raccoon | c98d20df81567c0b314ba81bb8deb937eb385eccc352fa61258c58800d53a3d6

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.6MB
MD5

a11d579c5bd5589c82fcf263519b038a
SHA1

8b728cd41c9e43122228ee58f890ecad1db20b82
SHA256

c98d20df81567c0b314ba81bb8deb937eb385eccc352fa61258c58800d53a3d6
SHA512

36bb6b900a43df3f4b003fa50e7d1e228eb3e9e4fdfdfb11dc6710cc618b8999a4703e9cf702ee4acdc67ea93aa1e5654d9a3eb2923514ac92c928e3829798ee
SSDEEP

24576:XBS5YMxUU0jQApp/rGCOVCFZ/Jb4m8W2uX75U/yj0yfFLXh1mnOWqZ:XBS5YMxwL/pUa5/n2urK/YV9R1iOW

Score

10^/10

raccoon 4e847b07368a85ebd0a57e614b4bffb9 discovery stealer

Malware Config

Extracted

Family

raccoon

Botnet

4e847b07368a85ebd0a57e614b4bffb9

https://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4976-5-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4976-7-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4976-9-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description	pid	Process	procid_target
PID 3464 set thread context of 4976	3464	file.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

file.exeMSBuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

file.exe

pid	Process
3464	file.exe
3464	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description	pid	Process
Token: SeDebugPrivilege	3464	file.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

file.exe

description	pid	Process	procid_target
PID 3464 wrote to memory of 3048	3464	file.exe	86
PID 3464 wrote to memory of 3048	3464	file.exe	86
PID 3464 wrote to memory of 3048	3464	file.exe	86
PID 3464 wrote to memory of 4976	3464	file.exe	87
PID 3464 wrote to memory of 4976	3464	file.exe	87
PID 3464 wrote to memory of 4976	3464	file.exe	87
PID 3464 wrote to memory of 4976	3464	file.exe	87
PID 3464 wrote to memory of 4976	3464	file.exe	87
PID 3464 wrote to memory of 4976	3464	file.exe	87
PID 3464 wrote to memory of 4976	3464	file.exe	87
PID 3464 wrote to memory of 4976	3464	file.exe	87

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3464-0-0x000000007511E000-0x000000007511F000-memory.dmp

Filesize
4KB

Download
memory/3464-1-0x0000000000B00000-0x0000000000CA2000-memory.dmp

Filesize
1.6MB

Download
memory/3464-2-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download
memory/3464-3-0x0000000005770000-0x0000000005854000-memory.dmp

Filesize
912KB

Download
memory/3464-4-0x0000000005620000-0x0000000005642000-memory.dmp

Filesize
136KB

Download
memory/4976-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4976-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4976-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download