raccoon

General

Target

b684c98dabb8b3e8338f906d1832ca09a8d34d7d79bf33262589b05133e550ed.exe
Size

2.7MB
Sample

220907-nxwnpahbgm
MD5

0e16d556ebee32aa41b5c6acd340b847
SHA1

575fa046410acacf4a3421a4e27f85eb8bce8a8c
SHA256

b684c98dabb8b3e8338f906d1832ca09a8d34d7d79bf33262589b05133e550ed
SHA512

f49ecff6cde2949168484bf977cdb142a01eb43ba532c7a4c4194025ce292eaf705c0ec653e44a8f10004818ca2340da85b30e35bec2f354c0c5aff5e2ef4bd2
SSDEEP

49152:N1FU4g6WyUPsuT1u8JLurz/i/5LMbT3j0DVfB1fBYwYTbk25k5p:NgDkwNFJLuHdoDVTmTj0

Score

10^/10

raccoon 0e6f37cd2c483e430ee4dbe4b89d2227e20f3536cfc31b768e86a384a0ee02523f5c39b9b2e4e24195bae0a638f4bc7cc979 8eb14caca01131f5f4ff62ef8a0fcab4 aad43a9495219ecfd527f326f75f305bacde370295d0a48a59f58b3f3b02492c942c6c8d8e6afde9d56dfebdfd8fc7437b39 discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

AAD43A9495219ECFD527F326F75F305BACDE370295D0A48A59F58B3F3B02492C942C6C8D8E6AFDE9D56DFEBDFD8FC7437B39DC2BE6DFB3E0B64F798C9D26073554496F59B70122FC57286FD6F4985A61C4EC457066BD3CA3854D04E6EBCE84ECACDC9E8290FBB06CA6B8DDBB8D9B557F4CD70CD6244D9B892D00F93366B963003AFDFB8CE34DF7C07A96B29F17B57B97B53B99C50E7DDD9DDF4B4E5EBB2F166219F15234FFC3B476B73973EA44933C932739AE436324571A1FF37C1B3CD17DF3A39FFA5886A98A257CA9C54D3C584E9A59A9BB56DDEB8A17B30E5FBDEEF00BAF3558BF24468C61979747E6562F1DC5162452F675FB416E1BC3273F990089E648

rc4.plain

Extracted

Family

raccoon

Botnet

8eb14caca01131f5f4ff62ef8a0fcab4

C2

http://135.181.147.255/

http://5.252.23.100/

rc4.plain

Extracted

Family

raccoon

Botnet

0E6F37CD2C483E430EE4DBE4B89D2227E20F3536CFC31B768E86A384A0EE02523F5C39B9B2E4E24195BAE0A638F4BC7CC97945BBC94708274A7D1DDB98C7A5AB7A423D9AE5BD994B6FB807CCD7723A467CDB2521DD023557E1C3C10B3E1DAF2D76D7260D6ADDA558BD280E1ACFD4940F9FDF6C9B69D64C2F9426DC46941E4257C5EC60F21B3F08A099AFB972F46E203A5D7866AB28526F74C42625100FB5B7EA17529F6E514263A803447F94080FF390DEC7259FBB0C338AE67BFE9B9D91EA0214F10F54EAC59478E31693EB68ABEA824A999FD7B54BCA64CE18A57DA01F995A6A20B415D7746A2B3CA6E0BB98AAE2B9E4565BBB5D1DF8683340468688397770

rc4.plain

Targets

- Target
  
  b684c98dabb8b3e8338f906d1832ca09a8d34d7d79bf33262589b05133e550ed.exe
- Size
  
  2.7MB
- MD5
  
  0e16d556ebee32aa41b5c6acd340b847
- SHA1
  
  575fa046410acacf4a3421a4e27f85eb8bce8a8c
- SHA256
  
  b684c98dabb8b3e8338f906d1832ca09a8d34d7d79bf33262589b05133e550ed
- SHA512
  
  f49ecff6cde2949168484bf977cdb142a01eb43ba532c7a4c4194025ce292eaf705c0ec653e44a8f10004818ca2340da85b30e35bec2f354c0c5aff5e2ef4bd2
- SSDEEP
  
  49152:N1FU4g6WyUPsuT1u8JLurz/i/5LMbT3j0DVfB1fBYwYTbk25k5p:NgDkwNFJLuHdoDVTmTj0
Score

10^/10

raccoon 8eb14caca01131f5f4ff62ef8a0fcab4 aad43a9495219ecfd527f326f75f305bacde370295d0a48a59f58b3f3b02492c942c6c8d8e6afde9d56dfebdfd8fc7437b39 discovery evasion spyware stealer trojan 0e6f37cd2c483e430ee4dbe4b89d2227e20f3536cfc31b768e86a384a0ee02523f5c39b9b2e4e24195bae0a638f4bc7cc979
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2