raccoon | 8a5b1fc43aff285156e99bbb4c816ac1c7ae3b0eefe31336928f3a14e48525a4 | Triage

Submit
Reports

Overview

overview

Static

static

ZTGB7oKVjd.exe

windows7-x64

1

ZTGB7oKVjd.exe

windows10-2004-x64

Sharing

General

Target

sample-547923-d6ee61a194362a68846db5fdd1948cc0.zip
Size

1.5MB
Sample

220926-29zsrscbd4
MD5

a15f255078175def544b709add9342a2
SHA1

91b92eb7b93e93eac54b29cfc4342d345b2ec944
SHA256

8a5b1fc43aff285156e99bbb4c816ac1c7ae3b0eefe31336928f3a14e48525a4
SHA512

61db9728d8888e374ffa89ae8876229b115651dee6435898f0240930e725550f0a5c7ced96f6b544a5032a1df167b57e67205de2a23aa3656c9944255a203578
SSDEEP

24576:LQqPjVABtSPkwTDldHyEtVC50ciXeVlmGC9VjFMkhW01utYwIsUrUpvY3:zPBU+TDFVXciKaVjmmgvw

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

ZTGB7oKVjd.exe

Resource

win7-20220812-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

ZTGB7oKVjd.exe

Resource

win10v2004-20220812-en

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://94.131.107.206

rc4.plain

Targets

- Target
  
  ZTGB7oKVjd.exe
- Size
  
  3.7MB
- MD5
  
  d6ee61a194362a68846db5fdd1948cc0
- SHA1
  
  31e543a199e488255096d17cf3a90a0f2b91ce86
- SHA256
  
  e77e9313e5dd2402c4b4246eee58eb712eba23418f26ecd99cfc6709637473cd
- SHA512
  
  cb05a3fcb83187a42cda64b2730fbc6ee5ab131ac3cb13047205094330cd7d56b9697267b5c9d9fc33df20679ea00f849700f39e53ef77bfb13c95f21a2c5d1e
- SSDEEP
  
  24576:mEVHBMSvlgJTrQX1AqSlqqYQSLU/NHagP/SzLys1lfzT4uPJludr9sIi5OVIRR:ZVHBMMgJH0ONwosFlgqXOmT
Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

raccoon9b19cf60d9bdf65b8a2495aa965456c3evasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy