raccoon | 447cc0e824ccbad20d29998b9e64b792d7c40de93ebc36ac490748f4b551e02c

General

Target

FullSetup.exe
Size

810KB
MD5

44e6f5db4a0f2c8f90c487b06c1b31bf
SHA1

8dbdb692668f214892759c2e0ce2ee1e16aed475
SHA256

447cc0e824ccbad20d29998b9e64b792d7c40de93ebc36ac490748f4b551e02c
SHA512

c0201dc9ed1354103b72670939f5e2226f1559748618e2642dbf3e6b7f29189583e641edb70c135976d7d58a39edcd12871d6b588e1eb500151125c5cf8d6f11
SSDEEP

12288:ZiuvcvdBR6qqAqo8BjSJpbYNm1Bi/k52jCVkonaafLSPbXCvPFqwnNZ:Zkv6qqdpSzbYNOBV2jMnaU00tTNZ

Score

10^/10

raccoon 167f93a63fe65b2f9a51452da5a0e659 discovery persistence stealer

Malware Config

Extracted

Family

raccoon

Botnet

167f93a63fe65b2f9a51452da5a0e659

C2

http://92.38.240.8/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Executes dropped EXE 2 IoCs

pid	Process
2360	Gli.exe.pif
1444	Gli.exe.pif

Loads dropped DLL 6 IoCs

pid	Process
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FullSetup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 1444	2360	Gli.exe.pif	97

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gli.exe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gli.exe.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1888	cmd.exe
4296	PING.EXE
1284	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4296	PING.EXE
1284	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2360	Gli.exe.pif
2360	Gli.exe.pif
2360	Gli.exe.pif

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2948	5060	FullSetup.exe	82
PID 5060 wrote to memory of 2948	5060	FullSetup.exe	82
PID 5060 wrote to memory of 2948	5060	FullSetup.exe	82
PID 5060 wrote to memory of 1888	5060	FullSetup.exe	83
PID 5060 wrote to memory of 1888	5060	FullSetup.exe	83
PID 5060 wrote to memory of 1888	5060	FullSetup.exe	83
PID 1888 wrote to memory of 632	1888	cmd.exe	85
PID 1888 wrote to memory of 632	1888	cmd.exe	85
PID 1888 wrote to memory of 632	1888	cmd.exe	85
PID 632 wrote to memory of 4404	632	cmd.exe	86
PID 632 wrote to memory of 4404	632	cmd.exe	86
PID 632 wrote to memory of 4404	632	cmd.exe	86
PID 632 wrote to memory of 2360	632	cmd.exe	87
PID 632 wrote to memory of 2360	632	cmd.exe	87
PID 632 wrote to memory of 2360	632	cmd.exe	87
PID 632 wrote to memory of 4296	632	cmd.exe	88
PID 632 wrote to memory of 4296	632	cmd.exe	88
PID 632 wrote to memory of 4296	632	cmd.exe	88
PID 1888 wrote to memory of 1284	1888	cmd.exe	89
PID 1888 wrote to memory of 1284	1888	cmd.exe	89
PID 1888 wrote to memory of 1284	1888	cmd.exe	89
PID 2360 wrote to memory of 1444	2360	Gli.exe.pif	97
PID 2360 wrote to memory of 1444	2360	Gli.exe.pif	97
PID 2360 wrote to memory of 1444	2360	Gli.exe.pif	97
PID 2360 wrote to memory of 1444	2360	Gli.exe.pif	97
PID 2360 wrote to memory of 1444	2360	Gli.exe.pif	97

C:\Users\Admin\AppData\Local\Temp\FullSetup.exe
"C:\Users\Admin\AppData\Local\Temp\FullSetup.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\WerFault.exe
  WerFault.exe //////
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Moto.eps & ping -n 5 localhost
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^tfRFLqTvsdIvUOKycksieezLBpgscdNdnOfYhOdVSSkJZtltWZlydmGwVytBLBqqCsYunLRHVcglRKMvZlxvuHZYiheoKPldRluIutFkiClUkvplaHCBiEUVsqYkJJX$" Tua.eps
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif
      Gli.exe.pif W
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4296
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gli.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mise.eps

Filesize
804KB

MD5
0b1008510d8ad78f303d4002b429b8db

SHA1
9abf5a170d7200bec2af12949fa88be6e64f4c7a

SHA256
2b394bca6c02157946a8344d478c1e6e4295f6714dbe531360f7033748c2deb1

SHA512
de2662e6c7edd9856bee6c90760708a6cf508bb289f0765a7bf0847b9ab7ab99bce9cfbd67725dff2e98ef76a425552ece5440e3492c1bcf8cfd5fd0a80005f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Moto.eps

Filesize
8KB

MD5
258280b6e48ab449d2190299900d195b

SHA1
d991053bdb2c36526fa5ac70c11d5cd125a63f2f

SHA256
c033bde6cd385138ecc9c1726cb91aeb4c33eb3b107baf81fcaafcd24bb16d92

SHA512
2d35d334073dd64bf08b806908d34314d17cd66e8289fe0a0ec0462070b265cc74d8f801c3dc08a7e38c08d695b52aabc5d8c5714d72519c82b607c6bdddcfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.eps

Filesize
924KB

MD5
2680f631d04f3e8f3422f5c4681d044c

SHA1
8429c33dfc52763a7c192f8134436c7ebb314cf2

SHA256
4f3210a0dadf4bd1da643251e3ee89718c4fc90078ef6917871740b39bfcf137

SHA512
a4e60d12c1edb136a60d4f2e85518453025eb8f310eb2d94a1906b2a1165bf0a28995a64e6b943809ad6be69a6b85c3e3ac066f25012b1e705540414c6dabbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hgiRTV.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1444-24-0x0000000001280000-0x0000000001292000-memory.dmp

Filesize
72KB

Download
memory/1444-32-0x0000000001280000-0x0000000001292000-memory.dmp

Filesize
72KB

Download
memory/1444-33-0x0000000001280000-0x0000000001292000-memory.dmp

Filesize
72KB

Download
memory/1444-34-0x0000000001280000-0x0000000001292000-memory.dmp

Filesize
72KB

Download
memory/2360-14-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads