General
-
Target
480b2368794c0de14154d86500b63e1bc1c3b8dd4ca02df24108ef04d5c3d5c8
-
Size
373.3MB
-
Sample
220925-qpc8gsege9
-
MD5
bd1bb2b71f6025a6729d01fc3af63520
-
SHA1
8442785cb73204df876827798ae20d6e4039cf0e
-
SHA256
480b2368794c0de14154d86500b63e1bc1c3b8dd4ca02df24108ef04d5c3d5c8
-
SHA512
16f5feaa942ae878ce694b12be5e4956461359133211da7aaf44df9d4c725316f38f827e5eeebd0d663d0653d579066a6b285c29ddbf9f8c8e7caee3d77e2ec8
-
SSDEEP
98304:DjKzEfJGli3D5OX/grVTxoxZg+B1RvLeupA:DOSJ53anB1Rv1
Malware Config
Extracted
raccoon
ae0c92bd5e48b563012900d8437d590b
http://45.142.215.91/
http://5.182.36.233/
Extracted
raccoon
�L�����ư
Targets
-
-
Target
480b2368794c0de14154d86500b63e1bc1c3b8dd4ca02df24108ef04d5c3d5c8
-
Size
373.3MB
-
MD5
bd1bb2b71f6025a6729d01fc3af63520
-
SHA1
8442785cb73204df876827798ae20d6e4039cf0e
-
SHA256
480b2368794c0de14154d86500b63e1bc1c3b8dd4ca02df24108ef04d5c3d5c8
-
SHA512
16f5feaa942ae878ce694b12be5e4956461359133211da7aaf44df9d4c725316f38f827e5eeebd0d663d0653d579066a6b285c29ddbf9f8c8e7caee3d77e2ec8
-
SSDEEP
98304:DjKzEfJGli3D5OX/grVTxoxZg+B1RvLeupA:DOSJ53anB1Rv1
Score10/10-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-