raccoon | 8d552cc759fb010e6a6fffd0b9210e7c1ad608d74db3b212e68e16b7fb4c3cba

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FILMORA 13 [LATEST].exe
Size

841KB
MD5

cd1906c7863d47729b0e67f618c416f8
SHA1

b477551537909240af8cd5ab92c1b10668ae9b6b
SHA256

8d552cc759fb010e6a6fffd0b9210e7c1ad608d74db3b212e68e16b7fb4c3cba
SHA512

c3a4c18d10711b2ffd71a4ef6b1f9977c98c3e3e5d63d16977c1e7cd32b0c0f1c02a83ae69af6f12fe9e415afb8ad062a428d3a7a28b0d5650d35923549369e1
SSDEEP

12288:MTmVRdJlYb5EQ8MzHRSwm9e9IjDxIMGy2o6+ceSrhLPRvwYu9GkZuVCUT47TALs5:MoPzybReDao6Pt1RYYMGwmCUT47sQ12y

Score

10^/10

raccoon ef424a2eb9bb1c91d8e21915b6fa4721 stealer

Malware Config

Extracted

Family

raccoon

Botnet

ef424a2eb9bb1c91d8e21915b6fa4721

http://82.146.45.177:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral2/memory/3184-37-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/3184-39-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4912 created 3348	4912	Conventional.pif	57
PID 4912 created 3348	4912	Conventional.pif	57

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FILMORA 13 [LATEST].exe

Executes dropped EXE 3 IoCs

pid	Process
4912	Conventional.pif
4444	Conventional.pif
3184	Conventional.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4912 set thread context of 3184	4912	Conventional.pif	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4532	tasklist.exe
1512	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1344	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	tasklist.exe
Token: SeDebugPrivilege	1512	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4912	Conventional.pif
4912	Conventional.pif
4912	Conventional.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 1536	456	FILMORA 13 [LATEST].exe	100
PID 456 wrote to memory of 1536	456	FILMORA 13 [LATEST].exe	100
PID 456 wrote to memory of 1536	456	FILMORA 13 [LATEST].exe	100
PID 1536 wrote to memory of 4532	1536	cmd.exe	102
PID 1536 wrote to memory of 4532	1536	cmd.exe	102
PID 1536 wrote to memory of 4532	1536	cmd.exe	102
PID 1536 wrote to memory of 2728	1536	cmd.exe	103
PID 1536 wrote to memory of 2728	1536	cmd.exe	103
PID 1536 wrote to memory of 2728	1536	cmd.exe	103
PID 1536 wrote to memory of 1512	1536	cmd.exe	105
PID 1536 wrote to memory of 1512	1536	cmd.exe	105
PID 1536 wrote to memory of 1512	1536	cmd.exe	105
PID 1536 wrote to memory of 3156	1536	cmd.exe	106
PID 1536 wrote to memory of 3156	1536	cmd.exe	106
PID 1536 wrote to memory of 3156	1536	cmd.exe	106
PID 1536 wrote to memory of 3316	1536	cmd.exe	107
PID 1536 wrote to memory of 3316	1536	cmd.exe	107
PID 1536 wrote to memory of 3316	1536	cmd.exe	107
PID 1536 wrote to memory of 3400	1536	cmd.exe	108
PID 1536 wrote to memory of 3400	1536	cmd.exe	108
PID 1536 wrote to memory of 3400	1536	cmd.exe	108
PID 1536 wrote to memory of 4112	1536	cmd.exe	109
PID 1536 wrote to memory of 4112	1536	cmd.exe	109
PID 1536 wrote to memory of 4112	1536	cmd.exe	109
PID 1536 wrote to memory of 4912	1536	cmd.exe	110
PID 1536 wrote to memory of 4912	1536	cmd.exe	110
PID 1536 wrote to memory of 4912	1536	cmd.exe	110
PID 1536 wrote to memory of 1344	1536	cmd.exe	111
PID 1536 wrote to memory of 1344	1536	cmd.exe	111
PID 1536 wrote to memory of 1344	1536	cmd.exe	111
PID 4912 wrote to memory of 4444	4912	Conventional.pif	113
PID 4912 wrote to memory of 4444	4912	Conventional.pif	113
PID 4912 wrote to memory of 4444	4912	Conventional.pif	113
PID 4912 wrote to memory of 3184	4912	Conventional.pif	114
PID 4912 wrote to memory of 3184	4912	Conventional.pif	114
PID 4912 wrote to memory of 3184	4912	Conventional.pif	114
PID 4912 wrote to memory of 3184	4912	Conventional.pif	114
PID 4912 wrote to memory of 3184	4912	Conventional.pif	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\FILMORA 13 [LATEST].exe
  "C:\Users\Admin\AppData\Local\Temp\FILMORA 13 [LATEST].exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Jazz Jazz.bat & Jazz.bat & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4532
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3156
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 10809
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Projects + Makers + Producers + Mexico + Appliance 10809\Conventional.pif
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Promotions + Dollars + Transition 10809\W
      4⤵
      PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10809\Conventional.pif
      10809\Conventional.pif 10809\W
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4912
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1344
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10809\Conventional.pif
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10809\Conventional.pif
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10809\Conventional.pif
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10809\Conventional.pif
  2⤵
  - Executes dropped EXE
  PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10809\Conventional.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10809\W

Filesize
595KB

MD5
0451b84e177975f235961a36d679c34f

SHA1
285b96964b70f23e54b5f4fc6f80bdc3c038cf50

SHA256
d9323feddda7bccdff87a7006138ed2ac8d966408d6daf07ae7ef8ce5c9365fa

SHA512
0b6e0f3f6b4ab560e7970f73987573033a1c79fa6ac2a5242d7f391636dd935af09e1d8d4c463ffb7e10715e1bb97c44d89d5baaf0efc3511de5e5c711c8888c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appliance

Filesize
124KB

MD5
fd27be119556d6ea8774a72b62997f47

SHA1
df7d3d657ff449bfddc034fe5b637f7d054b2a48

SHA256
df6a3c9ee84f766bbbb1ca3def54b7dcd24c2d1e88774a6162c277df126cf09c

SHA512
114bda917fb7ce012a8cb7299a29830fb0c7179cac749f0d0602ed0b9acc5494f5d92687f0825610925d111087b0010d03efa346d4f9ad395dc3108e61112cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dollars

Filesize
267KB

MD5
3300545b635ddbec733a4e9827e15d9b

SHA1
a730338bc5a9d36a2ff3b27b05cd2b4742ceea13

SHA256
20892b4e9f73c2bf6d2c596b9d00be0c679f3daaf5da71eccfdacfbaae7a747b

SHA512
a4b5a52c9a90e4707aff16d899680b24d792fb586ec34b481f43174d052c771f6b193150e028277dba4b72514e80db9d3059df70484489accde2173aef8bd0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Jazz

Filesize
11KB

MD5
7cf4eb8d80dda0cc8e0bdf7cb242091e

SHA1
f292e582e9222899a895360dd3f165a01bfa72b0

SHA256
29c20d9435ec8640e7f57233f43c9356b37a05fb6c4b29938dac755d48ed8070

SHA512
f1eaa0050c3764ef7ec647d9e43a1f8695261a31499f57e76993e5f246772a206d270cf6b0d4b1d66dd97d0e29911b35b2a1381e6d7c488c2ba78194ba1267da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Makers

Filesize
157KB

MD5
324167d21fdb1415be17242b3f628991

SHA1
d2b6155e158fa6ae645cc1df90d4dc4f9ca5b754

SHA256
1a24f30941fd6748dee61c27e76dc9d0944a06c50fbfd1e1e7c0dee2f2d312d7

SHA512
1605ed990fa57f645ace09c154ca81e78048d7cba96cb91ba1d41ee104b43fc7f49ffec9a12cda3ae74fe27c967f78d09e01581dbb7489b19bfa50efdc0b0ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mexico

Filesize
260KB

MD5
70ab199475e2f54fac1050f34e1f6dd5

SHA1
e95dd15e1108ae2eab02c5c7f5dfd2dc49c5eb6e

SHA256
9d7c1993006ef27f7d46abcadb213118364f40238e42122115b88bd831ba99b4

SHA512
6837371e6f29d0556ec315ebbe92d763a14e20c48a53a6369288616d405b2590d66fa6d81557186e681037342ae14864af410feb2c2ed21f9c8c94a9a629ad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Producers

Filesize
199KB

MD5
411848bec112c50bf158289496479e46

SHA1
aa09fc72d0b2ea84d5164c3f804f30d5eb46245b

SHA256
4eca2017d72de2235c7f72a8b638da746b02057980ff3008b8e1facfb75ff53e

SHA512
764e507ef2fe6ee3d5cd990c35d2fb5c54a4c5605441648eeccb53cdf212a216a4dd8f965fec04fa575fbc6619647de2155a2f8683e7ea91f89850fffc3f96cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Projects

Filesize
184KB

MD5
1538ce51b0a02ec4e04c8e3cb53020cb

SHA1
4e7f8e619f3ff05b330b386cbe44a64c319a347a

SHA256
bb74ba920a49685ff1b366c38f59a41c8b5a9749062febd08a4927cf08c68b7a

SHA512
9461542339f269e5da6d138cb5a044fd98505a3579e6898830d5eae6aff3c894112c2731b766fdd3b2fb484ab4def2dfc4f051b659671d3e10a33c24998fc3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promotions

Filesize
220KB

MD5
58a9e1be12c510b6dd8258ac643f7417

SHA1
d5f8fe827825d1a27e2fa1e0a52d88901c5a0a77

SHA256
49e968f090b436408803d98779a38f95c9f8048c772b51e8e4084b8bb93c435b

SHA512
5c8d095ae81fadb90ea524aac62b34aea6efaed4020ceb7ba13aba070b2593b19aabfce54b33f9c5820421cb5af1dfbcc65927f3d241844becd1a0d6bcc16bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Transition

Filesize
108KB

MD5
af5669d347e8b5f17879b7c6ad248912

SHA1
08b87792572f914ad8e3b349bcc42a630970d91a

SHA256
0b3c02f2feeab42c6479bde859c034e16fa60a3a391c964d7f5e9d3bd6988799

SHA512
83aa191315b99f35be6ea49a6f0b076b891d02415a2c78ce38c6d1c6dd267c4c445bac808427551e0e5e85352d0a729c6b8cdc114bbc1f6fe91ea0445dbf2f5a

Download Submit
memory/3184-36-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3184-37-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3184-39-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4912-32-0x00000000779A1000-0x0000000077AC1000-memory.dmp

Filesize
1.1MB

Download
memory/4912-34-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download