raccoon | 493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe

General

Target

493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
Size

2.7MB
MD5

0fe65a8555fb9d6a019c265efbccaf50
SHA1

c5527780ba3b4b495b9ae3b90ae43f55fa08db27
SHA256

493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe
SHA512

a5cded74fb81c22a56517287850a162998f69e5fb3ba426b3259e9492f43ef70f3e3715cb6b81f878399e8b0ed9633dbb84297e4b7f35a64227adfaca140b672
SSDEEP

49152:mobxvbkfN8ObOQzhSSsOfADj58PFxDEF4B6iETw/tM3:ZdvgN8yaDqPFxDb0TD3

Score

10^/10

raccoon 1adeb438cd8ab2abb4349e0ca6853b53 stealer

Malware Config

Extracted

Family

raccoon

Botnet

1adeb438cd8ab2abb4349e0ca6853b53

C2

http://45.67.35.164

http://185.242.86.142

http://5.182.36.75

http://185.242.86.143

Attributes

user_agent
23591

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral1/memory/2288-4-0x0000000000400000-0x000000000041E000-memory.dmp	family_raccoon_v2
behavioral1/memory/2288-5-0x0000000000400000-0x000000000041E000-memory.dmp	family_raccoon_v2
behavioral1/memory/2288-10-0x0000000000400000-0x000000000041E000-memory.dmp	family_raccoon_v2

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85
PID 3044 wrote to memory of 2288	3044	493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe	85

C:\Users\Admin\AppData\Local\Temp\493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe
"C:\Users\Admin\AppData\Local\Temp\493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  "C:\Users\Admin\AppData\Local\Temp\493720da6f498098a54ae36cc97c04ec96880444030324bd043b66233899b8fe.exe"
  2⤵
  PID:2288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2288-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2288-7-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2288-6-0x0000000076FF2000-0x0000000076FF3000-memory.dmp

Filesize
4KB

Download
memory/2288-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2288-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3044-0-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000002A00000-0x0000000002A7B000-memory.dmp

Filesize
492KB

Download
memory/3044-2-0x0000000076FF2000-0x0000000076FF3000-memory.dmp

Filesize
4KB

Download
memory/3044-3-0x0000000002AE0000-0x0000000002C83000-memory.dmp

Filesize
1.6MB

Download
memory/3044-8-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/3044-9-0x0000000002A00000-0x0000000002A7B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing