raccoon

General

Target

aef9a431c2c2d80a9026e9bac2fdddad7a2c9e2dccb7b094034e704890dd1ca3
Size

345KB
Sample

221003-ejsv7sgedj
MD5

81f64aa51d334df32af477937bcaa229
SHA1

96dee5c07ad3285d45b4120481a8ada23a0619a4
SHA256

aef9a431c2c2d80a9026e9bac2fdddad7a2c9e2dccb7b094034e704890dd1ca3
SHA512

cf2378eb0aba4d9276c3068415d7824af4c1fc97155894007bb01c6abe6f25199f48226ef67cd14bd660d2bb69fd75010c7b631515a385a466f446e8010d5ce5
SSDEEP

6144:26S1ZVdum8KDJUOER/YMT8yC4ohO6BV3Cz+WEmCQRjsMYo9TKV9RqvP:EPecUOIYyC4oSz+WEORjsDo9TM9Rqv

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

da1ba149e19b3857d89846c73b541f1f

C2

http://135.148.104.11/

rc4.plain

Targets

- Target
  
  aef9a431c2c2d80a9026e9bac2fdddad7a2c9e2dccb7b094034e704890dd1ca3
- Size
  
  345KB
- MD5
  
  81f64aa51d334df32af477937bcaa229
- SHA1
  
  96dee5c07ad3285d45b4120481a8ada23a0619a4
- SHA256
  
  aef9a431c2c2d80a9026e9bac2fdddad7a2c9e2dccb7b094034e704890dd1ca3
- SHA512
  
  cf2378eb0aba4d9276c3068415d7824af4c1fc97155894007bb01c6abe6f25199f48226ef67cd14bd660d2bb69fd75010c7b631515a385a466f446e8010d5ce5
- SSDEEP
  
  6144:26S1ZVdum8KDJUOER/YMT8yC4ohO6BV3Cz+WEmCQRjsMYo9TKV9RqvP:EPecUOIYyC4oSz+WEORjsDo9TM9Rqv
Score

10^/10

raccoon xmrig da1ba149e19b3857d89846c73b541f1f evasion miner spyware stealer themida trojan upx
- Modifies security service
  evasion
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2