Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.6MB

  • MD5

    1bff2e1095c5000b950c2f9bcde896e5

  • SHA1

    fc61d68aa844f8a3cf8e879ea0005c009560b306

  • SHA256

    ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05

  • SHA512

    6339f59483fb86b402392171fc11ddaf27d805bec29cb088bb0efed1a1d29f7548a6151398344969486d02ba6e32155c0b58452570f0c031207e4eeabf01db0b

  • SSDEEP

    24576:3CGKLOvnkRd/WMqXqCb4VKMseaIuNCXmcPUHQCSIdf+ZkY0rHOmUK7DVqZ:3IsS/WMqXqWMdad3LhddEaHOfo

Score
10/10
raccoon111a83bc76cd8d221f67303e6ef70a11credential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

111a83bc76cd8d221f67303e6ef70a11

C2

http://192.153.57.177:80

Attributes
  • user_agent

    MrBidenNeverKnow

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V2 payload 5 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\AppData\Roaming\pMaD07a9.exe
        "C:\Users\Admin\AppData\Roaming\pMaD07a9.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2332
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7D7022E8-83E1-4DC5-A202-786B6013C52D} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\250b62992GA2
    Filesize

    92KB

    MD5

    f98745d81e8b84f39630844a63afc1ee

    SHA1

    d7977c2dab5de25630f7d869f9b16a8502cd3bb3

    SHA256

    9c34e13f0d2852fb4a8a53a4727a59d24691a507edb6ff1965024a6147799a83

    SHA512

    e6b1bf12139e627d6aa2b25c9d7e8ebab1e86fc3025655bf88bc735413f55b10490f0237b8d11fd5db0eb6045f6176e93228c70d8e940a62ea4324816c31a3dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7283.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar72A6.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\LocalLow\mozglue.dll
    Filesize

    612KB

    MD5

    f07d9977430e762b563eaadc2b94bbfa

    SHA1

    da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

    SHA256

    4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

    SHA512

    6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

    Download Submit

  • \Users\Admin\AppData\LocalLow\nss3.dll
    Filesize

    1.9MB

    MD5

    f67d08e8c02574cbc2f1122c53bfb976

    SHA1

    6522992957e7e4d074947cad63189f308a80fcf2

    SHA256

    c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

    SHA512

    2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

    Download Submit

  • \Users\Admin\AppData\LocalLow\sqlite3.dll
    Filesize

    1.0MB

    MD5

    dbf4f8dcefb8056dc6bae4b67ff810ce

    SHA1

    bbac1dd8a07c6069415c04b62747d794736d0689

    SHA256

    47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

    SHA512

    b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

    Download Submit

  • \Users\Admin\AppData\Roaming\pMaD07a9.exe
    Filesize

    4.4MB

    MD5

    af6e384dfabdad52d43cf8429ad8779c

    SHA1

    c78e8cd8c74ad9d598f591de5e49f73ce3373791

    SHA256

    f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

    SHA512

    b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

    Download Submit

  • memory/1036-126-0x0000000000400000-0x0000000000BD9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/1036-123-0x0000000000400000-0x0000000000BD9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/1036-121-0x0000000000400000-0x0000000000BD9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2024-111-0x0000000000400000-0x0000000000BD9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2024-112-0x0000000000400000-0x0000000000BD9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2024-117-0x0000000000400000-0x0000000000BD9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2024-113-0x0000000000400000-0x0000000000BD9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2608-9-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2608-5-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2608-7-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2608-101-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2608-100-0x0000000061E00000-0x0000000061EF1000-memory.dmp

    Filesize

    964KB

    Download

  • memory/2608-4-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2608-110-0x0000000004F50000-0x0000000005729000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2608-118-0x0000000004F50000-0x0000000005729000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2608-11-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2608-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2608-6-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2692-0-0x000000007447E000-0x000000007447F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-3-0x00000000002E0000-0x0000000000302000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2692-2-0x0000000004620000-0x0000000004704000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2692-1-0x0000000001070000-0x0000000001212000-memory.dmp

    Filesize

    1.6MB

    Download