raccoon | e4923ef723752a4bcb7082cb4b6df0c4330d6823e1e233f842c6d67aea275232

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

1.4MB
MD5

24444287765f88b5a8b63e1f66b074a4
SHA1

16aecb16cafce9d5ad85f0dd9ed94c3e0f2f40d3
SHA256

e4923ef723752a4bcb7082cb4b6df0c4330d6823e1e233f842c6d67aea275232
SHA512

fe65e94a68096fa51f4abc29d1245ffb2df02a158f06a84528688d59810a71dfeedf6b8c1eaff984b9a171c70a0605a59c947f28a5b14c309289ba10a14dd3cf
SSDEEP

24576:sAHnh+eWsN3skA4RV1Hom2KXMmHad/+lZUg83lTR08G4Dlda+T5:Lh+ZkldoPK8Yad/+z6HLLaK

Score

10^/10

raccoon a195dbd69ca528bed35b69aa07ed167e discovery stealer

Malware Config

Extracted

Family

raccoon

Botnet

a195dbd69ca528bed35b69aa07ed167e

http://45.8.145.76/

Attributes

user_agent
23591

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

resource	yara_rule
behavioral1/memory/2700-1-0x0000000002E20000-0x0000000002E60000-memory.dmp	family_raccoon_v2
behavioral1/memory/2700-2-0x0000000002E20000-0x0000000002E60000-memory.dmp	family_raccoon_v2
behavioral1/memory/2804-7-0x0000000000400000-0x000000000041E000-memory.dmp	family_raccoon_v2

Raccoon family
raccoon

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2804	2700	Setup.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31
PID 2700 wrote to memory of 2804	2700	Setup.exe	31

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-1-0x0000000002E20000-0x0000000002E60000-memory.dmp

Filesize
256KB

Download
memory/2700-2-0x0000000002E20000-0x0000000002E60000-memory.dmp

Filesize
256KB

Download
memory/2700-8-0x0000000002E20000-0x0000000002E60000-memory.dmp

Filesize
256KB

Download
memory/2804-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2804-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download