raccoon | 0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87

General

Target

010D3ED12031239D3F314F66BB28D58D.exe
Size

2.3MB
MD5

010d3ed12031239d3f314f66bb28d58d
SHA1

9daa168735a3f72e715f87d952a18f6c8f00238c
SHA256

0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87
SHA512

07234248dcb4d331e15bc102d83442723e5c887ded4cb8b9a66a288ea72560b7b85c169e08d192a035ff757dc8b0efdb555af97e7171bb378d17cd1c35a4e863
SSDEEP

49152:MJ8U/HLU3Yp7dPM8V/HLU3Yp7CgUxK3h7/SEyIas8JWsa6HdLm:MJ8U/HQ3r8V/HQ3BbxKxD9jXsj9Lm

Score

10^/10

raccoon dd188c0be5001b2c8fb76d74174694cd stealer

Malware Config

Extracted

Family

raccoon

Botnet

dd188c0be5001b2c8fb76d74174694cd

C2

http://147.45.44.25:80/

http://85.28.47.116:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2212-0-0x0000000000400000-0x00000000004D0000-memory.dmp	family_raccoon_v2
behavioral2/memory/2212-2-0x0000000000400000-0x00000000004D0000-memory.dmp	family_raccoon_v2
behavioral2/memory/2212-3-0x0000000000400000-0x00000000004D0000-memory.dmp	family_raccoon_v2
behavioral2/memory/3688-7-0x0000000000400000-0x00000000004D0000-memory.dmp	family_raccoon_v2
behavioral2/memory/2212-8-0x0000000000400000-0x00000000004D0000-memory.dmp	family_raccoon_v2
behavioral2/memory/740-15-0x0000000000400000-0x00000000004D0000-memory.dmp	family_raccoon_v2
behavioral2/memory/4804-16-0x0000000000400000-0x00000000004D0000-memory.dmp	family_raccoon_v2

Suspicious use of SetThreadContext 13 IoCs

Processes:

010D3ED12031239D3F314F66BB28D58D.exe010D3ED12031239D3F314F66BB28D58D.exe010D3ED12031239D3F314F66BB28D58D.exe010D3ED12031239D3F314F66BB28D58D.exe010D3ED12031239D3F314F66BB28D58D.exe

description	pid	process	target process
PID 1172 set thread context of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 set thread context of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 set thread context of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 set thread context of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 set thread context of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 set thread context of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 set thread context of 952	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 2904 set thread context of 2688	2904	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 2904 set thread context of 1844	2904	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 2904 set thread context of 2628	2904	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 2904 set thread context of 3424	2904	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 3296 set thread context of 1508	3296	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 3296 set thread context of 1948	3296	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

010D3ED12031239D3F314F66BB28D58D.exe010D3ED12031239D3F314F66BB28D58D.exe010D3ED12031239D3F314F66BB28D58D.exe

C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
"C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
  "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
  2⤵
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
  "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
    "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
    3⤵
    PID:3688
- - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
    "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
    3⤵
    PID:4804
- - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
    "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
    3⤵
    PID:740
- - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
    "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
      "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
      4⤵
      PID:940
  - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
      "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
      4⤵
      PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
      "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
      4⤵
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
      "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
        5⤵
        
        PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
        5⤵
        
        PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
        5⤵
        
        PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
        5⤵
        
        PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
        6⤵
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\010D3ED12031239D3F314F66BB28D58D.exe"
        6⤵
        
        PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2212-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2212-2-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2212-3-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2212-8-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3688-7-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4804-16-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download

description	pid	process	target process
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 2212	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 5044	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 5044	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1172 wrote to memory of 5044	1172	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 3688	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 4804	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 740	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 1948	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 1948	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 5044 wrote to memory of 1948	5044	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 940	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 4428	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 952	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 952	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 952	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe
PID 1948 wrote to memory of 952	1948	010D3ED12031239D3F314F66BB28D58D.exe	010D3ED12031239D3F314F66BB28D58D.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads