raccoon

Sharing

Copy URL

Twitter E-mail

General

Target

416.zip
Size

5.0MB
Sample

221112-d4jbtsde24
MD5

fe7e172e604ed0896708273fb4359893
SHA1

e5dbcc1f7e08c17c4dbdb2dfa92ad0dee7ab08f3
SHA256

2c7f86463ea0fbf195720c48288ec7fe03abec474b210865255bcf50e6108d94
SHA512

bdd62a6f60c680561f6f2bb91fd812c91bdfe489dda4d70536217b81915806fffc004cc3300798e815bc0997cafefadf0dbc0e56df3f1c73da84e525dbe2f56d
SSDEEP

98304:fURSQ1KeR19RIosM8TljqLd1bs8jBQJXF7ulXuNj8m40vBq1wxjMMIcYed:JQvKHYd1bsDXIlXW4Mpq1wGMR

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

517bb0d640c1242c3f069aab3d1018d6

http://51.195.166.178/

http://5.252.177.22

rc4.plain

Targets

- Target
  
  416/0e055e38861331920a9f5caec8cb9c1fa5d693e4c710d9bca7ff09df42026359.bin
- Size
  
  7KB
- MD5
  
  62a0412906c74d3fd1c962fe7d183059
- SHA1
  
  a01522a59a9f4bc1db2085e9e0b8de40bfcac704
- SHA256
  
  0e055e38861331920a9f5caec8cb9c1fa5d693e4c710d9bca7ff09df42026359
- SHA512
  
  c622773ccd3455b1be2783eec18e86479700259bdefb6cba9d343cffb01ed158ab2dcc82dc3347ae60269694b69063a188cc52bde8e2c7ce79f7944fa73f384c
- SSDEEP
  
  96:RmEhoOkn1znsSSalbum4o+R66TD3dNwqO9pfVEpw0bJCCozNth:1hobIwh/XrYDZOXVEBM
Score

1^/10
behavioral1 behavioral2
- Target
  
  416/1192e513c036fa5b640ccf1796790b03341fa50e6b20254e75f534d35e846a71.bin
- Size
  
  158KB
- MD5
  
  5a9d9ebc2f4122053702b6ba7f205a4f
- SHA1
  
  b30c4f46a1bc8db7f50ba937cc9e495ee14946df
- SHA256
  
  1192e513c036fa5b640ccf1796790b03341fa50e6b20254e75f534d35e846a71
- SHA512
  
  f3d0c12db709bd0c11ec369736fecf4f3db8d898e58189a3d47c8d42d6f43d1d9dab2694fec28a63a42c2dd1395b55a2eb0de011ecc64e6e0082f4ee02d59d1a
- SSDEEP
  
  3072:z2HGK/3NhIXAH9G4s1OYTesnOB6O8cElJib+Ku2rqpZHXME0fqY:z2HGK/3IXg927TeWOB6O8cEm22sZHXrv
Score

5^/10

ransomware
- Sets desktop wallpaper using registry
  ransomware
behavioral3 behavioral4
- Target
  
  416/442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571.bin
- Size
  
  4.9MB
- MD5
  
  219bb798c25ca37572626da432a34c7f
- SHA1
  
  57ec641c709495090ddc9c4fb32edd2a067260e8
- SHA256
  
  442068674b35f29fc923668486ef6dd33964f878f421a8216b973eb6a869f571
- SHA512
  
  95ade4c8d7f18514a786f2d17d9499f6f2b1b9289fd77efd77eceaa6275bf8197b5461d91434612031ce8d80e7c5a9eaacccee1262d022720e6ce34483ecfdc5
- SSDEEP
  
  49152:Kkriz5EgVfFuVx3J4feF48vdtgjUiNaWuwfGi4gblMejACsKa43wVrMVnd7btHf:KmMEg9nf+tltBWahdCjvD3wVraX
Score

10^/10

raccoon 517bb0d640c1242c3f069aab3d1018d6 stealer discovery spyware
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  416/444471a678be35837f0e4d1930a2187345a29b538a8b496cf071a810bfc85b1e.bin
- Size
  
  16KB
- MD5
  
  c102d7d8bbc66a26b07babbd43bffdd7
- SHA1
  
  b08d2cb5223e5d74b43093cdd0ffd7f26bbd9c3b
- SHA256
  
  444471a678be35837f0e4d1930a2187345a29b538a8b496cf071a810bfc85b1e
- SHA512
  
  0fbb209f4fb50eda48e86f36aa9dd0dae27565e7174b10984f7e681f09580d8cce1f4343a59954c0c045ea6e0a3eba4f09dbd2f9e59ef5c7ed2d9f97ab72b1e1
- SSDEEP
  
  384:QRvIOKg+vfGga8fBzJ2dJW16dad0bx19JIG9bR3ta:QpDK1vOga8fBze+dyoGNXa
Score

1^/10
behavioral7 behavioral8
- Target
  
  416/57b3e371843add6e8c0c6c146deec48661318c5326514570e7bad0b948f196ad.bin
- Size
  
  35KB
- MD5
  
  dbb82c0ea8d9cc0e10cdf4af55ab097e
- SHA1
  
  8aa3b0f2997b5c70fb19ab69ff3c5eb6b861a214
- SHA256
  
  57b3e371843add6e8c0c6c146deec48661318c5326514570e7bad0b948f196ad
- SHA512
  
  46d83b7eb4553cece94ec96c600d533a566ea0fb354fb81674a99256c712a109c1c7dda80ca2794297c8816c55ded08de97fdbc919c26c016b8652163334714a
- SSDEEP
  
  768:y1DyElcWWdUFSvnfKYmsGSmRcVRG5cKocc9vRZrfJr:yAElbWdUF6nCY5ccVRZxr
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral10 behavioral9
- Target
  
  416/83111ab2f5139678b7db4a8ba74302e75442ac3367a78a4872cf0481b125cfa8.bin
- Size
  
  14KB
- MD5
  
  2da5139d3eb8dad06295e6e00c60104e
- SHA1
  
  aac626405ee0f02ca7742aa892c3ceec2164522d
- SHA256
  
  83111ab2f5139678b7db4a8ba74302e75442ac3367a78a4872cf0481b125cfa8
- SHA512
  
  be9ce3c148a810c5b5e28abce3135bb79ae0ccd24d2defdbaeef619b9bf7ed3117ddb9134fb3d6583878c72ef841f9dbcaa5fa00f945894b6b8bc52a330177d9
- SSDEEP
  
  192:j8yqASq7kbCTy+ZhM2y9TdBL67OG8SzJrbquGLBiZwXr1zmOmt:Qyq7Zx8yxLjG8SzFqbI6b1zmOm
Score

1^/10
behavioral11 behavioral12
- Target
  
  416/9fb365eaecb9b0859c75c7ee4fc8d6affa9d1d5ded2bb2453fffd9723f3d260d.bin
- Size
  
  883KB
- MD5
  
  8561f84f5a8dab75fe09da755b5020c3
- SHA1
  
  3a7e8fab6b8400e29652889b791c8ccffc52ebc3
- SHA256
  
  9fb365eaecb9b0859c75c7ee4fc8d6affa9d1d5ded2bb2453fffd9723f3d260d
- SHA512
  
  003f7d7bb91ea1d90afc2f7849780511fd70cfa5d6cebd7fd471f65222663e56c02ae8621e1408e8adef821b0df659805d8977126492efc3ae01370b578818c8
- SSDEEP
  
  24576:KVsDdCRO2AVy5KEIv2gIcuuXSuGSEY7eDRK7Qz:W5KEe51uuiuG+7eDRK7Q
Score

3^/10
behavioral13 behavioral14
- Target
  
  416/b0118d9d3be0bf1d5536dc98e1d2567dfbd60e5fde92b68591f8d595ea8fcd94.bin
- Size
  
  19KB
- MD5
  
  3d4c6c7381857837ad491dabb431571b
- SHA1
  
  9cae7afae2f7442c175641e5ed582964c8c050e8
- SHA256
  
  b0118d9d3be0bf1d5536dc98e1d2567dfbd60e5fde92b68591f8d595ea8fcd94
- SHA512
  
  a4f5c2d2947cf7e40934c58ff05ad506dde2f5c4b1ccb683c3d6a57c11013843e083771531a32b466250559693d5c55cd27e716ee23074492b6e642be30a7c68
- SSDEEP
  
  384:gBL4DQiXvVJQoJMGnbfO6vKbIRQQTSbbw7i/NN:gBEDZXQoJMCbfHTAbt7
Score

1^/10
behavioral15 behavioral16
- Target
  
  416/c30afd55859ca602b97e7708d0dbbf14f581256c352289ca88433bacd5da6335.bin
- Size
  
  2.1MB
- MD5
  
  32ba6d2a3203a511175d5a58eb78a09e
- SHA1
  
  3a44044aa7d504b064b5f62da800e51436548e33
- SHA256
  
  c30afd55859ca602b97e7708d0dbbf14f581256c352289ca88433bacd5da6335
- SHA512
  
  89843dcc33c052bb0b6f72b6291b5e058bd2d2c4c9e8d7f8f47d5d35a63716e044dda761bb7fceefab344bf1805f25b1691119166b099248661dcc1230db2240
- SSDEEP
  
  12288:IZrbTRfLDFuB5s7TgsuJnMSRZJy1Nivp449OK6kyWALaTMhTtQE:GPRTuJnLfJ3hLOK6eGTtQE
Score

3^/10
behavioral17 behavioral18
- Target
  
  416/d7175fc8f8d2c38619a6335a5f8c83de00108016aa80c8d34246be3d7afb8d6d.bin
- Size
  
  10KB
- MD5
  
  c9b2d5c36c6c0e00219c658c41f7cd46
- SHA1
  
  7f6b727cf8449441a4b15b4100750f5c1b9ee28d
- SHA256
  
  d7175fc8f8d2c38619a6335a5f8c83de00108016aa80c8d34246be3d7afb8d6d
- SHA512
  
  5055b818214644c8fd929d0de7e58890a05deb2071768a9ebf98ce99f92a2f522d4451de24b85afd009af941e5e526f3e8a085615ce29e539bf7a54eee912867
- SSDEEP
  
  192:mrxrZIMD7rZARRtIaTaVsTiIn5Yh4Og3a0npS7Vk:YN7rsRtIc9TiIn5A2aypSh
Score

1^/10
behavioral19 behavioral20
- Target
  
  416/e8b2756b2b62303253e51178f5a9f97657ee08cc0c879889b61dd960da4627bb.bin
- Size
  
  536KB
- MD5
  
  7dc05b5e8b721f19ecf2ff2092868cd0
- SHA1
  
  b39e584fe4f083d2ca466ae7d312d1e6e46d4c0f
- SHA256
  
  e8b2756b2b62303253e51178f5a9f97657ee08cc0c879889b61dd960da4627bb
- SHA512
  
  baed947d1790ccb706ae704dd70c6da7eb6f60050de37a8240ba8259616ca84e5f05e217fe905266ee7310db79dfc6b8145927862c8df21276351d8b828f8c10
- SSDEEP
  
  6144:SHmGNPK4dZ4pKZ8qpzlbKOcubMSt2bLjkjgXDxCDk7:SH5N3hJXlcYwjCgsk7
Score

3^/10
behavioral21 behavioral22
- Target
  
  416/ed8b3bd9953e58889521bbd62786a3f3b9d410b3a7f520847a422647591ccf0a.bin
- Size
  
  5KB
- MD5
  
  f16f48de1281de6cf8a65cf8878583de
- SHA1
  
  2ca75f3b4adb9966b6b328a2c3001dbe538d2d25
- SHA256
  
  ed8b3bd9953e58889521bbd62786a3f3b9d410b3a7f520847a422647591ccf0a
- SHA512
  
  ac52cb27bf91dce8fcc009c8fc4ba2f1f417c25d72d801973df8b52ac0673cc6f1f0aab298507e75f50b218392c1a5c87610a02dcbc76a366bb0b744d2f44bd1
- SSDEEP
  
  48:6GNhJPe3k8+hZ6NMuVY1X93MKeisXOthSUj88bNdGECtaTlr63FovpfbNtm:fPi++YzsXOz9j88ugp5zNt
Score

1^/10
behavioral23 behavioral24

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Tasks

Sharing

General

Malware Config

Extracted

Targets

Sets desktop wallpaper using registry

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24