Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-03-2024 23:50

General

  • Target

    8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe

  • Size

    39.9MB

  • MD5

    fd8058fe93fa938472722334f497e920

  • SHA1

    9d56a463fb795a3e87b6063d554aa5538a9b31c6

  • SHA256

    8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058

  • SHA512

    d6179132f6bec008a8e84422aa5575bfa97f6e5c0dc6ae18508087c68e67de66896cc11659807ef54305fc4cac8c15626eb013ae62795143b044d87b94c8721b

  • SSDEEP

    786432:HpP1TvbDChk+IOyS5Lir9d+woWNo9khkO5yajOAEbPA0GVRbJuah60m1G3Zr0rH:JtrnCFySCd2WhhkO5yuBwY0GVxjh60Cf

Malware Config

Extracted

Family

raccoon

Botnet

d4dfe058bb722373a292317097b425f0

C2

http://37.49.230.152:80

http://37.49.230.219:80

Attributes
  • user_agent

    MrBidenNeverKnow

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Raccoon Stealer V2 payload 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe
    "C:\Users\Admin\AppData\Local\Temp\8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058(1).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\System32\expand.exe
        "C:\Windows\System32\expand.exe" rywbeadtvbwehnp.jpg rywbeadtvbwehnp.exe
        3⤵
        • Drops file in Windows directory
        PID:4552
      • C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe
        "C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:568
      • C:\Windows\System32\expand.exe
        "C:\Windows\System32\expand.exe" SpybotAntiBeacon-4.1-setup.jpg SpybotAntiBeacon-4.1-setup.exe
        3⤵
        • Drops file in Windows directory
        PID:5080
      • C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe
        "C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Users\Admin\AppData\Local\Temp\is-1F739.tmp\SpybotAntiBeacon-4.1-setup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-1F739.tmp\SpybotAntiBeacon-4.1-setup.tmp" /SL5="$130040,19094942,805888,C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4420

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

    Filesize

    64KB

  • C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

    Filesize

    1.1MB

  • C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

    Filesize

    896KB

  • C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

    Filesize

    832KB

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe

    Filesize

    2.7MB

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe

    Filesize

    2.9MB

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe

    Filesize

    15.3MB

  • C:\Users\Admin\AppData\Local\Temp\is-1F739.tmp\SpybotAntiBeacon-4.1-setup.tmp

    Filesize

    192KB

  • C:\Users\Admin\AppData\Local\Temp\is-1F739.tmp\SpybotAntiBeacon-4.1-setup.tmp

    Filesize

    128KB

  • C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

    Filesize

    1.4MB

  • C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

    Filesize

    2.1MB

  • C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

    Filesize

    1.3MB

  • C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

    Filesize

    1.1MB

  • C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.jpg

    Filesize

    2.8MB

  • C:\Users\Admin\AppData\Local\spybotantibeacon-4.1-setup.jpg

    Filesize

    576KB

  • C:\Windows\LOGS\DPX\setupact.log

    Filesize

    169KB

  • memory/568-63-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

  • memory/568-72-0x0000000000400000-0x00000000021D1000-memory.dmp

    Filesize

    29.8MB

  • memory/568-71-0x0000000000400000-0x00000000021D1000-memory.dmp

    Filesize

    29.8MB

  • memory/568-64-0x0000000000400000-0x00000000021D1000-memory.dmp

    Filesize

    29.8MB

  • memory/568-65-0x0000000000400000-0x00000000021D1000-memory.dmp

    Filesize

    29.8MB

  • memory/3472-54-0x00007FFF74AF0000-0x00007FFF755B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3472-12-0x00007FFF74AF0000-0x00007FFF755B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3472-13-0x0000000000960000-0x0000000002FC2000-memory.dmp

    Filesize

    38.4MB

  • memory/3472-14-0x000000001DD00000-0x000000001DD10000-memory.dmp

    Filesize

    64KB

  • memory/4420-62-0x0000000000400000-0x000000000070E000-memory.dmp

    Filesize

    3.1MB

  • memory/4420-60-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

  • memory/4652-61-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

  • memory/4652-53-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB