raccoon | 1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
Size

1.1MB
MD5

8569ef968c0c4045782e1ef4ecc96fec
SHA1

6f59472c780116468aa2953f8286c89c3188457e
SHA256

1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334
SHA512

4c9be25acce42fd404ad213cacc823d927e7c3249613771c1644a9054ff49e3edc0f4695240d067af49baf049546a2014fbe7966a37950c6d68d9f5c740e8af9
SSDEEP

24576:pOlBrvlF3FneFqBtzaYP5M338gN2/viKO0jytcWRczjVTe+fUpy:pKnBtz7P5M8gcK10jyt9RoJFUpy

Score

10^/10

raccoon 1a5d06870a6b84740b2c11dce573e9a0 discovery persistence spyware stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

1a5d06870a6b84740b2c11dce573e9a0

http://95.169.205.186:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral2/memory/3620-27-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/3620-30-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/3620-32-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe

Executes dropped EXE 6 IoCs

pid	Process
2496	plunge.exe
1516	FRaqbC8wSA1XvpFVjCRGryWt.exe
1416	IIZS2TRqf69aZbLAX3cf3edn.exe
2196	plunge.exe
3980	91ewsf817t.exe
1832	plunge.exe

Loads dropped DLL 3 IoCs

pid	Process
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234e2-20.dat	upx
behavioral2/memory/1516-21-0x00007FF636970000-0x00007FF636C40000-memory.dmp	upx
behavioral2/memory/1516-29-0x00007FF636970000-0x00007FF636C40000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91ewsf817t = "C:\\ProgramData\\91ewsf817t.exe"	91ewsf817t.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3108	schtasks.exe
3900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
2496	plunge.exe
2496	plunge.exe
2496	plunge.exe
2496	plunge.exe
2496	plunge.exe
2496	plunge.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
3620	RegAsm.exe
1416	IIZS2TRqf69aZbLAX3cf3edn.exe
1416	IIZS2TRqf69aZbLAX3cf3edn.exe
1416	IIZS2TRqf69aZbLAX3cf3edn.exe
1416	IIZS2TRqf69aZbLAX3cf3edn.exe
1416	IIZS2TRqf69aZbLAX3cf3edn.exe
1416	IIZS2TRqf69aZbLAX3cf3edn.exe
2196	plunge.exe
2196	plunge.exe
2196	plunge.exe
2196	plunge.exe
2196	plunge.exe
2196	plunge.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe
3980	91ewsf817t.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe
Token: SeDebugPrivilege	3980	91ewsf817t.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3108	4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe	83
PID 4896 wrote to memory of 3108	4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe	83
PID 4896 wrote to memory of 3108	4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe	83
PID 4896 wrote to memory of 2496	4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe	85
PID 4896 wrote to memory of 2496	4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe	85
PID 4896 wrote to memory of 2496	4896	1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe	85
PID 2496 wrote to memory of 3900	2496	plunge.exe	87
PID 2496 wrote to memory of 3900	2496	plunge.exe	87
PID 2496 wrote to memory of 3900	2496	plunge.exe	87
PID 2496 wrote to memory of 1516	2496	plunge.exe	90
PID 2496 wrote to memory of 1516	2496	plunge.exe	90
PID 2496 wrote to memory of 1416	2496	plunge.exe	92
PID 2496 wrote to memory of 1416	2496	plunge.exe	92
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1516 wrote to memory of 3620	1516	FRaqbC8wSA1XvpFVjCRGryWt.exe	93
PID 1416 wrote to memory of 3980	1416	IIZS2TRqf69aZbLAX3cf3edn.exe	95
PID 1416 wrote to memory of 3980	1416	IIZS2TRqf69aZbLAX3cf3edn.exe	95

C:\Users\Admin\AppData\Local\Temp\1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe
"C:\Users\Admin\AppData\Local\Temp\1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN plunge.exe /TR "C:\ProgramData\F01FF211\plunge.exe" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3108
- C:\ProgramData\F01FF211\plunge.exe
  "C:\ProgramData\F01FF211\plunge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN plunge.exe /TR "C:\ProgramData\F01FF211\plunge.exe" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3900
- - C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
    "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3620
- - C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
    "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\ProgramData\91ewsf817t.exe
      "C:\ProgramData\91ewsf817t.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3980

C:\ProgramData\F01FF211\plunge.exe
C:\ProgramData\F01FF211\plunge.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\ProgramData\F01FF211\plunge.exe
C:\ProgramData\F01FF211\plunge.exe
1⤵
- Executes dropped EXE
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\F01FF211\plunge.exe

Filesize
1.1MB

MD5
8569ef968c0c4045782e1ef4ecc96fec

SHA1
6f59472c780116468aa2953f8286c89c3188457e

SHA256
1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334

SHA512
4c9be25acce42fd404ad213cacc823d927e7c3249613771c1644a9054ff49e3edc0f4695240d067af49baf049546a2014fbe7966a37950c6d68d9f5c740e8af9

Download Submit
C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe

Filesize
1.0MB

MD5
18b80be4ccf569476db98955ad019621

SHA1
2c160dc5cd238d9d7f0ca4b4a6419eacb4d6a76b

SHA256
df4be4cd1353fcc4da27d21950f9080647884f8985cac8a5c54cc8f5fd2a843c

SHA512
59565a2a19b8530dd15ac855d361ff7da9e534511787ee296f2e33aad87ebd3141b6e3e0bdd10a34482c0f60bfd644dc5ac11913650998ad6ab84c8f5b2a179f

Download Submit
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

Filesize
1.1MB

MD5
2053217d23f13b47a2801d33e767b72f

SHA1
cb40b186c36a272ab43d57e8c65b1aefc8d5d439

SHA256
dbaa899681f00b7d5852a0273afedc5e8fc6a81296a82d12c2fd8c6893461c85

SHA512
98327755c07d5a0fbff900e0d51c1602a88ee0b8cb4163fe40a793a4833c2df8ecade1583045585ea9ee4a17a870e354dd91038fb0d16f7c2cf64ef23c036b4f

Download Submit
C:\Users\Admin\AppData\LocalLow\6YQAS9HY5Y08

Filesize
100KB

MD5
669d125d56ef26aa0de5471543fbef2c

SHA1
82f3ec2071fae151886a4d3757bc3ffeba521db2

SHA256
e3d291fed46790b3827cfc8ff9f49f3e2d95661e8fd4cb2687cabd740bed35c1

SHA512
ad9e5b9b564f5da8b09f69696a115e22c74b7da925b4684cf9adb936c8c6b65293434d09184aaaaad40e8a257abd621883488a395aae5fd4f20ad7b063514386

Download Submit
C:\Users\Admin\AppData\LocalLow\Br076xk3JJV4

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/1516-29-0x00007FF636970000-0x00007FF636C40000-memory.dmp

Filesize
2.8MB

Download
memory/1516-21-0x00007FF636970000-0x00007FF636C40000-memory.dmp

Filesize
2.8MB

Download
memory/2496-38-0x0000000004180000-0x000000000425C000-memory.dmp

Filesize
880KB

Download
memory/2496-11-0x0000000004180000-0x000000000425C000-memory.dmp

Filesize
880KB

Download
memory/2496-10-0x0000000004180000-0x000000000425C000-memory.dmp

Filesize
880KB

Download
memory/3620-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3620-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3620-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3620-92-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/3980-153-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-113-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-98-0x000001A010DA0000-0x000001A010E4A000-memory.dmp

Filesize
680KB

Download
memory/3980-99-0x000001A029800000-0x000001A029908000-memory.dmp

Filesize
1.0MB

Download
memory/3980-121-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-123-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-131-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-143-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-155-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-4097-0x000001A010EF0000-0x000001A010F46000-memory.dmp

Filesize
344KB

Download
memory/3980-151-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-149-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-147-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-145-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-141-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-139-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-137-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-135-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-133-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-129-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-127-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-125-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-119-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-117-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-115-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-4098-0x000001A011080000-0x000001A0110CC000-memory.dmp

Filesize
304KB

Download
memory/3980-111-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-109-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-107-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-105-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-103-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-101-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/3980-100-0x000001A029800000-0x000001A029905000-memory.dmp

Filesize
1.0MB

Download
memory/4896-9-0x0000000003B60000-0x0000000003C3C000-memory.dmp

Filesize
880KB

Download
memory/4896-0-0x0000000003B60000-0x0000000003C3C000-memory.dmp

Filesize
880KB

Download