raccoon | 3099f11a5d7e56fd714b21b76b411de53348237257938be932ed3d4e084d487d | Triage

Submit
Reports

Overview

overview

Static

static

1

PassKey-55...V8.rar

windows7-x64

PassKey-55...V8.rar

windows10-2004-x64

Sharing

General

Target

PassKey-55551-CompleteFileV8.rar
Size

14.9MB
Sample

230510-16f1taae87
MD5

00de82c2721f4d97f728febbc4758036
SHA1

528eb4965630e9d051f2c2b3a9ffe6ddb78ffe75
SHA256

3099f11a5d7e56fd714b21b76b411de53348237257938be932ed3d4e084d487d
SHA512

0b9ad8446b9e06215f671875f7b845b6aaf0b3abc45b9ed022922f3a771ccfdfd97486f7d4b4188431b421076e79501b14b1b37e73e4df9076032694a6df1253
SSDEEP

393216:wLq2Hr2ghmHDNHhxhfSXMcgyI8cQWWoPBJl:wLq2SZj5D5Sc0cZW0J

Score

10^/10

raccoon ee2a3d190100b91c20d8bc284238dda6 discovery spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

PassKey-55551-CompleteFileV8.rar

Resource

win7-20230220-es

raccoon ee2a3d190100b91c20d8bc284238dda6 discovery spyware stealer vmprotect

windows7-x64

17 signatures

1800 seconds

Behavioral task

behavioral2

Sample

PassKey-55551-CompleteFileV8.rar

Resource

win10v2004-20230220-es

raccoon ee2a3d190100b91c20d8bc284238dda6 stealer vmprotect

windows10-2004-x64

9 signatures

1800 seconds

Malware Config

Extracted

Family

raccoon

Botnet

ee2a3d190100b91c20d8bc284238dda6

C2

http://94.142.138.176/

xor.plain

Targets

- Target
  
  PassKey-55551-CompleteFileV8.rar
- Size
  
  14.9MB
- MD5
  
  00de82c2721f4d97f728febbc4758036
- SHA1
  
  528eb4965630e9d051f2c2b3a9ffe6ddb78ffe75
- SHA256
  
  3099f11a5d7e56fd714b21b76b411de53348237257938be932ed3d4e084d487d
- SHA512
  
  0b9ad8446b9e06215f671875f7b845b6aaf0b3abc45b9ed022922f3a771ccfdfd97486f7d4b4188431b421076e79501b14b1b37e73e4df9076032694a6df1253
- SSDEEP
  
  393216:wLq2Hr2ghmHDNHhxhfSXMcgyI8cQWWoPBJl:wLq2SZj5D5Sc0cZW0J
Score

10^/10

raccoon ee2a3d190100b91c20d8bc284238dda6 discovery spyware stealer vmprotect
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

raccoonee2a3d190100b91c20d8bc284238dda6discoveryspywarestealervmprotect

behavioral2

raccoonee2a3d190100b91c20d8bc284238dda6stealervmprotect

© 2018-2024

Terms | Privacy