raccoon | 47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8 | Triage

Submit
Reports

Overview

overview

Static

static

1

NoEscape.zip

windows10-2004-x64

Resubmissions

08-05-2023 15:57

230508-tecqradc2s 10

08-05-2023 15:42

230508-s5j23sbd86 10

Sharing

General

Target

NoEscape.zip
Size

616KB
Sample

230508-tecqradc2s
MD5

ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA1

9431227836440c78f12bfb2cb3247d59f4d4640b
SHA256

47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA512

6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
SSDEEP

12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd

Score

10^/10

raccoon ee2a3d190100b91c20d8bc284238dda6 evasion stealer themida trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

NoEscape.zip

Resource

win10v2004-20230220-en

raccoon ee2a3d190100b91c20d8bc284238dda6 evasion stealer themida trojan upx

windows10-2004-x64

32 signatures

1800 seconds

Malware Config

Extracted

Family

raccoon

Botnet

ee2a3d190100b91c20d8bc284238dda6

C2

http://94.142.138.176/

xor.plain

Targets

- Target
  
  NoEscape.zip
- Size
  
  616KB
- MD5
  
  ef4fdf65fc90bfda8d1d2ae6d20aff60
- SHA1
  
  9431227836440c78f12bfb2cb3247d59f4d4640b
- SHA256
  
  47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
- SHA512
  
  6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
- SSDEEP
  
  12288:1PQuO1JLx2auoA82iqOxdOc7XPkmpOw6mqc5m937hnTMktj1H:1PVqJx2auYqw7dOw6mql3nNBd
Score

10^/10

raccoon ee2a3d190100b91c20d8bc284238dda6 evasion stealer themida trojan upx
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Impair Defenses

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

raccoonee2a3d190100b91c20d8bc284238dda6evasionstealerthemidatrojanupx

© 2018-2024

Terms | Privacy