Malware Analysis: Raccoon Stealer Malware, Part 2
Common Information
Type | Value |
---|---|
UUID | 8df9cf12-26d5-4abe-939d-817065928faf |
Fingerprint | f9facd0a21f0f19 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Nov. 14, 2024, midnight |
Added to db | Dec. 19, 2024, 9:33 p.m. |
Last updated | Dec. 23, 2024, 11:17 a.m. |
Headline | eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2, Part 2 |
Title | Malware Analysis: Raccoon Stealer Malware, Part 2 |
Detected Hints/Tags/Attributes | 115/4/58 |
Attributes

Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 1 | | behind.com |
Details | Domain | 1 | | ferret.com |
Details | Domain | 6 | | so.com |
Details | Domain | 1 | | www.severe.com |
Details | Domain | 1 | | www.whirlwind.com |
Details | Domain | 1 | | www.bias.com |
Details | Domain | 1 | | www.labourer.com |
Details | Domain | 1 | | www.intensity.com |
Details | Domain | 1 | | www.family.com |
Details | Domain | 1 | | www.divorce.com |
Details | Domain | 1 | | www.football.com |
Details | Domain | 1 | | www.refectory.com |
Details | Domain | 1 | | www.barium.com |
Details | Domain | 1 | | www.piglet.com |
Details | Domain | 1 | | www.phrase.com |
Details | Domain | 1 | | www.behold.com |
Details | Domain | 1 | | www.alcove.com |
Details | Domain | 1 | | www.titanium.com |
Details | Domain | 1 | | www.though.com |
Details | Domain | 1 | | www.salute.com |
Details | Domain | 1 | | www.absorb.com |
Details | Domain | 1 | | www.nimble.com |
Details | Domain | 1 | | www.cooked.com |
Details | Domain | 1 | | www.pheasant.com |
Details | Domain | 1 | | www.handicap.com |
Details | Domain | 1 | | www.birdbath.com |
Details | Domain | 1 | | www.cannibal.com |
Details | Domain | 1 | | www.pentagon.com |
Details | Domain | 282 | | www.esentire.com |
Details | Domain | 240 | | learn.microsoft.com |
Details | File | 1 | | raccoon-2.dll |
Details | File | 1 | | 0-4.exe |
Details | File | 1348 | | explorer.exe |
Details | File | 65 | | cookies.sql |
Details | File | 18 | | formhistory.sql |
Details | File | 69 | | logins.json |
Details | File | 33 | | prefs.js |
Details | File | 5 | | scrnsht_screenshot.jpeg |
Details | File | 27 | | payload.dll |
Details | File | 1 | | raccoonstealerv2_c2_mutex_extract.py |
Details | File | 1 | | raccoon_stealer_string_decrypt_idapython.py |
Details | Github username | 11 | | russianpanda95 |
Details | md5 | 1 | | 59b3f1bab2aee7c6ded44ab444c93d6b |
Details | MITRE ATT&CK Techniques | 198 | | T1189 |
Details | MITRE ATT&CK Techniques | 406 | | T1204.002 |
Details | MITRE ATT&CK Techniques | 188 | | T1555 |
Details | MITRE ATT&CK Techniques | 245 | | T1033 |
Details | MITRE ATT&CK Techniques | 241 | | T1113 |
Details | MITRE ATT&CK Techniques | 112 | | T1020 |
Details | MITRE ATT&CK Techniques | 135 | | T1134 |
Details | Url | 1 | | https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation |
Details | Url | 2 | | https://krebsonsecurity.com/2022/10/accused-raccoon-malware-developer-fled-ukraine-after-russian-invasion |
Details | Url | 2 | | https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raccoon-stealer-v2-0 |
Details | Url | 2 | | https://learn.microsoft.com/en-us/windows/win32/api |
Details | Url | 1 | | https://github.com/russianpanda95/configuration_extractors/blob/main/raccoonstealerv2_c2_mutex_extract.py |
Details | Url | 1 | | https://github.com/russianpanda95/idapython/blob/main/raccoonstealer/raccoon_stealer_string_decrypt_idapython.py |
Details | Windows Registry Key | 11 | | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography |
Details | Yara rule | 1 | | RaccoonStealerv2 (rule text below) |

Yara rule attribute, as recorded in the table above:

```yara
rule RaccoonStealerv2 {
    meta:
        author = "eSentire Threat Intelligence team"
        date = "04/17/2023"
        description = "Detects the latest unpacked/unobfuscated build 2.1.0-4"
    strings:
        $pattern1 = { B9 ?? ?? ?? 00 E8 ?? ?? ?? 00 ?? ?? 89 45 E8 }
        $pattern2 = { 68 ?? ?? ?? 00 ?? 68 01 00 1F 00 }
        $pattern3 = { 68 ?? ?? ?? 00 ?? ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
        $m1 = { 68 ?? ?? ?? 00 ?? 00 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
        $m2 = { 68 ?? ?? ?? 00 ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
    condition:
        2 of ($pattern*) and uint16(0) == 0x5A4D and 1 of ($m*) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB
}
```