raccoon | f6f3590cf6271c390ec4fc617afbbcbf214dfe3cbc9b708d1e97c729cd3ac069 | Triage

Sharing

General

Target

installer.rar
Size

6.1MB
Sample

220922-wr74jafher
MD5

733a0cd35d2c315b245a3d4d8e77c728
SHA1

ee2e2c71c737788cb059a7bb1bcf529eda29f958
SHA256

f6f3590cf6271c390ec4fc617afbbcbf214dfe3cbc9b708d1e97c729cd3ac069
SHA512

f0d326c368433805bea0a63d25a0def80d9297e910d314b8c542e88a36cb29dd221176fc34df64e44d7369c671ec9189644c95ad157ac2d389b1a339aedc1523
SSDEEP

196608:tuGB4nsVHGcC4O4eOucJIPL/+VpdnztXXWL+Fz:/B4sVmcC4JoL2VZXlFz

Score

10^/10

raccoon 985151cfbc2662a774d6e7f7d992c04d linux stealer

Malware Config

Extracted

Family

raccoon

Botnet

985151cfbc2662a774d6e7f7d992c04d

C2

http://89.185.85.53/

rc4.plain

Targets

- Target
  
  helper.bat
- Size
  
  7KB
- MD5
  
  0bd944749ac1e405d5739a54c0696188
- SHA1
  
  d443018ef6ff362437bd10855137749f129e21f3
- SHA256
  
  75a18ce835c6fedf9bb7fd9bb3b1fd9d2b5aa727987b4832dafcb8d1b8f658ae
- SHA512
  
  8fcbb52fae1dcf52e2d3610c415ce70f93fcfa18c143d0828a65908155d6b652f4211219f98fbcad6bfc5e29cd33be142ee06eaaba1fd29f1c80e6b6fef32fc4
- SSDEEP
  
  96:xR2VnXMPWwzxKUUkKwB160+IvcuhS1U1DLVpesppVJA/mi:eVnXMPlzxKUUgp+INTLVnJqD
Score

1^/10
behavioral1 behavioral2
- Target
  
  install_modules.sh
- Size
  
  3KB
- MD5
  
  05a28430f97b6db328b9f748005718cc
- SHA1
  
  da28f7c62b43f2cb97e5b6a2e71eb8199bdbae5c
- SHA256
  
  d05559d26e8db46d562314ecc55bb8f0f17518f313cf0f2e0cff690f4240aacf
- SHA512
  
  d2f64b14e83b668c03af5c4f9495a7b268a7756220b74df82e54fba0edea3f374e353dd69b9c293cd51fbd6c5ecaea86072ce2895f91a09451bf0cbd2019cbdf
Score

8^/10
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Write file to user bin folder
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral3 behavioral4 behavioral5 behavioral6
- Target
  
  installer.exe
- Size
  
  726.3MB
- MD5
  
  347ba6013752fbe969bc3026639b0104
- SHA1
  
  d9e476cb7b09efdc98aedeb3baf5e8d1bbfec6fb
- SHA256
  
  64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42
- SHA512
  
  60edc7ee42912f988d3df461f79d2c1059f01180514a994e6980258136c8a7937cb5d97b599d127a5caaf564c4891e18b9577b7eb14a57e34613b40bd16d3a88
- SSDEEP
  
  98304:lCPkOmG+sbBOcINYWcrdY6N+Q/tvW0qXNa6ntZQoTlNKD6RGb2Uv1P7mgjqwGaxj:lCP1xbZdY6gQ1uv9a+vNKDfJ1jmzwzj
Score

10^/10

raccoon 985151cfbc2662a774d6e7f7d992c04d stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  libraries.dll
- Size
  
  118KB
- MD5
  
  01249bb3f9b8e4da9950f53a4e569865
- SHA1
  
  7e16f5eabdd0fcaa708832ff4eb82f7bdef7206d
- SHA256
  
  6396d6670598c51c5ae723f8209d850bfba736b0814e42e5432cc16bbdde0703
- SHA512
  
  389128c32377af7257b5c719abc2c95132f78b95c103bb2e9e8780430d7ab94f1eab0ef84607bfec31bf9dffee4d0daa0694c6f9bfd5f4416813b784f2e63f5a
- SSDEEP
  
  1536:Nt5rrjRrUw13Vsw13VVw13V2HI3SjnFf3h1OOr41r4bFJj5ftereQkeZegz:NtJPhrhn/5OKHV4reQXg4
Score

1^/10
behavioral9 behavioral10 behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

Privilege Escalation

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

raccoon985151cfbc2662a774d6e7f7d992c04dstealer

behavioral8

raccoon985151cfbc2662a774d6e7f7d992c04dstealer

behavioral9

behavioral10

behavioral11

behavioral12