raccoon | be7a5042cddfdba24c19f953bb1d93086087674cbb12745add35b2e51a4302db

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe
Size

963KB
MD5

cefc3739d099bae51eb2a9d3887ac12c
SHA1

fba9f10f553d73382f73247c5c136e8338f1ebe5
SHA256

17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7
SHA512

57b0428d8771b3945e432f6f6e9e105038f5a6d9b8ea1a3b0971c97d42eef4cef74f37446887094aba33fa7878eb9de2ba7bb919cf5838fdc65ca5362720b71c
SSDEEP

24576:juDXTIGaPhEYzUzA0aTuDXTIGaPhEYzUzA0bPrs:KDjlabwz9RDjlabwz9c

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002350b-14.dat	family_raccoon_v2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	clamer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe

Executes dropped EXE 2 IoCs

pid	Process
3580	clamer.exe
2200	voptda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 5032	3908	17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe	82
PID 3908 wrote to memory of 5032	3908	17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe	82
PID 5032 wrote to memory of 3580	5032	cmd.exe	86
PID 5032 wrote to memory of 3580	5032	cmd.exe	86
PID 3580 wrote to memory of 2200	3580	clamer.exe	89
PID 3580 wrote to memory of 2200	3580	clamer.exe	89
PID 3580 wrote to memory of 2200	3580	clamer.exe	89

C:\Users\Admin\AppData\Local\Temp\17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe
"C:\Users\Admin\AppData\Local\Temp\17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    clamer.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\voptda.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\voptda.exe"
      4⤵
      Executes dropped EXE
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
518KB

MD5
257496c44c4c464162950d5bbda59bab

SHA1
a07337e13ce994f6bddadc23db96baf3121dd480

SHA256
eb31a7115657b5ab1feafd0a4f718eee57b766dbb048f512255fa339a12c5010

SHA512
6b2e0ac59ff90708f6ea451822af5427baed75252254b1ab8673e07d117c62142ec297fd445e2193390d0dbe6d8e5d6dc97128ade2e812e6291abddc2ec50901

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\voptda.exe

Filesize
80KB

MD5
e43ef6cf5352762aef8aab85d26b08ec

SHA1
3d5d12f98e659476f7a668b92d81a7071cce0159

SHA256
dd055c4cc0312422c64b522ff1d20410e618abf64ebd8ab367e0fa593c81f715

SHA512
8becf6a29dd4f710694e4c41e9c0cccffe49e0ad7881cb631ff5ca61464f5a8c73d3ee55a3343d3ee659c7461f17205b963312e215f32ed5d09a915413d27131

Download Submit