raccoon

Sharing

General

Target

36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a
Size

916KB
Sample

241022-wsqwmszfqn
MD5

c980f514625b05414eb98e9430c5989b
SHA1

ab83c9ff1a8216bf3f4bbec203740b43a9be5658
SHA256

36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a
SHA512

b39863ac1fd9c0da7bcac00952ca006bdcc4c17b05118698a57910f7f39438812d5264a3e74e2cd8570540531dd220d63c9a5ca9aeb394e052809891dd6c9da5
SSDEEP

24576:pAT8QE+kLVNpJc7Ycw4Th7k16ThM5dJ5OS6tT7oA5i69t:pAI+UNpJc7Yc7dXUxOSAXo07

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

53.8

Botnet

1571

http://77.91.103.114:80

http://45.159.248.189:80

http://45.159.248.173:80

Attributes

profile_id
1571

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

vidar

Version

53.8

Botnet

1521

http://62.204.41.126:80

Attributes

profile_id
1521

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

http://193.56.146.177

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Extracted

Family

raccoon

Botnet

76426c3f362f5a47a469f0e9d8bc3eef

http://45.95.11.158/

Attributes

user_agent
mozzzzzzzzzzz

xor.plain

Targets

- Target
  
  36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a
- Size
  
  916KB
- MD5
  
  c980f514625b05414eb98e9430c5989b
- SHA1
  
  ab83c9ff1a8216bf3f4bbec203740b43a9be5658
- SHA256
  
  36d62ba86ad6bfdd5638cef785d1a06ef770d0c6594477f8a0d9244dd8eecc8a
- SHA512
  
  b39863ac1fd9c0da7bcac00952ca006bdcc4c17b05118698a57910f7f39438812d5264a3e74e2cd8570540531dd220d63c9a5ca9aeb394e052809891dd6c9da5
- SSDEEP
  
  24576:pAT8QE+kLVNpJc7Ycw4Th7k16ThM5dJ5OS6tT7oA5i69t:pAI+UNpJc7Yc7dXUxOSAXo07
Score

10^/10

raccoon redline vidar 1521 1571 5 5076357887 76426c3f362f5a47a469f0e9d8bc3eef afb5c633c4650f69312baef49db9dfa4 nam3 discovery infostealer stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

RedLine

RedLine payload

Vidar

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2