raccoon | e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe
Size

3.6MB
MD5

c9c5e96b74ae38dff42a998e5ac7cc8e
SHA1

fb3d9bc8d612325adea6d95e61748dfe149a4e0c
SHA256

e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7
SHA512

829cdae8c5223b615b48a1b23153c767d6130042cd898edb32b2f9a28f241270a32f3e04a5858f50e8233222e7d0e1fe515694ca1ad7ae72925a7fcc0c99d5d0
SSDEEP

98304:I34AQwo/KgFP195Ok9P+VSeC47gpuxbswnBx0OE9:IIBF13xP+1C47gMgwnBNE9

Score

10^/10

raccoon 21afed884343422099404c3331adc81c stealer

Malware Config

Extracted

Family

raccoon

Botnet

21afed884343422099404c3331adc81c

http://89.238.170.230:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

resource	yara_rule
behavioral2/memory/4540-4-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/5068-6-0x0000000002A10000-0x0000000004A10000-memory.dmp	family_raccoon_v2
behavioral2/memory/4540-9-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4540-12-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 3 IoCs

resource	yara_rule
behavioral2/memory/4540-4-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4540-9-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4540-12-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3904	4540	WerFault.exe	89

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2520	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	88
PID 5068 wrote to memory of 2520	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	88
PID 5068 wrote to memory of 2520	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	88
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89
PID 5068 wrote to memory of 4540	5068	e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe	89

C:\Users\Admin\AppData\Local\Temp\e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe
"C:\Users\Admin\AppData\Local\Temp\e4deb9b39299696eacccddadf26db3fa070601a6293b6f09be95ca32c91188f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 576
    3⤵
    - Program crash
    PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
1⤵
PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4540-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4540-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4540-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5068-0-0x00000000004A0000-0x00000000004C2000-memory.dmp

Filesize
136KB

Download
memory/5068-1-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/5068-6-0x0000000002A10000-0x0000000004A10000-memory.dmp

Filesize
32.0MB

Download
memory/5068-11-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download