN2

Score

10^/10

raccoon eb0bbcaea74055acda89ce8f7067c40ba5121bbc stealer

Malware Config

Extracted

Family

raccoon

Botnet

eb0bbcaea74055acda89ce8f7067c40ba5121bbc

Attributes

url4cnc
https://t.me/mohibrainos

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2428-29-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral1/memory/2428-33-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral1/memory/2428-34-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral1/memory/2428-36-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

Executes dropped EXE 3 IoCs

pid	Process
2684	Volevo.exe.com
2232	Volevo.exe.com
2428	ipconfig.exe

Loads dropped DLL 3 IoCs

pid	Process
2492	cmd.exe
2684	Volevo.exe.com
2232	Volevo.exe.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 2428	2232	Volevo.exe.com	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2428	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
852	PING.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2232	Volevo.exe.com

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2684	Volevo.exe.com
2684	Volevo.exe.com
2684	Volevo.exe.com
2232	Volevo.exe.com
2232	Volevo.exe.com
2232	Volevo.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2684	Volevo.exe.com
2684	Volevo.exe.com
2684	Volevo.exe.com
2232	Volevo.exe.com
2232	Volevo.exe.com
2232	Volevo.exe.com

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2260	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	28
PID 2036 wrote to memory of 2260	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	28
PID 2036 wrote to memory of 2260	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	28
PID 2036 wrote to memory of 2260	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	28
PID 2036 wrote to memory of 2484	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	29
PID 2036 wrote to memory of 2484	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	29
PID 2036 wrote to memory of 2484	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	29
PID 2036 wrote to memory of 2484	2036	ad7a4b5c6bc9383e5a244fda169fdb00.exe	29
PID 2484 wrote to memory of 2492	2484	cmd.exe	31
PID 2484 wrote to memory of 2492	2484	cmd.exe	31
PID 2484 wrote to memory of 2492	2484	cmd.exe	31
PID 2484 wrote to memory of 2492	2484	cmd.exe	31
PID 2492 wrote to memory of 2664	2492	cmd.exe	32
PID 2492 wrote to memory of 2664	2492	cmd.exe	32
PID 2492 wrote to memory of 2664	2492	cmd.exe	32
PID 2492 wrote to memory of 2664	2492	cmd.exe	32
PID 2492 wrote to memory of 2684	2492	cmd.exe	33
PID 2492 wrote to memory of 2684	2492	cmd.exe	33
PID 2492 wrote to memory of 2684	2492	cmd.exe	33
PID 2492 wrote to memory of 2684	2492	cmd.exe	33
PID 2492 wrote to memory of 852	2492	cmd.exe	34
PID 2492 wrote to memory of 852	2492	cmd.exe	34
PID 2492 wrote to memory of 852	2492	cmd.exe	34
PID 2492 wrote to memory of 852	2492	cmd.exe	34
PID 2684 wrote to memory of 2232	2684	Volevo.exe.com	35
PID 2684 wrote to memory of 2232	2684	Volevo.exe.com	35
PID 2684 wrote to memory of 2232	2684	Volevo.exe.com	35
PID 2684 wrote to memory of 2232	2684	Volevo.exe.com	35
PID 2232 wrote to memory of 2428	2232	Volevo.exe.com	36
PID 2232 wrote to memory of 2428	2232	Volevo.exe.com	36
PID 2232 wrote to memory of 2428	2232	Volevo.exe.com	36
PID 2232 wrote to memory of 2428	2232	Volevo.exe.com	36
PID 2232 wrote to memory of 2428	2232	Volevo.exe.com	36

C:\Users\Admin\AppData\Local\Temp\ad7a4b5c6bc9383e5a244fda169fdb00.exe
"C:\Users\Admin\AppData\Local\Temp\ad7a4b5c6bc9383e5a244fda169fdb00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Sfaldavano.iso
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^YmzVnPKdwISSURsTWsXvPUNOOJsWIGAxaEboumddMhrUGgdoaZPrURNtLFuOnOHconmfxpNvwGJBQSoAaoDIQvmAQzvBaBSYGIMiOqOpjaegokhTvGvflYE$" Pel.iso
      4⤵
      PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com
      Volevo.exe.com V
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com V
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
        6⤵
        Executes dropped EXE
        Gathers network information
        
        PID:2428
  - - C:\Windows\SysWOW64\PING.EXE
      ping BISMIZHX -n 30
      4⤵
      Runs ping.exe
      PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Animatrici.iso

Filesize
565KB

MD5
0b5082dbf8a3d1bce6c1018c8968c061

SHA1
2e7c6ac0f573441e524f4558f81fd0805854f10a

SHA256
66fc9c102c3b3d609f23dafd787accece3f4cd19749bbd3f24706cb4f047620d

SHA512
76d3b5c28decda14b8551e832a2c641722a18c7ac6850a58d47d2d28351cb2dc8653e1686e4662c77bdda552f292a1ba715eedb8630c3ea774b13aef12a61f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pel.iso

Filesize
284KB

MD5
dd4419c2588a1d1ff2fc46c1583ac1c0

SHA1
0391f57b3bc20841dff6c91034a99debbd4d193c

SHA256
91c85dccc30fdd274c3811d130d43081611b5f21892442ba0aad953065ea57f5

SHA512
2defbc68670df97f5d9d1a556fc4613d2c5091e98ffe932969e9e15e3f71b6937985ce509c83952fc8d6f0c05ea8ab9e0f9b2aa855e0d7e875a3c3d33723a557

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sfaldavano.iso

Filesize
477B

MD5
2f20ebfbc07121f6475c977decf8640e

SHA1
9db233717d321f73a8dfdbbcef255a84ead06e24

SHA256
f0ebd88e459e4a2330c60acb54bac61edb524d1539e2da6276eeca049c18ad1f

SHA512
195a93f53c54bfc6aaab8d2e62b8b778fa3c921fa7aac1c931da66fa0936a88d507eda5018ed4ed3690136ea4f4d0bffc577f20ab5244ffdef081bbdac261f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Universo.iso

Filesize
786KB

MD5
62c22d74d1deebbf8006453e057b6583

SHA1
d5fadcfe97d19bdc0c25f32164c4b6f69ce3af0f

SHA256
09da546d1a110fcc037af2715d178da0db3a0a50afe913e13122d98fb2a600f8

SHA512
2b0df9c9f57147f45c5ed77425cfb9214165b02625fd326b666bb7f35ab01c5073670d51bf92cfc7bcb44090db2f5b05b879b25c3a5846e52f448c7a6b243b77

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe

Filesize
26KB

MD5
cabb20e171770ff64614a54c1f31c033

SHA1
ea18043fedaf888f04c07f71f2006f3f479c0b41

SHA256
c0e3087d87c84776fe7ffca768a0793c02d28e34a821f0c9da32339af8e7e6a6

SHA512
a6a6beff693f2e2c71c0d8e12f6964e789aa4b370c1e0191b2b0ff038801fdb0038a54c0a8f2dbc0d399d2c016f89701c6b6275b3a2b6fa74fb2a5ea817c2d3b

Download Submit
memory/2232-25-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2232-32-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2428-29-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2428-33-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2428-34-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2428-36-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download