raccoon | df4be4cd1353fcc4da27d21950f9080647884f8985cac8a5c54cc8f5fd2a843c

Analysis

max time kernel
92s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18b80be4ccf569476db98955ad019621.exe
Size

1.0MB
MD5

18b80be4ccf569476db98955ad019621
SHA1

2c160dc5cd238d9d7f0ca4b4a6419eacb4d6a76b
SHA256

df4be4cd1353fcc4da27d21950f9080647884f8985cac8a5c54cc8f5fd2a843c
SHA512

59565a2a19b8530dd15ac855d361ff7da9e534511787ee296f2e33aad87ebd3141b6e3e0bdd10a34482c0f60bfd644dc5ac11913650998ad6ab84c8f5b2a179f
SSDEEP

24576:ylijFje/d/FERYDhCbMIN5gCwRBXZSFm5qvlxoCCvcAk02D8GHz:hBje/d/FEONirgCmXZ6mQdHCvcLL8Oz

Score

10^/10

raccoon 1a5d06870a6b84740b2c11dce573e9a0 stealer upx

Malware Config

Extracted

Family

raccoon

Botnet

1a5d06870a6b84740b2c11dce573e9a0

http://95.169.205.186:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral2/memory/952-1-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/952-7-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/952-5-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2624-0-0x00007FF7687E0000-0x00007FF768AB0000-memory.dmp	upx
behavioral2/memory/2624-3-0x00007FF7687E0000-0x00007FF768AB0000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 952	2624	18b80be4ccf569476db98955ad019621.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4020	952	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	18b80be4ccf569476db98955ad019621.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86
PID 2624 wrote to memory of 952	2624	18b80be4ccf569476db98955ad019621.exe	86

C:\Users\Admin\AppData\Local\Temp\18b80be4ccf569476db98955ad019621.exe
"C:\Users\Admin\AppData\Local\Temp\18b80be4ccf569476db98955ad019621.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 580
    3⤵
    - Program crash
    PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952
1⤵
PID:940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/952-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/952-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2624-0-0x00007FF7687E0000-0x00007FF768AB0000-memory.dmp

Filesize
2.8MB

Download
memory/2624-3-0x00007FF7687E0000-0x00007FF768AB0000-memory.dmp

Filesize
2.8MB

Download