Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7

  • Size

    662KB

  • Sample

    240429-em6apshh7s

  • MD5

    f99b2b80dc83b0d952687d771833164c

  • SHA1

    e872f0b4be582132c9486b0c5b86f56b12ed677e

  • SHA256

    d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7

  • SHA512

    8d3af87306d1196862d681c0ae20cba17606e3b1c3a7a441b9739cbd71417088622b977dae9e084a3feb589a73681a2763259f20e1901eaae332ce62c3549add

  • SSDEEP

    12288:8bbrYKOCV65d6qGwqa2tqftXPoZe7YUWWd/v4ibj2xy/2+VDRceX+:8bfjOF76qGwbnVP7WWxv48j2xy/2+VH+

Score
10/10
raccoonfda6c8debb0b6b5a1d9698b54b255a7ddiscoveryspywarestealer

Malware Config

Extracted

Family

raccoon

Botnet

fda6c8debb0b6b5a1d9698b54b255a7d

C2

http://91.92.255.182:80/

Attributes
  • user_agent

    MrBidenNeverKnow

xor.plain

Targets

    • Target

      d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7

    • Size

      662KB

    • MD5

      f99b2b80dc83b0d952687d771833164c

    • SHA1

      e872f0b4be582132c9486b0c5b86f56b12ed677e

    • SHA256

      d21558f6acc3a23c174172d9d930b98ff5b5fba1e433bbc00b4a2ec4131269f7

    • SHA512

      8d3af87306d1196862d681c0ae20cba17606e3b1c3a7a441b9739cbd71417088622b977dae9e084a3feb589a73681a2763259f20e1901eaae332ce62c3549add

    • SSDEEP

      12288:8bbrYKOCV65d6qGwqa2tqftXPoZe7YUWWd/v4ibj2xy/2+VDRceX+:8bfjOF76qGwbnVP7WWxv48j2xy/2+VH+

    Score
    10/10
    raccoonfda6c8debb0b6b5a1d9698b54b255a7dspywarestealerdiscovery

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

      stealerraccoon

    • Raccoon Stealer V2 payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks