raccoon | b84ee931e8db117173345b24f6e25b1fd45e4179d0dc0c4057c07396df614d21 | Triage

Sharing

General

Target

setuptorrent.exe
Size

659KB
Sample

230225-s1b6nsdd31
MD5

75e0f3de613eb6ee9194115dc464966c
SHA1

d4fdea8d3b6370b74a8e3e5660db47f18fe423a1
SHA256

b84ee931e8db117173345b24f6e25b1fd45e4179d0dc0c4057c07396df614d21
SHA512

26090c3c943b3a5a60303281117c66e64c7799839605cc9f713f1ff625163f3b7ff1e22d8d00392a355146f57e90574656e69d54a92c722bf9ba2b54af899f08
SSDEEP

3072:PahKyd2n31qQ5DAoieXpw7vbKfShk8GMD2TKV435U9veML:PahOUoie5w7lf/9x

Score

10^/10

raccoon 8fb7b851641d456f39570978e99f780e persistence stealer

Malware Config

Extracted

Family

raccoon

Botnet

8fb7b851641d456f39570978e99f780e

C2

http://45.15.156.239/

rc4.plain

Targets

- Target
  
  setuptorrent.exe
- Size
  
  659KB
- MD5
  
  75e0f3de613eb6ee9194115dc464966c
- SHA1
  
  d4fdea8d3b6370b74a8e3e5660db47f18fe423a1
- SHA256
  
  b84ee931e8db117173345b24f6e25b1fd45e4179d0dc0c4057c07396df614d21
- SHA512
  
  26090c3c943b3a5a60303281117c66e64c7799839605cc9f713f1ff625163f3b7ff1e22d8d00392a355146f57e90574656e69d54a92c722bf9ba2b54af899f08
- SSDEEP
  
  3072:PahKyd2n31qQ5DAoieXpw7vbKfShk8GMD2TKV435U9veML:PahOUoie5w7lf/9x
Score

10^/10

persistence raccoon 8fb7b851641d456f39570978e99f780e stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

raccoon8fb7b851641d456f39570978e99f780epersistencestealer