raccoon | payload_curved[.]bin | Triage

Sharing

Copy URL Twitter E-mail

General

Target

payload_curved.bin
Size

97KB
MD5

b26d66e7808fb7684a747f665f184397
SHA1

4a2a6c79bc80a42d14838eb60f8ef6c1ef8560b3
SHA256

6e1e63045d5b794d450aaa86763ab893b18c0282838a78980e1ef1e029d35742
SHA512

6043e284f8bf879fc56069ca4925e00804a3e35911db090e78a607241c4c8325cb7c71c9231603a82a735cc9633322b1ee9a7411d2270f77f28e8338dde3645b
SSDEEP

3072:yEfIr0usN5rtB+U7ITo+StATErFDYpcO:yyttI0PtZR

Score

10^/10

0da2e3700aa6f05465fdfc323d371488 raccoon

Malware Config

Extracted

Family

raccoon

Botnet

0da2e3700aa6f05465fdfc323d371488

C2

http://94.142.138.19:80

Attributes

user_agent
GeekingToTheMoon

xor.plain

Signatures

Raccoon Stealer payload 1 IoCs

resource	yara_rule
sample	family_raccoon

Raccoon family
raccoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
payload_curved.bin

Files

payload_curved.bin
.exe windows:6 windows x86

0fcb7632c48018563e5af2f63681ece5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

OutputDebugStringA
FindClose
CreateMutexA
LocalAlloc
ReleaseMutex
CancelWaitableTimer
GetLastError
SetEvent
LoadLibraryA
ReleaseSemaphore
LoadLibraryW
ResetEvent
CreateWaitableTimerA
GetProcAddress
LocalFree
SetEnvironmentVariableA
CreateFileMappingW
CreateSemaphoreA
CreateEventA
lstrlenA
CloseHandle
FindFirstFileA

advapi32

RegOpenKeyExA

ole32

CoInitialize

Sections

.text
Size: 73KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE