raccoon

Sharing

General

Target

54601d45a229469f2909404bc448ce2fcb6d90319d7b62adcbb36d48560b3500
Size

1.1MB
Sample

241022-wnk5lazejq
MD5

db2082d65265145d992f05920fcaf442
SHA1

84edb3496b2bb8db9fab5dbfaa388724aa3b2214
SHA256

54601d45a229469f2909404bc448ce2fcb6d90319d7b62adcbb36d48560b3500
SHA512

55b05af2666a47d7728e90c0bacdeef50d1401ef423d63ecf20c0400a6a82f86004f1af166857684a097e0c960a9ba1d18ef86144ed8d2bdf98b477bfcc08ebf
SSDEEP

24576:pAT8QE+kiVNpJc7YMQGOna45spYKQMtQY/IYHiQqA245zVYjqGSQy:pAI+XNpJc7YMVItmftJ/UQ12qG5SQy

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

vidar

Version

53.8

Botnet

1571

https://t.me/spmhaus

https://c.im/@tiagoa33

Attributes

profile_id
1571

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

vidar

Version

53.8

Botnet

1521

http://62.204.41.126:80

Attributes

profile_id
1521

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://193.56.146.177

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Targets

- Target
  
  54601d45a229469f2909404bc448ce2fcb6d90319d7b62adcbb36d48560b3500
- Size
  
  1.1MB
- MD5
  
  db2082d65265145d992f05920fcaf442
- SHA1
  
  84edb3496b2bb8db9fab5dbfaa388724aa3b2214
- SHA256
  
  54601d45a229469f2909404bc448ce2fcb6d90319d7b62adcbb36d48560b3500
- SHA512
  
  55b05af2666a47d7728e90c0bacdeef50d1401ef423d63ecf20c0400a6a82f86004f1af166857684a097e0c960a9ba1d18ef86144ed8d2bdf98b477bfcc08ebf
- SSDEEP
  
  24576:pAT8QE+kiVNpJc7YMQGOna45spYKQMtQY/IYHiQqA245zVYjqGSQy:pAI+XNpJc7YMVItmftJ/UQ12qG5SQy
Score

10^/10

raccoon redline vidar 1521 1571 5 76426c3f362f5a47a469f0e9d8bc3eef afb5c633c4650f69312baef49db9dfa4 nam3 discovery infostealer persistence stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

RedLine

RedLine payload

Vidar

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2