raccoon | 9f89c8cffae82b4ce3af3181a1065db66c556fcd570a8964a016e47692af1994

Analysis

max time kernel
110s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f89c8cffae82b4ce3af3181a1065db66c556fcd570a8964a016e47692af1994.exe
Size

595KB
MD5

cb2eac57843718c29f216fbc0241d863
SHA1

27287f1706de2c4a32c0ae4c36d42869989ac2d4
SHA256

9f89c8cffae82b4ce3af3181a1065db66c556fcd570a8964a016e47692af1994
SHA512

d157417465d3bb4438f9d1be69149d5f24a890e89b53542e4d0a2807eb59a3a9bb59da07f204b69458bc7417052c71834d81c3a2d81625f0105d748648c3f87c
SSDEEP

12288:xFdi+7NvWv6lW4QSOxxU1MTtzl2BYQm97Un+U+5GMedLPPxjuD4b5VA:xLiwNz0V6CDByoG3PPxCDN

Score

10^/10

raccoon acea450e34e990b055ec3f61bbf5320fab082758 discovery stealer

Malware Config

Extracted

Family

raccoon

Botnet

acea450e34e990b055ec3f61bbf5320fab082758

Attributes

url4cnc
http://telegka.top/jdiamond13

http://telegin.top/jdiamond13

https://t.me/jdiamond13

rc4.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1056-2-0x0000000000D20000-0x0000000000DAE000-memory.dmp	family_raccoon_v1
behavioral2/memory/1056-3-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral2/memory/1056-5-0x0000000000D20000-0x0000000000DAE000-memory.dmp	family_raccoon_v1
behavioral2/memory/1056-7-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral2/memory/1056-6-0x0000000000400000-0x00000000008C4000-memory.dmp	family_raccoon_v1
behavioral2/memory/1056-14-0x0000000000400000-0x00000000008C4000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9f89c8cffae82b4ce3af3181a1065db66c556fcd570a8964a016e47692af1994.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f89c8cffae82b4ce3af3181a1065db66c556fcd570a8964a016e47692af1994.exe

C:\Users\Admin\AppData\Local\Temp\9f89c8cffae82b4ce3af3181a1065db66c556fcd570a8964a016e47692af1994.exe
"C:\Users\Admin\AppData\Local\Temp\9f89c8cffae82b4ce3af3181a1065db66c556fcd570a8964a016e47692af1994.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-1-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/1056-2-0x0000000000D20000-0x0000000000DAE000-memory.dmp

Filesize
568KB

Download
memory/1056-3-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1056-4-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/1056-5-0x0000000000D20000-0x0000000000DAE000-memory.dmp

Filesize
568KB

Download
memory/1056-7-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1056-6-0x0000000000400000-0x00000000008C4000-memory.dmp

Filesize
4.8MB

Download
memory/1056-14-0x0000000000400000-0x00000000008C4000-memory.dmp

Filesize
4.8MB

Download