Overview

overview

10

Static

static

3

ceb6b3d9b2...82.exe

windows7-x64

10

ceb6b3d9b2...82.exe

windows10-2004-x64

10

$TEMP/Designation.ps1

windows7-x64

3

$TEMP/Designation.ps1

windows10-2004-x64

3

$TEMP/Prev.exe

windows7-x64

$TEMP/Prev.exe

windows10-2004-x64

Analysis

  • max time kernel
    240s
  • max time network
    245s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18/03/2025, 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe

  • Size

    768KB

  • MD5

    ad27c002c314717f78cadab27bf049cf

  • SHA1

    8467513920df45cc742760f05fef909b54a95261

  • SHA256

    ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182

  • SHA512

    a691790f69341f28173e6a83200480af952ca35af0724d670d8b4a52264c991cfb61ee6cc513615414a2864071244753b84122d493a67f2f73d47a2395e5255e

  • SSDEEP

    24576:gbGdMU29P/8RLgad7P3BeJlDff4WGVF9kkzB:qG+xsZgg7fMJlDIVFTzB

Score
10/10
raccoon4076618ff41b7d8c15ac86f265ebc66ddiscoverystealer

Malware Config

Extracted

Family

raccoon

Botnet

4076618ff41b7d8c15ac86f265ebc66d

C2

http://82.146.45.177:80/

Attributes
  • user_agent

    MrBidenNeverKnow

xor.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V2 payload 2 IoCs
  • Raccoon family
    raccoon
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe
        "C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Latter Latter.bat & Latter.bat & exit
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:584
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3052
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2932
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 3446
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2496
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 3446\Victoria.pif
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2976
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Designation + Chorus + Place 3446\B
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1804
          • C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif
            3446\Victoria.pif 3446\B
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2800
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 5 127.0.0.1
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2864
      • C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif
        C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3446\B
      Filesize

      521KB

      MD5

      2ea6936964f3396a440d6fcd1d0e6a40

      SHA1

      c1b605042274a26061f9b3acf6e3e3c84d0dd27d

      SHA256

      ee33bc9748fc3f2799d43df04ead1df383764f6a00e85cb6865a456b1023bf27

      SHA512

      8e3c462a5ab1f47e834ebbe64a320d68d7e98dc5a50a3d21127d9731c168dcd64a1ed77a33c514d2cbe56daa981073942eb878504e58cffd864f28c68facbba5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3446\Victoria.pif
      Filesize

      924KB

      MD5

      848164d084384c49937f99d5b894253e

      SHA1

      3055ef803eeec4f175ebf120f94125717ee12444

      SHA256

      f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

      SHA512

      aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Chorus
      Filesize

      296KB

      MD5

      6289f0044be469e5cc5d78425de1ecd2

      SHA1

      1633cbe5c9c79ff74cef4ef8d44221d16dc7c674

      SHA256

      68c92d709cd12a0decce387d841e41519f68979ff305aff68738a81e538c2434

      SHA512

      256d3016d615d47f71f762b339ef842d1da613323aa8beb3b67afbb3271b5a5001e470d9331039fbf5600b87e49d40fe41af29dd96cdaef8af37dfee37c83f70

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Designation
      Filesize

      209KB

      MD5

      c1cc1aa18b9007c18d77d379897ca025

      SHA1

      64c85a49243812f66e0dd819129cb99ee10ef763

      SHA256

      5ff84c86bbb50331fb0a8dda84591ff259d236aa54fb1c7e14e420e916d340cc

      SHA512

      791c7cdc14c4947460327d9cb4b9a524dcf948ece3f96446a0d8da8cd938922dcb5695a16b011ab7910581341ca1b0088dc1df7f45712dfdcb78a2058d56c310

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Eight
      Filesize

      76KB

      MD5

      521f2aed387524bdd7052bb4f23c0018

      SHA1

      7c57b9c934705f1ba9418840afef2f0af8e69168

      SHA256

      d38464b74940765c78bf06478029f2366bfbca7c9b965c164efb2886e98c3d6a

      SHA512

      73366414419bb41c192a74f56a94c867d50187c24e07cc9ac33f4dbab31ea756671dc879a9bf78735596f8c96976fd595dd987702daadd9b8b25ea543a12c474

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Latter
      Filesize

      12KB

      MD5

      202cd0ed4d5a42ef36c223e2e041bae9

      SHA1

      814d8e675a6c57811052f1f116e51605f11c5c7a

      SHA256

      dfab3a6b7e63339e8a23e9270cbbd49fa5d9efe42512339e1a7a915bd04d7b10

      SHA512

      e66ab9d35dbc6cb593f90b31d739fd361bb2426f8137121b6f297663b970ba8e2ffd0e53e72d3137ce705ebee3f254646fc6d350b0fcb432276761b664f7cb60

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Objectives
      Filesize

      109KB

      MD5

      93fc6d378cf9f3e4bd856b24e758032b

      SHA1

      23509fad0ad1dc5cead9b4f8e0efe2b1a52c2536

      SHA256

      21cc51aee34eef0c66dbc4c633bedc390dba87482289b7a31e15806b9dfb60ad

      SHA512

      e8304645ae862af43af2d8596626764420a4c6acaa4cb1a4a1eacab231a0351a04b1130609c34e8b2c58e13b97f048af5f97bcbcee8ace3eef9955228b57285e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Place
      Filesize

      16KB

      MD5

      9ea9a13f6966bda0647d6f83f6d257fb

      SHA1

      36d5c6d95368508c5878bf08e2a2bc753aaf7aec

      SHA256

      5db649df3c48e3e7e47f9bfa222fc229b4a000dadd9d12b83fde569ed2ee81a3

      SHA512

      4c3a3359777a16c190973eefd001e166f76dee32482493b0da2c635b90a143aef35a36101ff66daa1b60eeaec945c3d93a8d82b51cc8a70e48bc6b9c3199db2a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Planning
      Filesize

      284KB

      MD5

      9bb02422262416ba9e804e520ab576be

      SHA1

      3d6b62a8f9d8d846c8e05495819b5320ada507c6

      SHA256

      fb7337b18c69464c4c84b9ecb69d62f6f693460c86d0e5ab3586c315c59cac97

      SHA512

      febc9d3221329aa1150dc3b1b81afe858634bb3a096939ae5cbef87d9c7dc3613265baf1e40befac34798ac186802d17437f04cadff4b3ade71332647ece10e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Prev
      Filesize

      173KB

      MD5

      8d019b45973901b4854eec33096d05c0

      SHA1

      1dfb37a78659ba3917c6479ead9c9f645bbb8331

      SHA256

      d4dce3c852197709b13ad7a426d2e515d3d7d0d52d79d4b1de7f3c8e5f881ff3

      SHA512

      9e23a4d76c707476e0c342dc6468c153571a5e1a106397d80c8ade95682119bd3bfe45ba803521327d61d926c14bcb3b61fd1869de4881956453a53183e98af1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Publishing
      Filesize

      282KB

      MD5

      5c3dd15e00b94c2d9b169d10e4f89144

      SHA1

      32f0c00bcf18cc51ed0ff7bcab2cb6b62ff08620

      SHA256

      d2ad4b17ef916f37ba03c3a7f5c3e3733a7b63bc18eda759f0e8744d682af9c4

      SHA512

      1f4c9bc47efe1c5644042daa5575dd2fbfc92de604b1af7c70fb77070f5b1d2928811d84e47ddabae08b4bf7248a23c66690413d6a75cb1b683e3c893068c4eb

      Download Submit

    • memory/916-25-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/916-26-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/916-28-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download