raccoon | tmp | Triage

Sharing

Copy URL Twitter E-mail

General

Target

tmp
Size

80KB
MD5

ede233a63da01db0d70ab02350da20da
SHA1

0015d4d884ffec9249ea5b7fe7ac1e7405b0fad0
SHA256

367c36048caf0ed341ce8d41f979c99c7803104ea98fb14d996f9e8b36445a92
SHA512

cb6d0b853ff0de5be67bd6560c95d79dab23c5c7d1b41419f6e1102f8b2fc381df4a3ea1bb9f60718d517b44921a65586ae43c0f7b89370add73d35db8794dc6
SSDEEP

1536:KX0PI6ORWFPekAZZ0XCkSBIPV1Fn1p06QcKUp3wFqH:9PI6GWpeVsXCLMrxbQOpgFqH

Score

10^/10

6d6cad4d6bee72630ba625134a27cc3f raccoon

Malware Config

Extracted

Family

raccoon

Botnet

6d6cad4d6bee72630ba625134a27cc3f

C2

http://185.242.86.86:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon Stealer V2 payload 1 IoCs

resource	yara_rule
sample	family_raccoon_v2

Raccoon family
raccoon

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
tmp

Files

tmp
.exe windows:6 windows x86 arch:x86

52fcc5c1bcda70fa4759c08995c5a5fb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FindFirstFileA
ReleaseSemaphore
OutputDebugStringA
FindClose
CreateMutexA
LocalAlloc
ReleaseMutex
CancelWaitableTimer
GetLastError
GetProcAddress
CloseHandle
ResetEvent
CreateWaitableTimerA
LocalFree
SetEnvironmentVariableA
CreateFileMappingW
CreateSemaphoreA
CreateEventA
lstrlenA
SetEvent
LoadLibraryA

advapi32

RegOpenKeyExA

ole32

CoInitialize

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE