raccoon

General

Target

c7f5c384308015d5340d87ae3588ca772c4a8354fb3416d6fabb9fff0aff3342
Size

373.7MB
Sample

220925-qqe4gagacm
MD5

99fbb32a50ce3128a868798b3b28e52d
SHA1

bf141ee005bfa3fb4b2186149f9c96939473340d
SHA256

c7f5c384308015d5340d87ae3588ca772c4a8354fb3416d6fabb9fff0aff3342
SHA512

b5d574a4a3d2a211f69b1c453b9f4234c7b08271e5d31ed780e3f240881bcc61218e563ee1499dfe0a03c9c63bba4caa2b0e2f3513414a9b4dd461d2bdb49a70
SSDEEP

98304:sMvRRvDwBFpikP+ttpvehb69sb+Ay3fTo9zYdC5:sMXo0ehb69i+AmQMdC

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

fd5357b9b9e2bfce7e54508485f0716e

C2

http://45.142.215.91/

http://5.182.36.233/

rc4.plain

Targets

- Target
  
  c7f5c384308015d5340d87ae3588ca772c4a8354fb3416d6fabb9fff0aff3342
- Size
  
  373.7MB
- MD5
  
  99fbb32a50ce3128a868798b3b28e52d
- SHA1
  
  bf141ee005bfa3fb4b2186149f9c96939473340d
- SHA256
  
  c7f5c384308015d5340d87ae3588ca772c4a8354fb3416d6fabb9fff0aff3342
- SHA512
  
  b5d574a4a3d2a211f69b1c453b9f4234c7b08271e5d31ed780e3f240881bcc61218e563ee1499dfe0a03c9c63bba4caa2b0e2f3513414a9b4dd461d2bdb49a70
- SSDEEP
  
  98304:sMvRRvDwBFpikP+ttpvehb69sb+Ay3fTo9zYdC5:sMXo0ehb69i+AmQMdC
Score

10^/10

raccoon fd5357b9b9e2bfce7e54508485f0716e discovery evasion spyware stealer themida trojan upx
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2