Deep Static Analysis — Raccoon | Threat: high

File Identity

SHA256:   d60d4da2cfe120138a3fde66694b40ae2710cfc2af33cb7810b3a0e9b1663a4f
MD5:      d113b3debc7e0a2da4369dd8d1dbad53
SHA1:     78e17bd7e30c66aaef91a5b5fcb36a036a1074b7
Size:     23151176 bytes
Type:     /opt/ksentinel/samples/d60d4da2cfe12013_KSPSService.exe: PE32 executable (GUI) I
Compiled: Unknown
Packer:   UPX

C2 / Dropper Domains


IOC List


Capabilities

  • Screenshot
  • TCP Socket C2
  • Anti-Debug

SMTP Configuration

CCrypto::Base64Decode
CCrypto::Base64Decode: insufficient output buffer (up to n*3/4+2 bytes required)
CCrypto::HexDecode
CCrypto::HexDecode: insufficient output buffer (input lengt

Developer Hints

PDB Path: bash: -c: line 1: syntax error near unexpected token `|' bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^

Email: appro@openssl.org v@C.At

Telegram: @0D0H0L0 @0D0H0L0P0T0X0 @0D0H0L0T0l0 @0D0H0P0 @0D0P0X0

PE Analysis

Security Scan

file entropy:                    7.962831 (probably packed)
fpu anti-disassembly:            yes
imagebase:                       normal
entrypoint:                      normal
DOS stub:              

Import Table

Imported functions
    Library
        Name:                            KERNEL32.dll
        Functions
            Function
                Hint:                            430
                Name:                            FreeLibrary
            Function
                Hint:                            631
                Name:                            GetModuleFileNameW
            Function

Binwalk / Packer

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
17408      

Family Detection

No string evidence found (encrypted/obfuscated).

Raccoon — Malware Profile

Raccoon Stealer is a credential stealer. ProtonVPN disguise. Telegram C2 support. Targets browsers and crypto wallets.

Malware Type:         Infostealer
Programming Language: C++
C2 Protocol:          HTTP
Target Systems:       Windows
Also Known As (AKA):  RecordBreaker

Technical Details

C++/C, HTTP/HTTPS C2, SQLite credential extraction (browser login data), browser history/autofill, crypto wallet stealer (Ethereum/Bitcoin), email client stealer, custom stealer panel (PHP), fingerprinting (HWID/IP)

Capabilities & Behavior

  • Browser Credentials
  • Cookie Theft
  • Crypto Wallet Theft
  • System Information
  • Screenshot
  • FTP/SSH Client Passwords
  • Email Client Theft
  • Data Exfiltration

IOC List (20 indicators)

IOC — Raccoon

C2 Servers (7 recorded servers for this family)

Address               Type    Port  Protocol  Status     Country
arena.cc              domain  —     HTTP      active     —
cacerts.digicert.com  domain  —     HTTP      active     —
crl3.digicert.com     domain  —     HTTP      active     —
crl.globalsign.com    domain  —     HTTP      active     —
45.139.199.83         ip      443   HTTPS     inactive   RU
coded_stream.cc       domain  —     HTTP      inactive   —
92.255.57.48          ip      80    HTTP      sinkholed  UA

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
raccoon, statik-analiz, high, c2, ioc, pe