Malware Analysis: Raccoon Stealer Malware, Part 2
Common Information
Type Value
UUID 8df9cf12-26d5-4abe-939d-817065928faf
Fingerprint f9facd0a21f0f19
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 14, 2024, midnight
Added to db Dec. 19, 2024, 9:33 p.m.
Last updated Dec. 23, 2024, 11:17 a.m.
Headline eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2, Part 2
Title Malware Analysis: Raccoon Stealer Malware, Part 2
Detected Hints/Tags/Attributes 115/4/58
Attributes
Type                    #Events  Value
Domain                        1  behind.com
Domain                        1  ferret.com
Domain                        6  so.com
Domain                        1  www.severe.com
Domain                        1  www.whirlwind.com
Domain                        1  www.bias.com
Domain                        1  www.labourer.com
Domain                        1  www.intensity.com
Domain                        1  www.family.com
Domain                        1  www.divorce.com
Domain                        1  www.football.com
Domain                        1  www.refectory.com
Domain                        1  www.barium.com
Domain                        1  www.piglet.com
Domain                        1  www.phrase.com
Domain                        1  www.behold.com
Domain                        1  www.alcove.com
Domain                        1  www.titanium.com
Domain                        1  www.though.com
Domain                        1  www.salute.com
Domain                        1  www.absorb.com
Domain                        1  www.nimble.com
Domain                        1  www.cooked.com
Domain                        1  www.pheasant.com
Domain                        1  www.handicap.com
Domain                        1  www.birdbath.com
Domain                        1  www.cannibal.com
Domain                        1  www.pentagon.com
Domain                      282  www.esentire.com
Domain                      240  learn.microsoft.com
File                          1  raccoon-2.dll
File                          1  0-4.exe
File                       1348  explorer.exe
File                         65  cookies.sql
File                         18  formhistory.sql
File                         69  logins.json
File                         33  prefs.js
File                          5  scrnsht_screenshot.jpeg
File                         27  payload.dll
File                          1  raccoonstealerv2_c2_mutex_extract.py
File                          1  raccoon_stealer_string_decrypt_idapython.py
Github username              11  russianpanda95
md5                           1  59b3f1bab2aee7c6ded44ab444c93d6b
MITRE ATT&CK Techniques     198  T1189
MITRE ATT&CK Techniques     406  T1204.002
MITRE ATT&CK Techniques     188  T1555
MITRE ATT&CK Techniques     245  T1033
MITRE ATT&CK Techniques     241  T1113
MITRE ATT&CK Techniques     112  T1020
MITRE ATT&CK Techniques     135  T1134
Url                           1  https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation
Url                           2  https://krebsonsecurity.com/2022/10/accused-raccoon-malware-developer-fled-ukraine-after-russian-invasion
Url                           2  https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raccoon-stealer-v2-0
Url                           2  https://learn.microsoft.com/en-us/windows/win32/api
Url                           1  https://github.com/russianpanda95/configuration_extractors/blob/main/raccoonstealerv2_c2_mutex_extract.py
Url                           1  https://github.com/russianpanda95/idapython/blob/main/raccoonstealer/raccoon_stealer_string_decrypt_idapython.py
Windows Registry Key         11  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
Yara rule                     1  (rule text follows)
rule RaccoonStealerv2 {
	meta:
		author = "eSentire Threat Intelligence team"
		date = "04/17/2023"
		description = "Detects the latest unpacked/unobfuscated build 2.1.0-4"
	strings:
		$pattern1 = { B9 ?? ?? ?? 00 E8 ?? ?? ?? 00 ?? ?? 89 45 E8 }
		$pattern2 = { 68 ?? ?? ?? 00 ?? 68 01 00 1F 00 }
		$pattern3 = { 68 ?? ?? ?? 00 ?? ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
		$m1 = { 68 ?? ?? ?? 00 ?? 00 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
		$m2 = { 68 ?? ?? ?? 00 ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
	condition:
		2 of ($pattern*) and uint16(0) == 0x5A4D and 1 of ($m*) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB
}