raccoon | fa5ac27700f443ba8bc0509f2ce8c1c0be408e3dbca55a07de27f7d1bcb5de16 | Triage

Sharing

General

Target

DRBFSJC.bin
Size

3.7MB
Sample

220928-xjr8sahhhl
MD5

fcdb10a4ed519ba71aa3c715e0785977
SHA1

39634afc86ffe83e71e1a5a387d1b4314f33d2fe
SHA256

fa5ac27700f443ba8bc0509f2ce8c1c0be408e3dbca55a07de27f7d1bcb5de16
SHA512

12b66c3f4f1b8d11b223d61cb3429d11a9eda83a4a28484dcf0e3ce4f0f55ebf5ede2433fb114e4f20ddf2c749e9f2e7028210cefc04e3eee030849ba516b153
SSDEEP

49152:LqgtfkiCBPMP2vdBUEyVJwjQ1pxDG2OTINXRA1ked1iutOdj:2N5MeBUbVOjKpxDROcN4keHVwd

Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan

Malware Config

Extracted

Family

raccoon

Botnet

9b19cf60d9bdf65b8a2495aa965456c3

C2

http://5.2.70.65/

rc4.plain

Targets

- Target
  
  DRBFSJC.bin
- Size
  
  3.7MB
- MD5
  
  fcdb10a4ed519ba71aa3c715e0785977
- SHA1
  
  39634afc86ffe83e71e1a5a387d1b4314f33d2fe
- SHA256
  
  fa5ac27700f443ba8bc0509f2ce8c1c0be408e3dbca55a07de27f7d1bcb5de16
- SHA512
  
  12b66c3f4f1b8d11b223d61cb3429d11a9eda83a4a28484dcf0e3ce4f0f55ebf5ede2433fb114e4f20ddf2c749e9f2e7028210cefc04e3eee030849ba516b153
- SSDEEP
  
  49152:LqgtfkiCBPMP2vdBUEyVJwjQ1pxDG2OTINXRA1ked1iutOdj:2N5MeBUbVOjKpxDROcN4keHVwd
Score

10^/10

raccoon 9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

raccoon9b19cf60d9bdf65b8a2495aa965456c3evasionspywarestealerthemidatrojan