raccoon

General

Target

tmp
Size

2.6MB
Sample

220831-cdwnssfccl
MD5

82e25bfeff307afea4b8e46ade8cd8fb
SHA1

deb0195486a73676ae740c0c3b98cf00dc41a6d5
SHA256

18e1de18c5e3e78a5749c174fb6b8999f930a818e40bb4c3ffd7800d635d23a9
SHA512

e28aa77c896844bc5450d6ac06e0074c5fe5ff2cd0814faf0d3c9057032355bdc30298ac6f378ceb689584847ee49f2ff2598c3a165f57ef6399763404f372b1
SSDEEP

49152:pAI+nNpJc7YrEa2u2h9swu+AU3Z9CcVL2wD+aRpXPaAt1DD4U3:pAI+Zc8rHJ2jHxZYOTDrRxaAt1DEo

Score

10^/10

raccoon redline 5 5076357887 76426c3f362f5a47a469f0e9d8bc3eef afb5c633c4650f69312baef49db9dfa4 nam3 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

5076357887

C2

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

5

C2

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://193.56.146.177

rc4.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

C2

http://45.95.11.158/

rc4.plain

Targets

- Target
  
  tmp
- Size
  
  2.6MB
- MD5
  
  82e25bfeff307afea4b8e46ade8cd8fb
- SHA1
  
  deb0195486a73676ae740c0c3b98cf00dc41a6d5
- SHA256
  
  18e1de18c5e3e78a5749c174fb6b8999f930a818e40bb4c3ffd7800d635d23a9
- SHA512
  
  e28aa77c896844bc5450d6ac06e0074c5fe5ff2cd0814faf0d3c9057032355bdc30298ac6f378ceb689584847ee49f2ff2598c3a165f57ef6399763404f372b1
- SSDEEP
  
  49152:pAI+nNpJc7YrEa2u2h9swu+AU3Z9CcVL2wD+aRpXPaAt1DD4U3:pAI+Zc8rHJ2jHxZYOTDrRxaAt1DEo
Score

10^/10

raccoon redline 5 5076357887 76426c3f362f5a47a469f0e9d8bc3eef afb5c633c4650f69312baef49db9dfa4 nam3 discovery infostealer persistence spyware stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2