raccoon | ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05

General

Target

ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe
Size

1.6MB
MD5

1bff2e1095c5000b950c2f9bcde896e5
SHA1

fc61d68aa844f8a3cf8e879ea0005c009560b306
SHA256

ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05
SHA512

6339f59483fb86b402392171fc11ddaf27d805bec29cb088bb0efed1a1d29f7548a6151398344969486d02ba6e32155c0b58452570f0c031207e4eeabf01db0b
SSDEEP

24576:3CGKLOvnkRd/WMqXqCb4VKMseaIuNCXmcPUHQCSIdf+ZkY0rHOmUK7DVqZ:3IsS/WMqXqWMdad3LhddEaHOfo

Score

10^/10

raccoon 111a83bc76cd8d221f67303e6ef70a11 credential_access discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

111a83bc76cd8d221f67303e6ef70a11

C2

http://192.153.57.177:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral2/memory/4608-5-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4608-8-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2
behavioral2/memory/4608-79-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon_v2

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4520	75Ub6jq3.exe
1340	oobeldr.exe

Loads dropped DLL 3 IoCs

pid	Process
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3596 set thread context of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oobeldr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75Ub6jq3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe
3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe
3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe
3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe
4608	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4984	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	80
PID 3596 wrote to memory of 4984	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	80
PID 3596 wrote to memory of 4984	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	80
PID 3596 wrote to memory of 4868	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	81
PID 3596 wrote to memory of 4868	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	81
PID 3596 wrote to memory of 4868	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	81
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 3596 wrote to memory of 4608	3596	ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe	82
PID 4608 wrote to memory of 4520	4608	MSBuild.exe	84
PID 4608 wrote to memory of 4520	4608	MSBuild.exe	84
PID 4608 wrote to memory of 4520	4608	MSBuild.exe	84
PID 4520 wrote to memory of 3060	4520	75Ub6jq3.exe	85
PID 4520 wrote to memory of 3060	4520	75Ub6jq3.exe	85
PID 4520 wrote to memory of 3060	4520	75Ub6jq3.exe	85
PID 1340 wrote to memory of 1044	1340	oobeldr.exe	88
PID 1340 wrote to memory of 1044	1340	oobeldr.exe	88
PID 1340 wrote to memory of 1044	1340	oobeldr.exe	88

C:\Users\Admin\AppData\Local\Temp\ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe
"C:\Users\Admin\AppData\Local\Temp\ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Roaming\75Ub6jq3.exe
    "C:\Users\Admin\AppData\Roaming\75Ub6jq3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3060

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Q7c730pHCeVc

Filesize
114KB

MD5
dd0753d538ec3e7164e5de76f268ff95

SHA1
ab7b74a045ed53e48a1c16f71c8dfb9fbe6b651e

SHA256
bf7ce934f5bad1713e29a4028e7cc1e8b6cffac889cbc2c2831755ccfaa4c987

SHA512
d92e0c725cbafb455f890bca865da7bb6a19381c1befb606efa1a766f44bbdbc6a311f84f740becb7f0c4a77cd2d9ea52fae7d783c70d2841039b539ecec9128

Download Submit
C:\Users\Admin\AppData\LocalLow\mK9b7gTwIej2

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Roaming\75Ub6jq3.exe

Filesize
4.4MB

MD5
af6e384dfabdad52d43cf8429ad8779c

SHA1
c78e8cd8c74ad9d598f591de5e49f73ce3373791

SHA256
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

SHA512
b55ba87b275a475e751e13ec9bac2e7f1a3484057844e210168e2256d73d9b6a7c7c7592845d4a3bf8163cf0d479315418a9f3cb8f2f4832af88a06867e3df93

Download Submit
memory/1340-98-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/1340-96-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/1340-93-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/3596-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/3596-4-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/3596-3-0x0000000005720000-0x0000000005804000-memory.dmp

Filesize
912KB

Download
memory/3596-2-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download
memory/3596-1-0x00000000009F0000-0x0000000000B92000-memory.dmp

Filesize
1.6MB

Download
memory/4520-91-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/4520-85-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/4520-86-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/4520-87-0x0000000000400000-0x0000000000BD9000-memory.dmp

Filesize
7.8MB

Download
memory/4608-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4608-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4608-78-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/4608-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads