raccoon

General

Target

ver2_file.rar
Size

12.2MB
Sample

240404-qg418sgg8s
MD5

2ff11907cc13c6cca9812b6170150912
SHA1

b82afec6758b785e262d40e01f3ffc1224eb78e2
SHA256

c985faf904c1c089dab9972207f3c17edeaf0c2cfbd1480cc017252ee95ded38
SHA512

fefc5ace043f59cb8e4dc0b4cdfc3e44bd8ca1fc1a79f3e6714eb7d42561dac05e8e6853934c5650c11b707bde34a68d7356f31a6b470bc5d104b1b572621351
SSDEEP

196608:faxkZRLSQrJPMaaTg6EVNCHntJuzN+CifT6aiMrCn+vJyLR90WV7BQL6pUn8:sqRnrlMaavAIHtJcNdkqMrCnr99dDKc/

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

fda6c8debb0b6b5a1d9698b54b255a7d

C2

http://91.92.255.182:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Targets

- Target
  
  LiteRes.dll
- Size
  
  735KB
- MD5
  
  88962410244bc5c03482b82a7e3cb5e1
- SHA1
  
  4622be2d3deda305bf0a16c0e01bc2ecf9d56fad
- SHA256
  
  afa884228afc5c05f4b47e90b6de42854d5a8886ec5ed15a253faeccd5309036
- SHA512
  
  c6e7667f91c1439e33ad4d9e2052b7c9fcc3ca2c7688d9e2bc0550b71a5762b76aa76427331df0217429d9bd984925997c7a8d009f25e44e2776c5ce7cc9d98c
- SSDEEP
  
  6144:x9Ej/jb82/HRoXO1q2pt+Mc1/PDPicsUzM+gYESoE/wOuET8F62bH5vnGfcJvl+b:fqptG/PDPo0no2Iq8F6CHBTWqU
Score

1^/10
behavioral1 behavioral2
- Target
  
  LiteSkinUtils.dll
- Size
  
  48KB
- MD5
  
  059d94e8944eca4056e92d60f7044f14
- SHA1
  
  46a491abbbb434b6a1a2a1b1a793d24acd1d6c4b
- SHA256
  
  9fa7cacb5730faacc2b17d735c45ee1370130d863c3366d08ec013afe648bfa6
- SHA512
  
  0f45fe8d5e80a8fabf9a1fd2a3f69b2c4ebb19f5ffdcfec6d17670f5577d5855378023a91988e0855c4bd85c9b2cc80375c3a0acb1d7a701aff32e9e78347902
- SSDEEP
  
  768:FPGeoWyuTx6vrP/zAdWQS6Z9CSKh64crVKTl9inMUAK:tGeJxIHepSKzjVK9iMUAK
Score

1^/10
behavioral3 behavioral4
- Target
  
  setup.exe
- Size
  
  736.0MB
- MD5
  
  73e0b140c77442a77eb4ca4d42c0faaf
- SHA1
  
  2e62d30b2837ccf14cd45a90ae8d63a78ddd00a2
- SHA256
  
  fa5dc4671c6338f598367e382e64370063381b131a5cdc9e237742df4fb326b7
- SHA512
  
  e089f03706b4002e52f65157adaea76e7211822ca60c55baf6fe2018b08051e6ba0e499d54832390f0d819764fd7967eb2c470fefe9bd6e85b58c5d80fecf2fd
- SSDEEP
  
  98304:/Ewxwl8gfUbi8kKnUH9naKErAOUEsFUITL46KceYsL4NZsktqzEU3w/5:/HwCgfUbVrOFahVhs+ITHY4rEBw
Score

10^/10

evasion raccoon fda6c8debb0b6b5a1d9698b54b255a7d discovery spyware stealer
- Modifies firewall policy service
  evasion
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V2 payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral5 behavioral6