raccoon

General

Target

a769aa375d2ec5578afbde3ae08c42ed86a2b632c275a30e2498fa0947e532aa.exe
Size

2.8MB
Sample

220907-nwqfaahbfr
MD5

f2576d7a297918830727e54ea56c1457
SHA1

fe57441899dc7405a261980c42a7acbc292b9426
SHA256

a769aa375d2ec5578afbde3ae08c42ed86a2b632c275a30e2498fa0947e532aa
SHA512

5886c1b2e9aa13ba252dd51cd53262a2c20cbc8bd1595a296fcd4e23aeea0ecea7241d251b57f025bd5e2792248b91855b9a0f954492c97ed5544dc77e5d7abf
SSDEEP

49152:f0EJnxNDCGRBQ9kyp1hjqNpermK+DOXjjQg+ipVJCyiYZKnjKXIK:s8nD2GOnIpeYDOXjjQlE7rToHK

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

sual Studio Source Control Solution Root Metadata File' { val 'NoOpen' = s '' 'DefaultIcon' = s '%MODULE%,0' { } } } HKLM { %REGROOTBEGIN% 'ShellFileAssociations' { '.vsscc' = s '%PROGID_APPIDNAME%.vsscc.%PROGID_VERSION%' } %REGROOTEND% }

rc4.plain

Extracted

Family

raccoon

Botnet

8eb14caca01131f5f4ff62ef8a0fcab4

C2

http://135.181.147.255/

http://5.252.23.100/

rc4.plain

Targets

- Target
  
  a769aa375d2ec5578afbde3ae08c42ed86a2b632c275a30e2498fa0947e532aa.exe
- Size
  
  2.8MB
- MD5
  
  f2576d7a297918830727e54ea56c1457
- SHA1
  
  fe57441899dc7405a261980c42a7acbc292b9426
- SHA256
  
  a769aa375d2ec5578afbde3ae08c42ed86a2b632c275a30e2498fa0947e532aa
- SHA512
  
  5886c1b2e9aa13ba252dd51cd53262a2c20cbc8bd1595a296fcd4e23aeea0ecea7241d251b57f025bd5e2792248b91855b9a0f954492c97ed5544dc77e5d7abf
- SSDEEP
  
  49152:f0EJnxNDCGRBQ9kyp1hjqNpermK+DOXjjQg+ipVJCyiYZKnjKXIK:s8nD2GOnIpeYDOXjjQlE7rToHK
Score

10^/10

raccoon 8eb14caca01131f5f4ff62ef8a0fcab4 sual studio source control solution root metadata file' { val 'noopen' = s '' 'defaulti discovery evasion spyware stealer trojan
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2