raccoon

General

Target

45338c1d023c92b2529ff21c6516eda1849c2fb71200e02ed28a9bc091c88f6f
Size

345KB
Sample

221005-ec96xadcc2
MD5

cfd6acbde5f6548139556dc3e65de3e2
SHA1

4bd13b08fb680bde85f6c162718f0dcba4d4aa37
SHA256

45338c1d023c92b2529ff21c6516eda1849c2fb71200e02ed28a9bc091c88f6f
SHA512

0e40b4cb0788d9ed27b9d19bc0f44e30f96e0ce02ec6ff541e226da5c4c82e0eca6681c6d008b3028d2158cc3764160483d90d2111ae2698da427eae2086bc32
SSDEEP

6144:E6S1ZVlum8KDJUOER/YMK8yC4ohqk92ApEndnMveN+nOY8Z6:WPmcUOIvyC4ovBOQeA

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

bd3a3a503834ef8e836d8a99d1ecff54

C2

http://135.148.104.11/

rc4.plain

Targets

- Target
  
  45338c1d023c92b2529ff21c6516eda1849c2fb71200e02ed28a9bc091c88f6f
- Size
  
  345KB
- MD5
  
  cfd6acbde5f6548139556dc3e65de3e2
- SHA1
  
  4bd13b08fb680bde85f6c162718f0dcba4d4aa37
- SHA256
  
  45338c1d023c92b2529ff21c6516eda1849c2fb71200e02ed28a9bc091c88f6f
- SHA512
  
  0e40b4cb0788d9ed27b9d19bc0f44e30f96e0ce02ec6ff541e226da5c4c82e0eca6681c6d008b3028d2158cc3764160483d90d2111ae2698da427eae2086bc32
- SSDEEP
  
  6144:E6S1ZVlum8KDJUOER/YMK8yC4ohqk92ApEndnMveN+nOY8Z6:WPmcUOIvyC4ovBOQeA
Score

10^/10

raccoon xmrig bd3a3a503834ef8e836d8a99d1ecff54 evasion miner spyware stealer themida trojan upx
- Modifies security service
  evasion
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2