raccoon | c98d20df81567c0b314ba81bb8deb937eb385eccc352fa61258c58800d53a3d6

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.6MB
MD5

a11d579c5bd5589c82fcf263519b038a
SHA1

8b728cd41c9e43122228ee58f890ecad1db20b82
SHA256

c98d20df81567c0b314ba81bb8deb937eb385eccc352fa61258c58800d53a3d6
SHA512

36bb6b900a43df3f4b003fa50e7d1e228eb3e9e4fdfdfb11dc6710cc618b8999a4703e9cf702ee4acdc67ea93aa1e5654d9a3eb2923514ac92c928e3829798ee
SSDEEP

24576:XBS5YMxUU0jQApp/rGCOVCFZ/Jb4m8W2uX75U/yj0yfFLXh1mnOWqZ:XBS5YMxwL/pUa5/n2urK/YV9R1iOW

Score

10^/10

raccoon 4e847b07368a85ebd0a57e614b4bffb9 discovery stealer

Malware Config

Extracted

Family

raccoon

Botnet

4e847b07368a85ebd0a57e614b4bffb9

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2408-11-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/2408-9-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/2408-7-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral1/memory/2408-12-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2408	3040	file.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30
PID 3040 wrote to memory of 2408	3040	file.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2408-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2408-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2408-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2408-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2408-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2408-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2408-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-0-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x0000000000D70000-0x0000000000F12000-memory.dmp

Filesize
1.6MB

Download
memory/3040-2-0x0000000002430000-0x0000000002514000-memory.dmp

Filesize
912KB

Download
memory/3040-3-0x0000000000460000-0x0000000000482000-memory.dmp

Filesize
136KB

Download