raccoon | 361411e6321c45c845669ac89e32feec0bdd97916b5d73f508c43576b8a15a20

Analysis

max time kernel
34s
max time network
41s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/03/2025, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample2.exe
Size

871KB
MD5

dd1b734796b4aa40af46b4d69e1e2da2
SHA1

d5273be84dfa0c54fc9cefff7bcc24fed3e20e1c
SHA256

361411e6321c45c845669ac89e32feec0bdd97916b5d73f508c43576b8a15a20
SHA512

2de21b09091caaa2cfca919fb8e5777afb80ff1eba12b81b2f9a6fde3c94aea52f3bba22ad801bae37fb8816fc7e738c54fc2639d8f6cf47e04d4bc0dbd2af56
SSDEEP

12288:iANwRo+mv8QD4+0V165iTr/erjzuQhyACzHDxx/PI11TUeJpIPxSG6zKzxSg564k:iAT8QE+kms0LrSPY/TUeJ4jVzCW1qQa

Score

10^/10

raccoon vidar 651 discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

28.3

Botnet

651

http://manillamemories.com/

Attributes

profile_id
651

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

resource	yara_rule
behavioral3/memory/2652-84-0x0000000000400000-0x00000000032DB000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral3/files/0x00060000000193ac-36.dat	family_vidar

Executes dropped EXE 2 IoCs

pid	Process
2652	wotsuper.exe
2784	wotsuper1.exe

Loads dropped DLL 4 IoCs

pid	Process
3008	sample2.exe
3008	sample2.exe
3008	sample2.exe
3008	sample2.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\IObit\\Advanced SystemCare\\ASCTray.exe\" /Auto"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\wotsuper	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	iplogger.org
13	iplogger.org
14	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.exe	sample2.exe
File created	C:\Program Files (x86)\wotsuper\wotsuper\Uninstall.ini	sample2.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe	sample2.exe
File opened for modification	C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe	sample2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wotsuper.reg	sample2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wotsuper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wotsuper1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wotsuper1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wotsuper1.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602e6541a296db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CBEA181-0295-11F0-B4D5-7E918DD97D05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011083bcbfe712d429e48e43958ae0f110000000002000000000010660000000100002000000007c60cd0ca7bae3067fc833b9219c6347508dafd7199e3492d03d53605513cfd000000000e80000000020000200000008ac005b3c89dec3ab9c60c8d0835b1f2579de4f82939efc55584e235b7be0e8d20000000f7b6c56785b123a8cb5ce137702ba96927716b865ae3c68430c1825d65b2075b400000005efead065112f165b9f74277a24995187ab8655b3b1e85332e2c36887f342bc327c8ca66088fbd151ab90e7795c43d797fce507307938b7657f1a157001176be	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011083bcbfe712d429e48e43958ae0f1100000000020000000000106600000001000020000000715f7ce08c52cef9c9758eb9c340a9d0c4d54065b7ff4b725039b7feef39219a000000000e8000000002000020000000a763cb2343cecfe348821eed62e3a2bd26f03b69b88db8fbf90a04f429941c7690000000b6455489c2198c869bfe70aec5600cb784f43fb37fd1f5b8bb019c6247f4512da850a7f72b9eaebeb0facba43a84b1764e8e8ad81dfc54544943f3f46cd14a9be7d3b6dbc5cf56cb2a7ebcd1d927037cf0654347338b186ae9fcf1bdb4f67f74e33e1f811212b92247318369d590553e12d55cc32b7a741d01b2d002f1bc0312f348131923091eaf48d50472c9debb7b4000000004e2dedd54a7a71db4500e61e08fc51cb39c1c7cdd51c2c40f79917d0ae602ee624c2389bc9805ed9c5343c1a831ced541b7a09903845aefbffa1036d363f2d6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2272	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2784	wotsuper1.exe
2784	wotsuper1.exe
2784	wotsuper1.exe
2784	wotsuper1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2208	iexplore.exe
2208	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2208	iexplore.exe
2208	iexplore.exe
2208	iexplore.exe
2208	iexplore.exe
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2208	3008	sample2.exe	31
PID 3008 wrote to memory of 2208	3008	sample2.exe	31
PID 3008 wrote to memory of 2208	3008	sample2.exe	31
PID 3008 wrote to memory of 2208	3008	sample2.exe	31
PID 3008 wrote to memory of 2652	3008	sample2.exe	32
PID 3008 wrote to memory of 2652	3008	sample2.exe	32
PID 3008 wrote to memory of 2652	3008	sample2.exe	32
PID 3008 wrote to memory of 2652	3008	sample2.exe	32
PID 3008 wrote to memory of 2784	3008	sample2.exe	33
PID 3008 wrote to memory of 2784	3008	sample2.exe	33
PID 3008 wrote to memory of 2784	3008	sample2.exe	33
PID 3008 wrote to memory of 2784	3008	sample2.exe	33
PID 2208 wrote to memory of 2684	2208	iexplore.exe	34
PID 2208 wrote to memory of 2684	2208	iexplore.exe	34
PID 2208 wrote to memory of 2684	2208	iexplore.exe	34
PID 2208 wrote to memory of 2684	2208	iexplore.exe	34
PID 3008 wrote to memory of 2272	3008	sample2.exe	35
PID 3008 wrote to memory of 2272	3008	sample2.exe	35
PID 3008 wrote to memory of 2272	3008	sample2.exe	35
PID 3008 wrote to memory of 2272	3008	sample2.exe	35
PID 3008 wrote to memory of 2676	3008	sample2.exe	36
PID 3008 wrote to memory of 2676	3008	sample2.exe	36
PID 3008 wrote to memory of 2676	3008	sample2.exe	36
PID 3008 wrote to memory of 2676	3008	sample2.exe	36

C:\Users\Admin\AppData\Local\Temp\sample2.exe
"C:\Users\Admin\AppData\Local\Temp\sample2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Ldta7.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2684
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe
  "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2272
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1smEq7.html
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wotsuper\wotsuper\wotsuper1.exe

Filesize
544KB

MD5
b8181cb72764c24e73c7b6204b16bed6

SHA1
c430cc4776ff5e21d08bca9a0d73cfaf29108fa4

SHA256
fdb5a0d4e97ee36d2b23605b0d8a2785d08d046058f07a8714e4908e8a2485a2

SHA512
bd63970b846bfdc6990b803e12028c692bc3f3125df03c3b9ec4626e1ce56dc43313d37c71337868ade0e4da31a5eca971b453242829b7312eb7efd2a407de1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

Filesize
2KB

MD5
69e4830ca7d676e47b4a8aa3ff08d40c

SHA1
863e146d6223909265bfb6f9d88c78f09c18b5bb

SHA256
23d871a174110c4bef5101c10b2c0bd5f9baa37f94305417060a05b9d2ef67d5

SHA512
55b6399b8eb89f75c4904305a87d1e17722294a003d77fa9aaadd2c74c4c513021353d5f248383226b73ce62b69974110f97561adf54fbfb52d94a1ce1325242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Windows\wotsuper.reg

Filesize
450B

MD5
42f073434559fb6b9c67aba86de89d1b

SHA1
9b969de41fc717353619068e46f21ec1db093ab5

SHA256
03ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed

SHA512
b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547

Download Submit
\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe

Filesize
449KB

MD5
7b20f5c61780fe383f45ca6e18ed5a6a

SHA1
bc9bfd59f0cde312cd9a0d20784887fed9b8c836

SHA256
26ccbcb079b3f0cc183293351c40da3146d2ddec9b4d6cd314090cfab94834df

SHA512
8a63f6ad20fe18bd49d055ae05bc81fe30d0ebfb25a37428b17b43569b53bf2560f0de8f993f62a2f5d458db78e6d24ad71fca8d7fd1133d3cb499dff356e68b

Download Submit
memory/2652-84-0x0000000000400000-0x00000000032DB000-memory.dmp

Filesize
46.9MB

Download
memory/3008-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download