raccoon | de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3

Resubmissions

29-04-2024 19:30

240429-x7vc2sah46 10

29-04-2024 19:28

240429-x65gmaah25 1

29-04-2024 19:25

240429-x49zbsag74 10

29-04-2024 04:45

240429-fdebasaf52 10

Analysis

max time kernel
195s
max time network
254s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-04-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe
Size

718KB
MD5

1bf24ce8b5e34930932432d626fac06d
SHA1

32276318f55c1118980f98377968de0f78c9227e
SHA256

de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
SHA512

d3885e43fe5189eb37cdf4518f05c9096685974db4eefd96260e2db8b17cda13b67861cef2247aeb12baed7ca59c892c82f855c5179e54213f861d2c352ce4fa
SSDEEP

12288:tfLmWONlyXjI/kkJzHSomfaeITAl5aqzTuCTTcARinC/4Tf0Yk4FfRUEy2Hzo5:tfLmNlz/XUyZTAl8jOiiifDzo5

Score

10^/10

raccoon fda6c8debb0b6b5a1d9698b54b255a7d discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

fda6c8debb0b6b5a1d9698b54b255a7d

http://91.92.255.182:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

resource	yara_rule
behavioral2/memory/1768-31-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/1768-33-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2352 created 3160	2352	Mentor.pif	55

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2352	Mentor.pif
1768	Mentor.pif

Loads dropped DLL 3 IoCs

pid	Process
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 1768	2352	Mentor.pif	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2804	tasklist.exe
3372	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3804	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif
1768	Mentor.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeDebugPrivilege	3372	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2352	Mentor.pif
2352	Mentor.pif
2352	Mentor.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3244	4104	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	73
PID 4104 wrote to memory of 3244	4104	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	73
PID 4104 wrote to memory of 3244	4104	de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe	73
PID 3244 wrote to memory of 2804	3244	cmd.exe	75
PID 3244 wrote to memory of 2804	3244	cmd.exe	75
PID 3244 wrote to memory of 2804	3244	cmd.exe	75
PID 3244 wrote to memory of 5016	3244	cmd.exe	76
PID 3244 wrote to memory of 5016	3244	cmd.exe	76
PID 3244 wrote to memory of 5016	3244	cmd.exe	76
PID 3244 wrote to memory of 3372	3244	cmd.exe	78
PID 3244 wrote to memory of 3372	3244	cmd.exe	78
PID 3244 wrote to memory of 3372	3244	cmd.exe	78
PID 3244 wrote to memory of 4664	3244	cmd.exe	79
PID 3244 wrote to memory of 4664	3244	cmd.exe	79
PID 3244 wrote to memory of 4664	3244	cmd.exe	79
PID 3244 wrote to memory of 5056	3244	cmd.exe	80
PID 3244 wrote to memory of 5056	3244	cmd.exe	80
PID 3244 wrote to memory of 5056	3244	cmd.exe	80
PID 3244 wrote to memory of 4208	3244	cmd.exe	81
PID 3244 wrote to memory of 4208	3244	cmd.exe	81
PID 3244 wrote to memory of 4208	3244	cmd.exe	81
PID 3244 wrote to memory of 4800	3244	cmd.exe	82
PID 3244 wrote to memory of 4800	3244	cmd.exe	82
PID 3244 wrote to memory of 4800	3244	cmd.exe	82
PID 3244 wrote to memory of 3032	3244	cmd.exe	83
PID 3244 wrote to memory of 3032	3244	cmd.exe	83
PID 3244 wrote to memory of 3032	3244	cmd.exe	83
PID 3244 wrote to memory of 2352	3244	cmd.exe	84
PID 3244 wrote to memory of 2352	3244	cmd.exe	84
PID 3244 wrote to memory of 2352	3244	cmd.exe	84
PID 3244 wrote to memory of 3804	3244	cmd.exe	85
PID 3244 wrote to memory of 3804	3244	cmd.exe	85
PID 3244 wrote to memory of 3804	3244	cmd.exe	85
PID 2352 wrote to memory of 1768	2352	Mentor.pif	86
PID 2352 wrote to memory of 1768	2352	Mentor.pif	86
PID 2352 wrote to memory of 1768	2352	Mentor.pif	86
PID 2352 wrote to memory of 1768	2352	Mentor.pif	86
PID 2352 wrote to memory of 1768	2352	Mentor.pif	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3160
- C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe
  "C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c move Evaluation Evaluation.bat && Evaluation.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3372
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 36973
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "BabesSalvationCarriesBabes" Drawings
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 36973\Mentor.pif + Adjacent + Captured + Sacred + Vagina + Lafayette + Surveys 36973\Mentor.pif
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Counting + Francisco + Honda 36973\o
      4⤵
      PID:3032
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\36973\Mentor.pif
      36973\Mentor.pif 36973\o
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2352
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3804
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\36973\Mentor.pif
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\36973\Mentor.pif
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\abI0N4aeKMp7

Filesize
92KB

MD5
f1f1e52e12157f58250690a14935123a

SHA1
025aa05e57a95271b542e7f968750fe0b7152775

SHA256
158a58c6f84871d2d0ad01de5e4b54f308bea3669a5e8e5bb4ad5b0824a9f72e

SHA512
8f3b4841ce6aea0d3a0e93b420b5985be47c609f4e477e432c626b2146c8b97854ed115b3c4fa2495033a103cb51f0d9cce85b14acb0a1de2227bbbb2305fab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\36973\Mentor.pif

Filesize
64KB

MD5
08dc66672690cba948c844cd27257a5c

SHA1
0495a4555ee60c87f806eed176c8e01bceb08de2

SHA256
15793db09353012de2cbeda0b7867ca687913840880a5668e1fe1b91edfd85ab

SHA512
22f17499baf96b5025d21cf493096f3a771894f4f7e6dc69e0c3d78f40edd96cec61e06fd1e516767b78970bcc0010aa23b1031771b6520eb7dd4782feca2412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\36973\Mentor.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\36973\o

Filesize
526KB

MD5
dd2acdef84b287794876c92c2a735aec

SHA1
1ff96f7a71f808ddaa2fc197b6299532a8fcd0fb

SHA256
3a149e1f3ec43f37fb419affaf175870725b78b8fd5e42019fe6a988823d7282

SHA512
664ad38efc6be0fe5a16d3670c564064d19fc27bc56397da8f798f7bb9bfcccb92e6f4b05d2f399a838dce1bff860b4e678f112b6eb90db9d3e97996f01e1524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Adjacent

Filesize
64KB

MD5
7474db7b5f39b27e7fbce6e370b4bf66

SHA1
d4d7c4d41bded1c9d8959017cfa7846e435d93bd

SHA256
0efd0625b7921c18935c66adb4b3a653a913ecd90ab3b8b1983ff4101479605f

SHA512
3247a749ddde2e80cc2d1b5f9c47d5ce4af2389da59de3360d8cbc60445bd593c5fc3270fb1eb156a344d69cc00b88e02feb6600998f4e7323f4ae3219aa273a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Captured

Filesize
131KB

MD5
88edf7bb55387e597f59684273f66bb3

SHA1
99786b34a5db73c85a43cd4c18a8c085fed5ab89

SHA256
f61189f0f701466dcc3e2f6a8e411e7878cbf9ba6bba49917d612c19b1cc6a23

SHA512
84689a3c6d933710dffc4d80c0b41820a8e5a6309ba6979d07e22a638aa4db143f00ad80388871e444c3edf5332f471ec0db227ea97a3f0df2c9e2cdc5f3dd42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Counting

Filesize
281KB

MD5
a262219e61af791c944a87d07bac0075

SHA1
d74aeaa010271d13e1edc54bc73601e57f020c49

SHA256
0177bcf1e6862c139fae08a9c6027f68989b4f68a239b64fab7449d1c421ddc0

SHA512
116ce3a1349a17f8b14a5c2a35af9008d8ffbdeae5e3b2a22f9cedbb18f2af564cc8b7762b30c643265eb16907df02a5c75fb3d141db0646f46bf777b855febb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Drawings

Filesize
42B

MD5
477a08320d6c6e2f4512d40eb08713b1

SHA1
7be0348f77ae584c1ef6b8de1321473da3f9aa3c

SHA256
027643fd5055f08abd161719191a2ac764cdf555d452da6cb84ecfd557144529

SHA512
1bebae844d70507826ca40d135d12172aba7c23c5ed6cd7f2a3d229dc8e137e641a527b63e1474a4f0e4849568aa6ce6fd3d1276772d75b7f597d6b0a51d01c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Evaluation

Filesize
21KB

MD5
b647cde3038a87c2498edec310305673

SHA1
6fcc09d2c62d284b66926d3605aff5510e7e9453

SHA256
5c67bac057822f53f941200e27d24c5277ac742b78b3c3f5958a74a33c49b38d

SHA512
db701f47fee7344c4331664ce7a0187e6b9e9d47bab386665d64a61ca3a21de24af193dd1b485fdea8a003e4cb859bee73b2ddb7e3304719df1ab3446a367482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Francisco

Filesize
210KB

MD5
1bd18404bd951a8deb7845f75a6399f9

SHA1
748f9977c0e7d628bad8d3d8e827100b6590cb4d

SHA256
16f684e24d64d7102f8ca4feddbbc6764fc405cc3688353baa3c086f98fda1cb

SHA512
b00b38068cbc363e7fd5ff4038610f56828ffe13fb7ab78b6103baf6efeb05d4e9024e7383b8b6c73a010bce87f978e163685df6f3801aaa34f5da940aac6bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Honda

Filesize
35KB

MD5
59c2b53fe828fde64bd2a39a5de07ee9

SHA1
2ed2c83a393b5e30131acaf57893dd46c1084b52

SHA256
6a258a819e64d26e05f34edadd0ef7e11f58cf4d68f60aba82a71f5236e9f9eb

SHA512
28f667142fb539194d66503ecbfe9ee8fdb35dbd9324b4fb27ee0b6d2b76150f0a2751d825cc11314ae42f4d30b8e2c6a941c72a3cf72126391c48a4e3437998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lafayette

Filesize
200KB

MD5
4db90c416a38e4572abf3261e5dacf6a

SHA1
3d721f9c266090469bc46f9f3616d47611492038

SHA256
3ed0263be62819660e0fd37e95ab71b30ab8409348ac4f7ed11bcba0235d570d

SHA512
bd97959b027988a888010553e7fa424a8c38a7cccfd951e1b9222e5e16ce745e2a657b4dbc9238e5e8c84f66f1c238e999eba45e639f00cc928d2e5e5d66c25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sacred

Filesize
125KB

MD5
c68b90b18096cedb29d5dd73790b6b05

SHA1
00f7a79c3bb847352a8b9ef73a24bcb039890e07

SHA256
f68e29a0f0c076fb5a3539f51168a73692c118cb861f3b814339a1eac86ce923

SHA512
d4df00de092bebe44e13b06587052465b73e67abd5502cac1e50019d7f008e57b74352b0263d986aa95fd7a1d57bb19778661feae5305544e6a33605dd764415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Surveys

Filesize
131KB

MD5
5bf3a39ef1e55247138748c2975a6873

SHA1
60d6c0a87fad62c31824f31c6def118541749698

SHA256
10609820e62098fd90b9344a9ece578451f913433fc8b53dbab9007db210fdb7

SHA512
2d9740527edfb51702f8b7c6c4123f530f559dada973455533f493dee2c5ebdcd1de47d9d47e4b35a2bf850d5c244c9fe59a497ad27f24648a848ca52221129b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vagina

Filesize
270KB

MD5
75e4a838cff0be8ef793640d1011129c

SHA1
9788327d28e5c5fb43d03856f395a863f7ecf9a0

SHA256
3bbf6b504ffec824edc168cb1a11121a5b360361ee192f5923aa11e9afe985e0

SHA512
19f1a02ded1f1b79823eb6c6a5e4790412dab2a5395ac83e6ec6e5639fce642f45bb7403b995152dee31c2454063ac7da389676b3605fb57d2950440f7bb4a2e

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/1768-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1768-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1768-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1768-69-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download