raccoon

General

Target

88a1e6e3bd358504c267588fd3f73466f93c5e5c16f3d3febbb6885545ff3a9c
Size

338KB
Sample

220802-qmjbqafca3
MD5

fbd35d25adc8d0b6c596873080fca897
SHA1

ff7181b2404ae6160588cae61ccf55b30a31df88
SHA256

88a1e6e3bd358504c267588fd3f73466f93c5e5c16f3d3febbb6885545ff3a9c
SHA512

1fca6790d2d8bc6e3b7fe93c40db37b3e460ad4a21e43853d81fa01f2ceeebbcf0030f4f375e6b2ee17fbf4a7d61f5068b36f3d223ca702bc37b75a96b039bb8

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

125a9422607402ad773f580d72e3170b

C2

http://91.242.229.142/

rc4.plain

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

- Target
  
  88a1e6e3bd358504c267588fd3f73466f93c5e5c16f3d3febbb6885545ff3a9c
- Size
  
  338KB
- MD5
  
  fbd35d25adc8d0b6c596873080fca897
- SHA1
  
  ff7181b2404ae6160588cae61ccf55b30a31df88
- SHA256
  
  88a1e6e3bd358504c267588fd3f73466f93c5e5c16f3d3febbb6885545ff3a9c
- SHA512
  
  1fca6790d2d8bc6e3b7fe93c40db37b3e460ad4a21e43853d81fa01f2ceeebbcf0030f4f375e6b2ee17fbf4a7d61f5068b36f3d223ca702bc37b75a96b039bb8
Score

10^/10

raccoon socelars 125a9422607402ad773f580d72e3170b spyware stealer vmprotect
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1