raccoon

Sharing

General

Target

7c2a21d3187176310f83181a3e6c8c58.exe
Size

860KB
Sample

220809-vfn1vadcen
MD5

7c2a21d3187176310f83181a3e6c8c58
SHA1

f5d472d3a3d201a788194d3c0b41d830ed443f21
SHA256

72a40d2a9f86e23a04a0748441fb122b7c931e1b58b2cba7ca2f5fd7c3ffd4b0
SHA512

85851af414f93a095e31164f00df9961a7363cc8e43f398d8417f2337c7b4ddcd0b0042a617f2905d7c40b7cca5ae1089eba3688465e3ef19ce7fd5e489bdbbe

Score

10^/10

raccoon redline 4 5076357887 @tag12312341 afb5c633c4650f69312baef49db9dfa4 alfa f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery evasion exploit infostealer persistence spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:18728

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

31.41.244.134:11643

Attributes

auth_value
a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

alfa

46.175.148.142:32178

Attributes

auth_value
5f6c4b42c0bce31d7557ce1726a401c5

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://77.73.132.74

rc4.plain

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

http://45.95.11.158/

rc4.plain

Targets

- Target
  
  7c2a21d3187176310f83181a3e6c8c58.exe
- Size
  
  860KB
- MD5
  
  7c2a21d3187176310f83181a3e6c8c58
- SHA1
  
  f5d472d3a3d201a788194d3c0b41d830ed443f21
- SHA256
  
  72a40d2a9f86e23a04a0748441fb122b7c931e1b58b2cba7ca2f5fd7c3ffd4b0
- SHA512
  
  85851af414f93a095e31164f00df9961a7363cc8e43f398d8417f2337c7b4ddcd0b0042a617f2905d7c40b7cca5ae1089eba3688465e3ef19ce7fd5e489bdbbe
Score

10^/10

raccoon redline 4 5076357887 @tag12312341 afb5c633c4650f69312baef49db9dfa4 alfa f0c8034c83808635df0d9d8726d1bfd6 nam3 discovery evasion exploit infostealer spyware stealer upx persistence
- Modifies security service
  evasion
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
  evasion
- Looks for VirtualBox executables on disk
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Looks for VMWare drivers on disk
  evasion
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2