raccoon | 5044bd3dfd6bd23b2ed2e52e4efc0ec6ee59d71d7672d37ce9f2b68e2299a9d1

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 13:08

Target

ce2328dfe8cdacd43216f91b61fec631.exe
Size

422KB
MD5

ce2328dfe8cdacd43216f91b61fec631
SHA1

80380910dabc95803a470c9f58d1ff3645747997
SHA256

5044bd3dfd6bd23b2ed2e52e4efc0ec6ee59d71d7672d37ce9f2b68e2299a9d1
SHA512

e4143db4187b69110cf8ca4dba6c17d20b508963b2168bba00ac1f34191904757d218836425c5067891756d6b972bdfb4e514a6678c1141e1291b23409d9ab29
SSDEEP

12288:Ctp+P1v1xuXz4AYOFg3APbDiVEIgN12/c:CHAMXz9PeI0

Score

10^/10

raccoon stealer

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral2/memory/5020-2-0x0000000003B80000-0x0000000003C0F000-memory.dmp	family_raccoon_v1
behavioral2/memory/5020-3-0x0000000000400000-0x0000000001DB7000-memory.dmp	family_raccoon_v1
behavioral2/memory/5020-4-0x0000000000400000-0x0000000001DB7000-memory.dmp	family_raccoon_v1
behavioral2/memory/5020-7-0x0000000003B80000-0x0000000003C0F000-memory.dmp	family_raccoon_v1

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4052	5020	WerFault.exe	92
4748	5020	WerFault.exe	92
816	5020	WerFault.exe	92
1728	5020	WerFault.exe	92
4732	5020	WerFault.exe	92
3696	5020	WerFault.exe	92

C:\Users\Admin\AppData\Local\Temp\ce2328dfe8cdacd43216f91b61fec631.exe
"C:\Users\Admin\AppData\Local\Temp\ce2328dfe8cdacd43216f91b61fec631.exe"
1⤵
PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 740
  2⤵
  - Program crash
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 776
  2⤵
  - Program crash
  PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 896
  2⤵
  - Program crash
  PID:816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 760
  2⤵
  - Program crash
  PID:1728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1156
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1168
  2⤵
  - Program crash
  PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5020 -ip 5020
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5020 -ip 5020
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020
1⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3728 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
1⤵
PID:1496

memory/5020-1-0x00000000020E0000-0x00000000021E0000-memory.dmp

Filesize
1024KB

Download
memory/5020-2-0x0000000003B80000-0x0000000003C0F000-memory.dmp

Filesize
572KB

Download
memory/5020-3-0x0000000000400000-0x0000000001DB7000-memory.dmp

Filesize
25.7MB

Download
memory/5020-4-0x0000000000400000-0x0000000001DB7000-memory.dmp

Filesize
25.7MB

Download
memory/5020-6-0x00000000020E0000-0x00000000021E0000-memory.dmp

Filesize
1024KB

Download
memory/5020-7-0x0000000003B80000-0x0000000003C0F000-memory.dmp

Filesize
572KB

Download