raccoon | c30de5a8c243dcee3ad3f971985ac2608c6678dd0e0869296f64243c5178f85e | Triage

Submit
Reports

Overview

overview

Static

static

51f9ec34c7...f4.exe

windows7_x64

51f9ec34c7...f4.exe

windows10_x64

Sharing

General

Target

51f9ec34c7094e6baaf3ee4a0d1bf9f4.exe
Size

505KB
Sample

210413-8drjfxq1es
MD5

51f9ec34c7094e6baaf3ee4a0d1bf9f4
SHA1

b94cf497d51f6bcd3b26640514a9ecea2e72ad5d
SHA256

c30de5a8c243dcee3ad3f971985ac2608c6678dd0e0869296f64243c5178f85e
SHA512

beb10eb881b801e2fd6e3315225a313c3e28870a437fca062c758e8be32a8eb732f80b3c25d0b7a1956d270d6eca41ddabffcc1e2f150a7a5e9f7e6fafb5c6d7

Score

10^/10

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

51f9ec34c7094e6baaf3ee4a0d1bf9f4.exe

Resource

win7v20210408

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

51f9ec34c7094e6baaf3ee4a0d1bf9f4.exe

Resource

win10v20210410

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
213.252.244.165
Port:
21
Username:
user
Password:
aiojdjinfbSDFGOJNI2346IJNOFGBIKJ

Extracted

Family

raccoon

Botnet

f6a4646c17af7db77b0a5aba1906d97ffcdd34ed

Attributes

url4cnc
https://telete.in/jdiamond13

rc4.plain

rc4.plain

Targets

- Target
  
  51f9ec34c7094e6baaf3ee4a0d1bf9f4.exe
- Size
  
  505KB
- MD5
  
  51f9ec34c7094e6baaf3ee4a0d1bf9f4
- SHA1
  
  b94cf497d51f6bcd3b26640514a9ecea2e72ad5d
- SHA256
  
  c30de5a8c243dcee3ad3f971985ac2608c6678dd0e0869296f64243c5178f85e
- SHA512
  
  beb10eb881b801e2fd6e3315225a313c3e28870a437fca062c758e8be32a8eb732f80b3c25d0b7a1956d270d6eca41ddabffcc1e2f150a7a5e9f7e6fafb5c6d7
Score

10^/10

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

raccoonf6a4646c17af7db77b0a5aba1906d97ffcdd34eddiscoveryspywarestealervmprotect

behavioral2

raccoonf6a4646c17af7db77b0a5aba1906d97ffcdd34eddiscoveryspywarestealervmprotect

© 2018-2024

Terms | Privacy