raccoon | 1d9aec53a2dad6df3abd17708fee9e5224b1c5da396d19791b992c62208e5550 | Triage

Sharing

General

Target

b0ad1e810fe8f03af643aab5913fb0d40a282a0b290385db95e2478a0bd3e381.zip
Size

9.7MB
Sample

230321-r38f8abd65
MD5

48ca142b276a13f94318b2e51f3f9059
SHA1

49282b9cf4981a413b24abb128b1c40151e4fafd
SHA256

1d9aec53a2dad6df3abd17708fee9e5224b1c5da396d19791b992c62208e5550
SHA512

95beb70b8eae7543193e5017b183d13b00e2aab05f9987c247cf818f7900f6e0ba8726e68220fbb79d5790568ccf2b6220be5d3393197bdc3a2fb35cbf92e5dd
SSDEEP

196608:hp8/ueuDp8nMlbbCRIZzEbWxExywXgzakVIanxxPWQJA1i+mN32LRE+QYRNMhsWO:hpqfuKwX+xyfzaKp0DmNEbQ2K2H

Score

10^/10

raccoon f49765d62e02586d0fe162b5d3a934ad discovery spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

f49765d62e02586d0fe162b5d3a934ad

C2

http://78.153.130.123/

http://212.113.119.35/

http://212.113.119.48/

http://212.113.106.218/

rc4.plain

Targets

- Target
  
  b0ad1e810fe8f03af643aab5913fb0d40a282a0b290385db95e2478a0bd3e381.exe
- Size
  
  10.0MB
- MD5
  
  8b718c053968e68100029bc709579e63
- SHA1
  
  61b0ed38b226d15f0116f9781882d76d8ec3f4fe
- SHA256
  
  b0ad1e810fe8f03af643aab5913fb0d40a282a0b290385db95e2478a0bd3e381
- SHA512
  
  393a4d47d28e00543b6ee37f527352381702a6c454df4b63afa59c3832a2b95dbe89694a7d8ff38f7eedb973d4d23bae142e1afe5da5be27ad21f785e1d7dbe8
- SSDEEP
  
  196608:Ga95hrgeuf+YfsgUyYuoI+l2C+NTh+gvlx5SdkIeSC5rdfqVWHJiCocTRlz:Ga9brpumJgRnC+Tx9x5SdkC4fQgJro+L
Score

10^/10

raccoon f49765d62e02586d0fe162b5d3a934ad discovery spyware stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

raccoonf49765d62e02586d0fe162b5d3a934addiscoveryspywarestealer

behavioral2

raccoonf49765d62e02586d0fe162b5d3a934addiscoveryspywarestealer