General
-
Target
Setup.rar
-
Size
778KB
-
Sample
220923-bxl32agfcq
-
MD5
537ccec311c813053a1da7f6e18e4d72
-
SHA1
580b2e1773c961ab110bfc1fd0d6496666d48fc6
-
SHA256
d61baf5e3eb992ddab38f768d833a21b6f6d43bb2eb167d6858e79a10a6fb4dd
-
SHA512
28baf666634e59788cb582c2077c209d06e3521962b83b96dfaae5815d7bff8f85b4919282619f78558329f96af5c1d30d5203ed30fa253afef2debfea2547dc
-
SSDEEP
12288:4baGXhtgQoRWE+GIFIAUxKmOGOy0Rg+map9/gJRID1rGLlRWGQ01ZhTguvEji9w2:c9XhWQoRr+GMjzvZDD4lIzaZhI2ou
Malware Config
Extracted
raccoon
7be6431f3fa3eaa6e36b23bbc5559b9a
http://77.73.133.69/
Targets
-
-
Target
Setup/Setup.exe
-
Size
700.0MB
-
MD5
9438ae7dc36c6bdb54ab76d511d6f674
-
SHA1
e518a130b77432e5c266e33bf13eeb68237883a3
-
SHA256
aa546d18a4474e37352ceead9d799312f932f07b1cba26adf8e626d8ad0c152c
-
SHA512
9268d5b182713a8ebca656135c1407c3e64465d808111e3f975905da34a0745e2e6daafc432da3e9345feb3110854f6a898533c1995dc72d58b1b7b56b97d4f2
-
SSDEEP
1536:3Id1qx6P4H4+Y1fUukhVuM94fHqHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHz:H4+Y18fHOMMMMZMMMMMMMMMMMMJg
Score10/10-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-