raccoon

Sharing

General

Target

6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
Size

2.6MB
Sample

241022-wnc4zsxena
MD5

e0118ad4299455683d5d0708772742ef
SHA1

c80a27155317c3d08308cf8a55e4790f429bb2dd
SHA256

6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
SHA512

c6e9de83cbc63505359fb745f5417977df30445ab87d848081d526c8afe1ecb1ffa075bb80370862cd7d57b50c5dc23e68aac784f8e845a9d7195e6eb1ed99ec
SSDEEP

49152:pAI+1NpJc7YrEa2u2hq3PGh0p4EyqaeFEqLh09fqNZesF+AxnMtQSOanD9:pAI+vc8rHJ283PGi4EyduRLh0MNZesFS

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

53.8

Botnet

1571

https://t.me/spmhaus

https://c.im/@tiagoa33

Attributes

profile_id
1571

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

vidar

Version

53.9

Botnet

1616

https://t.me/v_total

https://mas.to/@tiaga01

Attributes

profile_id
1616

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

Molecule JK

insttaller.com:40915

Attributes

auth_value
abb046f9600c78fd9272c2e96c3cfe48

Extracted

Family

vidar

Version

53.9

Botnet

1521

http://62.204.41.126:80

Attributes

profile_id
1521

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://193.56.146.177

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

f23fda14afd5f9052a211b216bdaaf79

http://77.232.39.101

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Targets

- Target
  
  6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
- Size
  
  2.6MB
- MD5
  
  e0118ad4299455683d5d0708772742ef
- SHA1
  
  c80a27155317c3d08308cf8a55e4790f429bb2dd
- SHA256
  
  6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
- SHA512
  
  c6e9de83cbc63505359fb745f5417977df30445ab87d848081d526c8afe1ecb1ffa075bb80370862cd7d57b50c5dc23e68aac784f8e845a9d7195e6eb1ed99ec
- SSDEEP
  
  49152:pAI+1NpJc7YrEa2u2hq3PGh0p4EyqaeFEqLh09fqNZesF+AxnMtQSOanD9:pAI+vc8rHJ283PGi4EyduRLh0MNZesFS
Score

10^/10

raccoon redline vidar 1521 1571 1616 5 5076357887 76426c3f362f5a47a469f0e9d8bc3eef afb5c633c4650f69312baef49db9dfa4 f23fda14afd5f9052a211b216bdaaf79 molecule jk nam3 discovery infostealer persistence stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2