raccoon | 49ae8012110cb36ae61a138a492531bc6ddb2d69618bffef6a93077fefba3a51 | Triage

Submit
Reports

Overview

overview

Static

static

cf5546412e...d6.exe

windows7_x64

cf5546412e...d6.exe

windows10_x64

Sharing

General

Target

cf5546412e349b49b8aafb77af57b5d6.exe
Size

526KB
Sample

210413-h5a7he33jx
MD5

cf5546412e349b49b8aafb77af57b5d6
SHA1

8f83ecc2c0d0046c51fab5c75e419c0d2adde1a2
SHA256

49ae8012110cb36ae61a138a492531bc6ddb2d69618bffef6a93077fefba3a51
SHA512

0de60ca7d2e239e58cdacef8bb45f1be752a72e19d6a587e43746b19d5f5f611615fc671a54127395b41cdfb825cb927dd5e94c869a097bf4e77622430cecd3d

Score

10^/10

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

cf5546412e349b49b8aafb77af57b5d6.exe

Resource

win7v20210408

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

cf5546412e349b49b8aafb77af57b5d6.exe

Resource

win10v20210408

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
213.252.244.165
Port:
21
Username:
user
Password:
aiojdjinfbSDFGOJNI2346IJNOFGBIKJ

Extracted

Family

raccoon

Botnet

f6a4646c17af7db77b0a5aba1906d97ffcdd34ed

Attributes

url4cnc
https://telete.in/jdiamond13

rc4.plain

rc4.plain

Targets

- Target
  
  cf5546412e349b49b8aafb77af57b5d6.exe
- Size
  
  526KB
- MD5
  
  cf5546412e349b49b8aafb77af57b5d6
- SHA1
  
  8f83ecc2c0d0046c51fab5c75e419c0d2adde1a2
- SHA256
  
  49ae8012110cb36ae61a138a492531bc6ddb2d69618bffef6a93077fefba3a51
- SHA512
  
  0de60ca7d2e239e58cdacef8bb45f1be752a72e19d6a587e43746b19d5f5f611615fc671a54127395b41cdfb825cb927dd5e94c869a097bf4e77622430cecd3d
Score

10^/10

raccoon f6a4646c17af7db77b0a5aba1906d97ffcdd34ed discovery spyware stealer vmprotect
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

raccoonf6a4646c17af7db77b0a5aba1906d97ffcdd34eddiscoveryspywarestealervmprotect

behavioral2

raccoonf6a4646c17af7db77b0a5aba1906d97ffcdd34eddiscoveryspywarestealervmprotect

© 2018-2024

Terms | Privacy