raccoon

Resubmissions

21-02-2023 11:28

230221-nla8lsge2x 10

15-02-2023 12:25

230215-pl5mwsbf93 10

Sharing

Copy URL

Twitter E-mail

General

Target

Use_15151_As_Passw0rd.rar
Size

15.9MB
Sample

230221-nla8lsge2x
MD5

5b5efab4ec1824eaa3cc49f1ccd6769e
SHA1

0a7583e3d18f787eedea9006d610041d557ea516
SHA256

49f23bba52c17eebb7e04e11d52042d8fee8098220a8283693bf7467e02fe674
SHA512

7fb903aa63ee402569e058cbdb2b7452152d700f43891042fd1949c3caac1f5825cefa6b23dac56d196ee82a4b99b25051ff3f45f3b7a869f660135b01b70d6f
SSDEEP

393216:UO7beLXxUkT+EuNxTV6Mga+F20jXa/ARspXCm/LO0F8cMek4RLsNT:UOO7xUkKwM2F20jK4RrmTt2cMkwNT

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

697fc5d9af6aa2a29510779d2fc54b97

http://83.217.11.27/

http://83.217.11.28/

rc4.plain

Targets

- Target
  
  Language/WinRar.exe
- Size
  
  3.2MB
- MD5
  
  b66dec691784f00061bc43e62030c343
- SHA1
  
  779d947d41efafc2995878e56e213411de8fb4cf
- SHA256
  
  26b40c79356453c60498772423f99384a3d24dd2d0662d215506768cb9c58370
- SHA512
  
  6a89bd581baf372f07e76a3378e6f6eb29cac2e4981a7f0affb4101153407cadfce9f1b6b28d5a003f7d4039577029b2ec6ebcfd58e55288e056614fb03f8ba3
- SSDEEP
  
  98304:lJXOBfK92HbAw0CNB3kJElzNsy8vGUvfCo3ABH43:lJ192HbAXCvDlzNsy8vGUyo3AB8
Score

10^/10

discovery persistence
- Modifies system executable filetype association
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2
- Target
  
  Setup.exe
- Size
  
  727.0MB
- MD5
  
  0b37d4549b05f39e19c333b454434486
- SHA1
  
  01ab732286304f13a67dde62e426d1ce5bf63d9e
- SHA256
  
  e768f7dc93533a1208c1b3fa29c4820b827082f95f9b1e4fa955ffb1ae640582
- SHA512
  
  2f87d778d03962ecab465f8dc30f2cdee8d412b0381a45964cc7ff23283bd6b13e0b360b592c102c917e50371d86ff9efa80a50375f4b522659a6f0344f6c224
- SSDEEP
  
  196608:hJwaVL4x+Zr1By4jOrscVh6qpmMgkFbO8EV:QaVLACrvTOoiEqpmMxbk
Score

10^/10

raccoon 697fc5d9af6aa2a29510779d2fc54b97 stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  en-US/AutoWorkplaceN.dll.mui
- Size
  
  2KB
- MD5
  
  a311c98e7cb3bc2c6f4ad9ca65e95810
- SHA1
  
  481168e5c9437731ab632fcacb9c88471c008d6b
- SHA256
  
  799cf32fc0515a4bcc0388d0d39618d9c67ee67a1c2000d7344c5a8120004e2e
- SHA512
  
  8eefd67ab748725145db643dab47f608b66582c194e42ed412bfe31f26c36b2bd2c4e157fa1bfaa582c697de267c242e5e809be109c7ab3f61f19bd6812e416a
Score

1^/10
behavioral5 behavioral6
- Target
  
  en-US/avicap32.dll.mui
- Size
  
  8KB
- MD5
  
  a5696b2d379fb322c7ee1e18c01ca920
- SHA1
  
  0063d4f4814d4565334b5937fd83b56287ab413a
- SHA256
  
  cb852e13a323c8e226b9bccc7786df3c55e4be16d9d63f4911ea0565ac879a9c
- SHA512
  
  01e93385f90fd0a25d8c7da31704cf8d04596113fbc9c19199506bbb5ba978f974c65a636ea663fec0c32408a931499814f806091ef7b3d9ca59c26fa01cdabd
- SSDEEP
  
  96:9XIEThBLwopUCfwpyIR3M7Pel5LdDzdlSjrviqEtp9JhZ47/5PYBtTdbhFYIDiqf:KKxy3M7P5vRULZ4S5HTbnWnUrTWQ
Score

1^/10
behavioral7 behavioral8
- Target
  
  vcomp140.dll
- Size
  
  176KB
- MD5
  
  884c6f8718fd95c25e16a4789ae3bf7a
- SHA1
  
  33f7e6846498871927d21bed11cc4ef41804112a
- SHA256
  
  f8d8aca399a0f7e40b2993584404b31f13bf18ea657a5feb85b37b15a249a275
- SHA512
  
  48384af2f6359ca3ee6996fc34df8c357164097f0c0c5cb30f5bd080baa6af3b4bcada17fb94933a99955f97c4ac0e554ca2373a5638e29db84e8318165c7b0c
- SSDEEP
  
  3072:+Pr3XpMvAiR3LQpxELm3uFX1TfgZhPlUDJR9ZURc/5:+znSvAiO+m3uFFOj+O6/5
Score

3^/10
behavioral10 behavioral9
- Target
  
  vcruntime140.dll
- Size
  
  94KB
- MD5
  
  11d9ac94e8cb17bd23dea89f8e757f18
- SHA1
  
  d4fb80a512486821ad320c4fd67abcae63005158
- SHA256
  
  e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
- SHA512
  
  aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778
- SSDEEP
  
  1536:yDHLG4SsAzAvadZw+1Hcx8uIYNUzUnHg4becbK/zJrCT:yDrfZ+jPYNznHg4becbK/Fr
Score

3^/10
behavioral11 behavioral12
- Target
  
  win-api.config
- Size
  
  186B
- MD5
  
  9070d769fd43fb9def7e9954fba4c033
- SHA1
  
  de4699cdf9ad03aef060470c856f44d3faa7ea7f
- SHA256
  
  cbaf2ae95b1133026c58ab6362af2f7fb2a1871d7ad58b87bd73137598228d9b
- SHA512
  
  170028b66c5d2db2b8c90105b77b0b691bf9528dc9f07d4b3983d93e9e37ea1154095aaf264fb8b5e67c167239697337cc9e585e87ef35faa65a969cac1aa518
Score

1^/10
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Modifies system executable filetype association

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14