raccoon | 17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe
Size

963KB
MD5

cefc3739d099bae51eb2a9d3887ac12c
SHA1

fba9f10f553d73382f73247c5c136e8338f1ebe5
SHA256

17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7
SHA512

57b0428d8771b3945e432f6f6e9e105038f5a6d9b8ea1a3b0971c97d42eef4cef74f37446887094aba33fa7878eb9de2ba7bb919cf5838fdc65ca5362720b71c
SSDEEP

24576:juDXTIGaPhEYzUzA0aTuDXTIGaPhEYzUzA0bPrs:KDjlabwz9RDjlabwz9c

Score

10^/10

raccoon stealer

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016ce8-26.dat	family_raccoon_v2

Executes dropped EXE 2 IoCs

pid	Process
2740	clamer.exe
2888	voptda.exe

Loads dropped DLL 1 IoCs

pid	Process
2800	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2800	3028	17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe	30
PID 3028 wrote to memory of 2800	3028	17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe	30
PID 3028 wrote to memory of 2800	3028	17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe	30
PID 2800 wrote to memory of 2740	2800	cmd.exe	32
PID 2800 wrote to memory of 2740	2800	cmd.exe	32
PID 2800 wrote to memory of 2740	2800	cmd.exe	32
PID 2740 wrote to memory of 2888	2740	clamer.exe	33
PID 2740 wrote to memory of 2888	2740	clamer.exe	33
PID 2740 wrote to memory of 2888	2740	clamer.exe	33
PID 2740 wrote to memory of 2888	2740	clamer.exe	33

C:\Users\Admin\AppData\Local\Temp\17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe
"C:\Users\Admin\AppData\Local\Temp\17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    clamer.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\voptda.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\voptda.exe"
      4⤵
      Executes dropped EXE
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\voptda.exe

Filesize
80KB

MD5
e43ef6cf5352762aef8aab85d26b08ec

SHA1
3d5d12f98e659476f7a668b92d81a7071cce0159

SHA256
dd055c4cc0312422c64b522ff1d20410e618abf64ebd8ab367e0fa593c81f715

SHA512
8becf6a29dd4f710694e4c41e9c0cccffe49e0ad7881cb631ff5ca61464f5a8c73d3ee55a3343d3ee659c7461f17205b963312e215f32ed5d09a915413d27131

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
518KB

MD5
257496c44c4c464162950d5bbda59bab

SHA1
a07337e13ce994f6bddadc23db96baf3121dd480

SHA256
eb31a7115657b5ab1feafd0a4f718eee57b766dbb048f512255fa339a12c5010

SHA512
6b2e0ac59ff90708f6ea451822af5427baed75252254b1ab8673e07d117c62142ec297fd445e2193390d0dbe6d8e5d6dc97128ade2e812e6291abddc2ec50901

Download Submit