Deep Static Analysis — Raccoon | Threat: high
File Identity
| Field | Value |
|---|---|
| SHA256 | d60d4da2cfe120138a3fde66694b40ae2710cfc2af33cb7810b3a0e9b1663a4f |
| MD5 | d113b3debc7e0a2da4369dd8d1dbad53 |
| SHA1 | 78e17bd7e30c66aaef91a5b5fcb36a036a1074b7 |
| Size | 23151176 bytes |
| Type | /opt/ksentinel/samples/d60d4da2cfe12013_KSPSService.exe: PE32 executable (GUI) I |
| Compilation | Unknown |
| Packer | UPX |
C2 / Dropper Domains
| Address | Type | Status |
|---|---|---|
| arena.cc | Domain | Unknown |
| cacerts.digicert.com | Domain | Unknown |
| coded_stream.cc | Domain | Unknown |
| crl3.digicert.com | Domain | Unknown |
| crl.globalsign.com | Domain | Unknown |
| crl.microsoft.com | Domain | Unknown |
| crl.usertrust.com | Domain | Unknown |
| crt.usertrust.com | Domain | Unknown |
| descriptor.cc | Domain | Unknown |
| descriptor_database.cc | Domain | Unknown |
IOC List
| Value | Type |
|---|---|
| arena.cc | Domain |
| cacerts.digicert.com | Domain |
| coded_stream.cc | Domain |
| crl3.digicert.com | Domain |
| crl.globalsign.com | Domain |
| crl.microsoft.com | Domain |
| http://cacert | URL |
| http://crl3.digicert.com/DigiCertA | URL |
| http://crl3.digicert.com/DigiCertTru | URL |
| http://crl.global | URL |
| Global\SecureDesktopInput_mem | Mutex |
| Global\SecureDesktop_MovieStream | Mutex |
Capabilities
- Screenshot
- TCP Socket C2
- Anti-Debug
SMTP Configuration
Developer Hints
Email: appro@openssl.org v@C.At
Telegram: @0D0H0L0 @0D0H0L0P0T0X0 @0D0H0L0T0l0 @0D0H0P0 @0D0P0X0
PE Analysis
Security Scan
- file entropy: 7.962831 (probably packed)
- fpu anti-disassembly: yes
- imagebase: normal
- entrypoint: normal
- DOS stub:
Import Table
| Library | Hint | Function |
|---|---|---|
| KERNEL32.dll | 430 | FreeLibrary |
| KERNEL32.dll | 631 | GetModuleFileNameW |
Binwalk / Packer
| DECIMAL | HEXADECIMAL | DESCRIPTION |
|---|---|---|
| 0 | 0x0 | Microsoft executable, portable (PE) |
| 17408 | | |
Family Detection
No string evidence found (encrypted/obfuscated).
Raccoon — Malware Profile
Raccoon Stealer is a credential stealer. Masquerades as ProtonVPN. Supports Telegram C2. Targets browsers and crypto wallets.
Malware Type
Infostealer
Programming Language
C++
C2 Protocol
HTTP
Target Systems
Windows
Also Known As (AKA)
RecordBreaker
Technical Details
C++/C, HTTP/HTTPS C2, SQLite credential extraction (browser login data), browser history/autofill, crypto wallet stealer (Ethereum/Bitcoin), email client stealer, custom stealer panel (PHP), fingerprinting (HWID/IP)
Capabilities & Behavior
- Browser Credentials
- Cookie Theft
- Crypto Wallet Theft
- System Information
- Screenshot
- FTP/SSH Client Passwords
- Email Client Theft
- Data Exfiltration
IOC List (20 indicators)
| Type | Value | Note |
|---|---|---|
| sha1 | 78e17bd7e30c66aaef91a5b5fcb36a036a1074b7 | |
| sha256 | d60d4da2cfe120138a3fde66694b40ae2710cfc2af33cb7810b3a0e9b1663a4f | |
| md5 | d113b3debc7e0a2da4369dd8d1dbad53 | |
| domain | arena.cc | |
| domain | cacerts.digicert.com | |
| domain | coded_stream.cc | |
| domain | crl3.digicert.com | |
| domain | crl.globalsign.com | |
| domain | crl.microsoft.com | |
| domain | crl.usertrust.com | |
| domain | crt.usertrust.com | |
| mutex | Global\SecureDesktopInput_mem | |
| mutex | Global\SecureDesktop_MovieStream | |
| url | http://cacert | |
| url | http://crl3.digicert.com/DigiCertA | |
| url | http://crl3.digicert.com/DigiCertTru | |
| url | http://crl.global | |
| url | http://crl.micro | |
C2 Servers (7 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| arena.cc | domain | — | HTTP | active | — |
| cacerts.digicert.com | domain | — | HTTP | active | — |
| crl3.digicert.com | domain | — | HTTP | active | — |
| crl.globalsign.com | domain | — | HTTP | active | — |
| 45.139.199.83 | ip | 443 | HTTPS | inactive | RU |
| coded_stream.cc | domain | — | HTTP | inactive | — |
| 92.255.57.48 | ip | 80 | HTTP | sinkholed | UA |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.