raccoon | 5c4413fce239cfb51d0ef602b465626ea660649639bfc57a583c4142dad3dfe4

General

Target

ca8fed5a1394c4c680b5d261d4bb688c.exe
Size

900KB
MD5

ca8fed5a1394c4c680b5d261d4bb688c
SHA1

3e41eb13b33e2be9d15bc16352cb7cae1fa33b8d
SHA256

5c4413fce239cfb51d0ef602b465626ea660649639bfc57a583c4142dad3dfe4
SHA512

3ff22d11caecc3985416cc72ae4a344853d9e8427168de72d940ba70a003f155a677bc9fc3a9503a758e9eed907ddd48a7715fc54bea744afa1745d86c751101
SSDEEP

24576:i4c3+VbG0AOOy8Gq73UpdWuwWggp0F8pQ5:ics0lOwq7Sp0FH

Score

10^/10

raccoon d7b6e0cee1cd813ad40c812cf45171cf0360e249 stealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

d7b6e0cee1cd813ad40c812cf45171cf0360e249

Attributes

url4cnc
https://telete.in/mimipanera11

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2676-4-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2676-6-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2676-8-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2676-9-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ca8fed5a1394c4c680b5d261d4bb688c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ca8fed5a1394c4c680b5d261d4bb688c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28
PID 2212 wrote to memory of 2676	2212	ca8fed5a1394c4c680b5d261d4bb688c.exe	28

C:\Users\Admin\AppData\Local\Temp\ca8fed5a1394c4c680b5d261d4bb688c.exe
"C:\Users\Admin\AppData\Local\Temp\ca8fed5a1394c4c680b5d261d4bb688c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\ca8fed5a1394c4c680b5d261d4bb688c.exe
  C:\Users\Admin\AppData\Local\Temp\ca8fed5a1394c4c680b5d261d4bb688c.exe
  2⤵
  - Modifies system certificate store
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-0-0x0000000000D60000-0x0000000000E42000-memory.dmp

Filesize
904KB

Download
memory/2212-1-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2212-2-0x00000000043C0000-0x0000000004400000-memory.dmp

Filesize
256KB

Download
memory/2212-3-0x0000000000570000-0x0000000000596000-memory.dmp

Filesize
152KB

Download
memory/2212-7-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-4-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2676-6-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2676-8-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2676-9-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing