raccoon | ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182 | Triage

Sharing

General

Target

ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe
Size

768KB
Sample

240314-c9yg9sgg6x
MD5

ad27c002c314717f78cadab27bf049cf
SHA1

8467513920df45cc742760f05fef909b54a95261
SHA256

ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
SHA512

a691790f69341f28173e6a83200480af952ca35af0724d670d8b4a52264c991cfb61ee6cc513615414a2864071244753b84122d493a67f2f73d47a2395e5255e
SSDEEP

24576:gbGdMU29P/8RLgad7P3BeJlDff4WGVF9kkzB:qG+xsZgg7fMJlDIVFTzB

Score

10^/10

raccoon 4076618ff41b7d8c15ac86f265ebc66d stealer

Malware Config

Extracted

Family

raccoon

Botnet

4076618ff41b7d8c15ac86f265ebc66d

C2

http://82.146.45.177:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Targets

- Target
  
  ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe
- Size
  
  768KB
- MD5
  
  ad27c002c314717f78cadab27bf049cf
- SHA1
  
  8467513920df45cc742760f05fef909b54a95261
- SHA256
  
  ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
- SHA512
  
  a691790f69341f28173e6a83200480af952ca35af0724d670d8b4a52264c991cfb61ee6cc513615414a2864071244753b84122d493a67f2f73d47a2395e5255e
- SSDEEP
  
  24576:gbGdMU29P/8RLgad7P3BeJlDff4WGVF9kkzB:qG+xsZgg7fMJlDIVFTzB
Score

10^/10

raccoon 4076618ff41b7d8c15ac86f265ebc66d stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V2 payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $TEMP/Designation
- Size
  
  209KB
- MD5
  
  c1cc1aa18b9007c18d77d379897ca025
- SHA1
  
  64c85a49243812f66e0dd819129cb99ee10ef763
- SHA256
  
  5ff84c86bbb50331fb0a8dda84591ff259d236aa54fb1c7e14e420e916d340cc
- SHA512
  
  791c7cdc14c4947460327d9cb4b9a524dcf948ece3f96446a0d8da8cd938922dcb5695a16b011ab7910581341ca1b0088dc1df7f45712dfdcb78a2058d56c310
- SSDEEP
  
  3072:J8NRCzqq/gNDCFPqWvMh5h92CjBf8QUnxoBVp:J8NRCzE9CY3h5h92QWQUxGp
Score

1^/10
behavioral3 behavioral4
- Target
  
  $TEMP/Prev
- Size
  
  173KB
- MD5
  
  8d019b45973901b4854eec33096d05c0
- SHA1
  
  1dfb37a78659ba3917c6479ead9c9f645bbb8331
- SHA256
  
  d4dce3c852197709b13ad7a426d2e515d3d7d0d52d79d4b1de7f3c8e5f881ff3
- SHA512
  
  9e23a4d76c707476e0c342dc6468c153571a5e1a106397d80c8ade95682119bd3bfe45ba803521327d61d926c14bcb3b61fd1869de4881956453a53183e98af1
- SSDEEP
  
  3072:pPpU08BjlWTPJth26X7Sn4UfpLUNN9t68cCWlrss4M5iRq3U0Pe3vHU4Sm:LQBk7JjX74cN0lrztgwU0Wym
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

raccoon4076618ff41b7d8c15ac86f265ebc66dstealer

behavioral3

behavioral4

behavioral5

behavioral6