raccoon

General

Target

SynapseFortnite.zip
Size

513KB
Sample

211230-m1xvgsedbj
MD5

9bae6b54f6ca0806d765726b44beedd8
SHA1

398ade2627d3ebee540d9a118f2f87fbc45f9e97
SHA256

e514b4e46887403b0cd8e03f1fc1c2e97ac526949595dc89bb90fea24dec0c0f
SHA512

e446e1076807dfd5a47d1cec72f707b7b70e7690226cfef35458edccf4eeb4b55deb9194921e24b3609db3b1597c2f22cf20780b170e84ede5ab6fb3a6d0fc98

Score

10^/10

Malware Config

Extracted

Family

redline

C2

49.12.47.66:27973

Extracted

Family

redline

Botnet

cheat

C2

45.147.196.146:6213

Extracted

Family

raccoon

Botnet

e9f10fade0328e7cef5c9f5bf00076086ba5a8a1

Attributes

url4cnc
http://91.219.236.18/baldandbankrupt1
http://194.180.174.41/baldandbankrupt1
http://91.219.236.148/baldandbankrupt1
https://t.me/baldandbankrupt1

rc4.plain

Targets

- Target
  
  SynapseFortnite/Synapse Fortnite.exe
- Size
  
  962KB
- MD5
  
  6697fab57c2d1bd545ed4ff377ac3f28
- SHA1
  
  c4e2849a522d5509c03ac76cdcae1f5e775a9535
- SHA256
  
  9de0798bf7328f2bcb11fbc584da890fe04f998dd393f03390f455d142c5a6f1
- SHA512
  
  1b855d1eaf027e81b3c272521308daff5a1fe8e9b52a133fa839b95c3735b5ec837976711c57bfd4b28c38c6cde56759966414cdc259bf3178a3b86ca28a2bb1
Score

10^/10

redline discovery infostealer spyware stealer raccoon cheat e9f10fade0328e7cef5c9f5bf00076086ba5a8a1 evasion persistence trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  SynapseFortnite/debug.dll
- Size
  
  140B
- MD5
  
  f8d0b4805818eea04fe89393dd1bbe8c
- SHA1
  
  c685b7e7eac766a9e070e7ee01a721b495aea98c
- SHA256
  
  ff273dcbc136f98497c1b6e72ab22dc2efaed5b2dcaa24037f9eb28b4d5a3560
- SHA512
  
  72abcd97d83a80e2ed805bdb5b504fa1c964622975d1cf767141845ec2dc599f29dc987732ee42dd11d62b20c1f9bb229e304f0a1bf449e1be40dccf7ec407b4
Score

1^/10
behavioral3 behavioral4
- Target
  
  SynapseFortnite/libEGL.dll
- Size
  
  307KB
- MD5
  
  37c7e6132ee3bab93da29633cbfa92a9
- SHA1
  
  74181f6a4a5990c6247fce39d7546b403271ecf1
- SHA256
  
  0601fa20464102a2fe8e2fbfef7654bc748083b0ef48bc9359bd380d4edcb7e1
- SHA512
  
  755058175b7a6a21d08319194b30fc90d5079e1484597b620f36310fcf3269205230f35d96bd42056216528614585b50d2c6044a9bdb6e6f80268cd94f64e228
Score

3^/10
behavioral5 behavioral6