raccoon

General

Target

e5ba0907253b3701b2120953ecbba4e37690d70ca63f80dea28c5d488c2b7a7b
Size

925KB
Sample

220731-dh66rsdfh4
MD5

b48bce0e66961ec92c8e84ce0a1cad84
SHA1

01d88ab244b4ea715db5c2e2dbc91f2129b346af
SHA256

e5ba0907253b3701b2120953ecbba4e37690d70ca63f80dea28c5d488c2b7a7b
SHA512

819bc6b50e15674fed8c91d5b675cb82a68bab3ccacfcde3ca7f43d73caee470b6ed79a0bf987254c8ac0feaab598e317190e0143132a6dc979f894834aaba14

Score

10^/10

raccoon redline 4 @tag12312341 afb5c633c4650f69312baef49db9dfa4 f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

4

C2

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

C2

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://77.73.132.84

rc4.plain

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

C2

http://45.95.11.158/

rc4.plain

Targets

- Target
  
  e5ba0907253b3701b2120953ecbba4e37690d70ca63f80dea28c5d488c2b7a7b
- Size
  
  925KB
- MD5
  
  b48bce0e66961ec92c8e84ce0a1cad84
- SHA1
  
  01d88ab244b4ea715db5c2e2dbc91f2129b346af
- SHA256
  
  e5ba0907253b3701b2120953ecbba4e37690d70ca63f80dea28c5d488c2b7a7b
- SHA512
  
  819bc6b50e15674fed8c91d5b675cb82a68bab3ccacfcde3ca7f43d73caee470b6ed79a0bf987254c8ac0feaab598e317190e0143132a6dc979f894834aaba14
Score

10^/10

raccoon redline 4 @tag12312341 afb5c633c4650f69312baef49db9dfa4 f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery infostealer persistence spyware stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1