General

  • Target: sample.zip
  • Size: 7.8MB
  • Sample: 220913-qffl9abdgn
  • MD5: 3fc9e9117798d8846a236d89665dd3eb
  • SHA1: 827b32bc9b97a4d77b331ce7102ebacfbdea44e3
  • SHA256: 75fddd0d88efc7ec0bc29b95633c6be8e96247357a49d3f50922ee0ee233f3d1
  • SHA512: 9692e207a75ec705f8eb0ad1a24bddb416b05f746a892be5fe27cba5810ef6cbda89947e8f7c3437f50452fd5017a4aa6f49933bccbd63cc0dfe92b5bb2141f3
  • SSDEEP: 196608:1BU9ON3qXh6MC4wyIT5glAI9H1z53q4+Wo7HsF8naPlyuNEX:DsXERBr1glAGphL+lIF8naPoeU

Malware Config

Extracted

  • Family: raccoon
  • Botnet: 8eb14caca01131f5f4ff62ef8a0fcab4
  • C2:
      http://5.182.39.77/
      http://45.67.229.149/
  • rc4.plain

Targets

    • Target: Setup.exe
    • Size: 366.5MB
    • MD5: 1a59909bd1196572c19064fc8cd0ce57
    • SHA1: 9df8d12b7405ae6205529b2a3fb70b11b84ddc4f
    • SHA256: fb8bbcd3b86d796755451613963e53fe6beee3537b21d440adf0b32873731442
    • SHA512: 44a9182fc4b5ce841d81292a5d48333fd4099ed395f5f18738bf1bab4cd33a1f91d637d6fd0e6731df435a577745eb4b261d349a0bef77cbb850e8e0f5bc9850
    • SSDEEP: 98304:fqZxjp/7m4TzlME5XeUZfHCl8yeHI/OQCut0h4EPerFGkl+7oVNHZ5tpN+am/JBt:MRpDm4TRNOyCl8P1A38kloOrTUaSqO

    • Raccoon
      Raccoon is an infostealer written in C++ and first seen in 2019.
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Defense Evasion: Virtualization/Sandbox Evasion (1) T1497
  • Credential Access: Credentials in Files (2) T1081
  • Discovery: Query Registry (4) T1012; Virtualization/Sandbox Evasion (1) T1497; System Information Discovery (4) T1082
  • Collection: Data from Local System (2) T1005

Tasks