Resubmissions
29-04-2024 19:30
240429-x7vc2sah46 1029-04-2024 19:28
240429-x65gmaah25 129-04-2024 19:25
240429-x49zbsag74 1029-04-2024 04:45
240429-fdebasaf52 10Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
29-04-2024 19:25
General
-
Target
de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe
-
Size
718KB
-
MD5
1bf24ce8b5e34930932432d626fac06d
-
SHA1
32276318f55c1118980f98377968de0f78c9227e
-
SHA256
de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3
-
SHA512
d3885e43fe5189eb37cdf4518f05c9096685974db4eefd96260e2db8b17cda13b67861cef2247aeb12baed7ca59c892c82f855c5179e54213f861d2c352ce4fa
-
SSDEEP
12288:tfLmWONlyXjI/kkJzHSomfaeITAl5aqzTuCTTcARinC/4Tf0Yk4FfRUEy2Hzo5:tfLmNlz/XUyZTAl8jOiiifDzo5
Malware Config
Extracted
raccoon
fda6c8debb0b6b5a1d9698b54b255a7d
http://91.92.255.182:80/
-
user_agent
MrBidenNeverKnow
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe"C:\Users\Admin\AppData\Local\Temp\de35dae3ef97e43e60f63cf0ded58d480c0e7effe6a93c936be8f94db8e8bee3.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c move Evaluation Evaluation.bat && Evaluation.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c md 340734⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V "BabesSalvationCarriesBabes" Drawings4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 34073\Mentor.pif + Adjacent + Captured + Sacred + Vagina + Lafayette + Surveys 34073\Mentor.pif4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Counting + Francisco + Honda 34073\o4⤵
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\Mentor.pif34073\Mentor.pif 34073\o4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\Mentor.pifC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\Mentor.pif2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\Mentor.pifC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\Mentor.pif2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\WaitFind.ods"2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3915855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\4h1396zdDs2gFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\LocalLow\mozglue.dllFilesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
C:\Users\Admin\AppData\LocalLow\nss3.dllFilesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
C:\Users\Admin\AppData\LocalLow\sqlite3.dllFilesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
C:\Users\Admin\AppData\LocalLow\zl1Ev1E5Lh51Filesize
100KB
MD56d7ef092add3330a33162536d6a34a07
SHA1b2646ee43195149c40daaadfada376f58169534e
SHA25684d90c18fdb84664ac660760bb9a201f672407ad5bc5da01655ac0209f7c67a7
SHA512579cf4851103bb8a3db2f24050c6b79229a968f0d5fb1ea92ccfb55e045b2a8ca82532200557f57052e39357b40a17ebac437007116d45de0f97d7189a3f251f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\Mentor.pifFilesize
64KB
MD508dc66672690cba948c844cd27257a5c
SHA10495a4555ee60c87f806eed176c8e01bceb08de2
SHA25615793db09353012de2cbeda0b7867ca687913840880a5668e1fe1b91edfd85ab
SHA51222f17499baf96b5025d21cf493096f3a771894f4f7e6dc69e0c3d78f40edd96cec61e06fd1e516767b78970bcc0010aa23b1031771b6520eb7dd4782feca2412
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\Mentor.pifFilesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\34073\oFilesize
526KB
MD5dd2acdef84b287794876c92c2a735aec
SHA11ff96f7a71f808ddaa2fc197b6299532a8fcd0fb
SHA2563a149e1f3ec43f37fb419affaf175870725b78b8fd5e42019fe6a988823d7282
SHA512664ad38efc6be0fe5a16d3670c564064d19fc27bc56397da8f798f7bb9bfcccb92e6f4b05d2f399a838dce1bff860b4e678f112b6eb90db9d3e97996f01e1524
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\AdjacentFilesize
64KB
MD57474db7b5f39b27e7fbce6e370b4bf66
SHA1d4d7c4d41bded1c9d8959017cfa7846e435d93bd
SHA2560efd0625b7921c18935c66adb4b3a653a913ecd90ab3b8b1983ff4101479605f
SHA5123247a749ddde2e80cc2d1b5f9c47d5ce4af2389da59de3360d8cbc60445bd593c5fc3270fb1eb156a344d69cc00b88e02feb6600998f4e7323f4ae3219aa273a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\CapturedFilesize
131KB
MD588edf7bb55387e597f59684273f66bb3
SHA199786b34a5db73c85a43cd4c18a8c085fed5ab89
SHA256f61189f0f701466dcc3e2f6a8e411e7878cbf9ba6bba49917d612c19b1cc6a23
SHA51284689a3c6d933710dffc4d80c0b41820a8e5a6309ba6979d07e22a638aa4db143f00ad80388871e444c3edf5332f471ec0db227ea97a3f0df2c9e2cdc5f3dd42
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\CountingFilesize
281KB
MD5a262219e61af791c944a87d07bac0075
SHA1d74aeaa010271d13e1edc54bc73601e57f020c49
SHA2560177bcf1e6862c139fae08a9c6027f68989b4f68a239b64fab7449d1c421ddc0
SHA512116ce3a1349a17f8b14a5c2a35af9008d8ffbdeae5e3b2a22f9cedbb18f2af564cc8b7762b30c643265eb16907df02a5c75fb3d141db0646f46bf777b855febb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\DrawingsFilesize
42B
MD5477a08320d6c6e2f4512d40eb08713b1
SHA17be0348f77ae584c1ef6b8de1321473da3f9aa3c
SHA256027643fd5055f08abd161719191a2ac764cdf555d452da6cb84ecfd557144529
SHA5121bebae844d70507826ca40d135d12172aba7c23c5ed6cd7f2a3d229dc8e137e641a527b63e1474a4f0e4849568aa6ce6fd3d1276772d75b7f597d6b0a51d01c0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\EvaluationFilesize
21KB
MD5b647cde3038a87c2498edec310305673
SHA16fcc09d2c62d284b66926d3605aff5510e7e9453
SHA2565c67bac057822f53f941200e27d24c5277ac742b78b3c3f5958a74a33c49b38d
SHA512db701f47fee7344c4331664ce7a0187e6b9e9d47bab386665d64a61ca3a21de24af193dd1b485fdea8a003e4cb859bee73b2ddb7e3304719df1ab3446a367482
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\FranciscoFilesize
210KB
MD51bd18404bd951a8deb7845f75a6399f9
SHA1748f9977c0e7d628bad8d3d8e827100b6590cb4d
SHA25616f684e24d64d7102f8ca4feddbbc6764fc405cc3688353baa3c086f98fda1cb
SHA512b00b38068cbc363e7fd5ff4038610f56828ffe13fb7ab78b6103baf6efeb05d4e9024e7383b8b6c73a010bce87f978e163685df6f3801aaa34f5da940aac6bbe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\HondaFilesize
35KB
MD559c2b53fe828fde64bd2a39a5de07ee9
SHA12ed2c83a393b5e30131acaf57893dd46c1084b52
SHA2566a258a819e64d26e05f34edadd0ef7e11f58cf4d68f60aba82a71f5236e9f9eb
SHA51228f667142fb539194d66503ecbfe9ee8fdb35dbd9324b4fb27ee0b6d2b76150f0a2751d825cc11314ae42f4d30b8e2c6a941c72a3cf72126391c48a4e3437998
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\LafayetteFilesize
200KB
MD54db90c416a38e4572abf3261e5dacf6a
SHA13d721f9c266090469bc46f9f3616d47611492038
SHA2563ed0263be62819660e0fd37e95ab71b30ab8409348ac4f7ed11bcba0235d570d
SHA512bd97959b027988a888010553e7fa424a8c38a7cccfd951e1b9222e5e16ce745e2a657b4dbc9238e5e8c84f66f1c238e999eba45e639f00cc928d2e5e5d66c25a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\SacredFilesize
125KB
MD5c68b90b18096cedb29d5dd73790b6b05
SHA100f7a79c3bb847352a8b9ef73a24bcb039890e07
SHA256f68e29a0f0c076fb5a3539f51168a73692c118cb861f3b814339a1eac86ce923
SHA512d4df00de092bebe44e13b06587052465b73e67abd5502cac1e50019d7f008e57b74352b0263d986aa95fd7a1d57bb19778661feae5305544e6a33605dd764415
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\SurveysFilesize
131KB
MD55bf3a39ef1e55247138748c2975a6873
SHA160d6c0a87fad62c31824f31c6def118541749698
SHA25610609820e62098fd90b9344a9ece578451f913433fc8b53dbab9007db210fdb7
SHA5122d9740527edfb51702f8b7c6c4123f530f559dada973455533f493dee2c5ebdcd1de47d9d47e4b35a2bf850d5c244c9fe59a497ad27f24648a848ca52221129b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\VaginaFilesize
270KB
MD575e4a838cff0be8ef793640d1011129c
SHA19788327d28e5c5fb43d03856f395a863f7ecf9a0
SHA2563bbf6b504ffec824edc168cb1a11121a5b360361ee192f5923aa11e9afe985e0
SHA51219f1a02ded1f1b79823eb6c6a5e4790412dab2a5395ac83e6ec6e5639fce642f45bb7403b995152dee31c2454063ac7da389676b3605fb57d2950440f7bb4a2e
-
memory/2300-102-0x0000000061E00000-0x0000000061EF1000-memory.dmpFilesize
964KB
-
memory/2300-35-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/2300-33-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/2300-32-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/3076-45-0x00007FFEB8C70000-0x00007FFEB8C80000-memory.dmpFilesize
64KB
-
memory/3076-48-0x00007FFEB64C0000-0x00007FFEB64D0000-memory.dmpFilesize
64KB
-
memory/3076-47-0x00007FFEB64C0000-0x00007FFEB64D0000-memory.dmpFilesize
64KB
-
memory/3076-46-0x00007FFEB8C70000-0x00007FFEB8C80000-memory.dmpFilesize
64KB
-
memory/3076-44-0x00007FFEB8C70000-0x00007FFEB8C80000-memory.dmpFilesize
64KB
-
memory/3076-43-0x00007FFEB8C70000-0x00007FFEB8C80000-memory.dmpFilesize
64KB
-
memory/3076-42-0x00007FFEB8C70000-0x00007FFEB8C80000-memory.dmpFilesize
64KB
-
memory/3620-106-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-108-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-107-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-118-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-117-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-116-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-115-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-114-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-113-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB
-
memory/3620-112-0x000002AB1E810000-0x000002AB1E811000-memory.dmpFilesize
4KB