In depth analysis of an infostealer: Raccoon
Common Information
UUID: f11d3ec6-f502-4497-88f8-be1e20baf125
Fingerprint: be1439fa8db70a8d
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Dec. 3, 2019, 1:50 p.m.
Added to db: Sept. 26, 2022, 9:31 a.m.
Last updated: Nov. 18, 2024, 11:24 a.m.
Headline: Secfreaks
Title: In depth analysis of an infostealer: Raccoon
Detected Hints/Tags/Attributes: 57/2/79
Attributes
Details Type #Events CTI Value