raccoon | 65af64061884c6ff247e9bab07a94f778cebec4c55da07ee3abb916dee0ddd71

General

Target

ad7a4b5c6bc9383e5a244fda169fdb00.exe
Size

1.5MB
MD5

ad7a4b5c6bc9383e5a244fda169fdb00
SHA1

14b24a4a1b0ef73c9550a5788dc3c687d633ce34
SHA256

65af64061884c6ff247e9bab07a94f778cebec4c55da07ee3abb916dee0ddd71
SHA512

c91dd8876fe495430681313a53992dd84a5a7cc58a3b68d530bf96176f01ac40b7a7487c11b3091fdcada085aebf353295f75716eff08dd69925fe46ac79cc4c
SSDEEP

24576:sSLXsG83o1wTJIC0IhecVBgHigJujOTNNVJ7M/4/659fs13evY5MS9IEckPY:bcb46TJE1cjgHiyMOT3VJo/l9fs0vYN2

Score

10^/10

raccoon eb0bbcaea74055acda89ce8f7067c40ba5121bbc stealer

Malware Config

Extracted

Family

raccoon

Botnet

eb0bbcaea74055acda89ce8f7067c40ba5121bbc

Attributes

url4cnc
https://t.me/mohibrainos

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral2/memory/4472-25-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4472-27-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4472-28-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1
behavioral2/memory/4472-29-0x0000000000400000-0x0000000000492000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	ad7a4b5c6bc9383e5a244fda169fdb00.exe

Executes dropped EXE 3 IoCs

pid	Process
4632	Volevo.exe.com
3592	Volevo.exe.com
4472	ipconfig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 4472	3592	Volevo.exe.com	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4472	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1196	PING.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3592	Volevo.exe.com

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4632	Volevo.exe.com
4632	Volevo.exe.com
4632	Volevo.exe.com
3592	Volevo.exe.com
3592	Volevo.exe.com
3592	Volevo.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4632	Volevo.exe.com
4632	Volevo.exe.com
4632	Volevo.exe.com
3592	Volevo.exe.com
3592	Volevo.exe.com
3592	Volevo.exe.com

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 396	5064	ad7a4b5c6bc9383e5a244fda169fdb00.exe	91
PID 5064 wrote to memory of 396	5064	ad7a4b5c6bc9383e5a244fda169fdb00.exe	91
PID 5064 wrote to memory of 396	5064	ad7a4b5c6bc9383e5a244fda169fdb00.exe	91
PID 5064 wrote to memory of 4004	5064	ad7a4b5c6bc9383e5a244fda169fdb00.exe	92
PID 5064 wrote to memory of 4004	5064	ad7a4b5c6bc9383e5a244fda169fdb00.exe	92
PID 5064 wrote to memory of 4004	5064	ad7a4b5c6bc9383e5a244fda169fdb00.exe	92
PID 4004 wrote to memory of 3516	4004	cmd.exe	94
PID 4004 wrote to memory of 3516	4004	cmd.exe	94
PID 4004 wrote to memory of 3516	4004	cmd.exe	94
PID 3516 wrote to memory of 1564	3516	cmd.exe	95
PID 3516 wrote to memory of 1564	3516	cmd.exe	95
PID 3516 wrote to memory of 1564	3516	cmd.exe	95
PID 3516 wrote to memory of 4632	3516	cmd.exe	96
PID 3516 wrote to memory of 4632	3516	cmd.exe	96
PID 3516 wrote to memory of 4632	3516	cmd.exe	96
PID 3516 wrote to memory of 1196	3516	cmd.exe	97
PID 3516 wrote to memory of 1196	3516	cmd.exe	97
PID 3516 wrote to memory of 1196	3516	cmd.exe	97
PID 4632 wrote to memory of 3592	4632	Volevo.exe.com	98
PID 4632 wrote to memory of 3592	4632	Volevo.exe.com	98
PID 4632 wrote to memory of 3592	4632	Volevo.exe.com	98
PID 3592 wrote to memory of 4472	3592	Volevo.exe.com	101
PID 3592 wrote to memory of 4472	3592	Volevo.exe.com	101
PID 3592 wrote to memory of 4472	3592	Volevo.exe.com	101
PID 3592 wrote to memory of 4472	3592	Volevo.exe.com	101

C:\Users\Admin\AppData\Local\Temp\ad7a4b5c6bc9383e5a244fda169fdb00.exe
"C:\Users\Admin\AppData\Local\Temp\ad7a4b5c6bc9383e5a244fda169fdb00.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Sfaldavano.iso
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^YmzVnPKdwISSURsTWsXvPUNOOJsWIGAxaEboumddMhrUGgdoaZPrURNtLFuOnOHconmfxpNvwGJBQSoAaoDIQvmAQzvBaBSYGIMiOqOpjaegokhTvGvflYE$" Pel.iso
      4⤵
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com
      Volevo.exe.com V
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com V
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
        6⤵
        Executes dropped EXE
        Gathers network information
        
        PID:4472
  - - C:\Windows\SysWOW64\PING.EXE
      ping JKRSODLE -n 30
      4⤵
      Runs ping.exe
      PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Animatrici.iso

Filesize
565KB

MD5
0b5082dbf8a3d1bce6c1018c8968c061

SHA1
2e7c6ac0f573441e524f4558f81fd0805854f10a

SHA256
66fc9c102c3b3d609f23dafd787accece3f4cd19749bbd3f24706cb4f047620d

SHA512
76d3b5c28decda14b8551e832a2c641722a18c7ac6850a58d47d2d28351cb2dc8653e1686e4662c77bdda552f292a1ba715eedb8630c3ea774b13aef12a61f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pel.iso

Filesize
872KB

MD5
ca4e8cc4704634fd026325cc9c976e39

SHA1
eff6b519ae58b5f45a48fab037526eb8b8c0a9e2

SHA256
5e83f932897eb544033f1354a9c14891e0908f14b7efecc831032d18a59cc3e7

SHA512
fd7727a91095d4b11c1a1bdb189e5efe5082b437b01d4833f30d8fc6cfb7ced602708565fd1f9c6fbc068bfb19dc5730e3107184dcf97da58b6b892a63e42317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sfaldavano.iso

Filesize
477B

MD5
2f20ebfbc07121f6475c977decf8640e

SHA1
9db233717d321f73a8dfdbbcef255a84ead06e24

SHA256
f0ebd88e459e4a2330c60acb54bac61edb524d1539e2da6276eeca049c18ad1f

SHA512
195a93f53c54bfc6aaab8d2e62b8b778fa3c921fa7aac1c931da66fa0936a88d507eda5018ed4ed3690136ea4f4d0bffc577f20ab5244ffdef081bbdac261f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Universo.iso

Filesize
786KB

MD5
62c22d74d1deebbf8006453e057b6583

SHA1
d5fadcfe97d19bdc0c25f32164c4b6f69ce3af0f

SHA256
09da546d1a110fcc037af2715d178da0db3a0a50afe913e13122d98fb2a600f8

SHA512
2b0df9c9f57147f45c5ed77425cfb9214165b02625fd326b666bb7f35ab01c5073670d51bf92cfc7bcb44090db2f5b05b879b25c3a5846e52f448c7a6b243b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volevo.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe

Filesize
28KB

MD5
3a3b9a5e00ef6a3f83bf300e2b6b67bb

SHA1
261127183df2987de2239806dd74fe624c430608

SHA256
87b036c720fbd5e63355b9920a2864feaf59b1584ebd8458651936ab8c7c1f81

SHA512
21df8867246a9c5834253c0d2c2de3e620e9f8b4b031b9e53cb6082eca78b90bdb09b9e8baf39e05a08b859f81b3aecbc34f3540428cef0bed746d7e769f2f04

Download Submit
memory/3592-22-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/3592-23-0x0000000001380000-0x0000000001382000-memory.dmp

Filesize
8KB

Download
memory/4472-25-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4472-27-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4472-28-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4472-29-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads