Manual Static Analysis (LLM-Assisted) — Raccoon Stealer V2 (RecordBreaker) | Threat: HIGH

File Identity

SHA256: 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91
Lure File Name: ProtonVPN_3.0.5.exe
Internal Name (ProductName): CrazyTooth
String Count: 1,278 (C++ native)

Identity and Lure

This sample is distributed as ProtonVPN 3.0.5.exe. Presenting it as a privacy-focused VPN application is meant to target users who value privacy and pay particular attention to their personal security. Internal ProductName: CrazyTooth

Obfuscated Mutex (RecordBreaker Signature)

ZakidefurarugafUTahocefecapuv godu yohasikolaki legakaz
xezedifu tez nodiraxu cehajixo xasibifobijilaJXuzi poriseg
pipidahi fidelamirayite foyahocepige fakabulob gunopaxivoname

This long, meaningless string is the characteristic obfuscated mutex structure of the Raccoon Stealer V2 (RecordBreaker) family. In static analysis this pattern is a definitive indicator of the RecordBreaker family.

Raccoon V2 Capabilities

  • Browser credentials (Chrome/Firefox/Edge/Brave — 60+ browsers)
  • Cookie theft and session hijacking
  • Crypto wallets: MetaMask, Exodus, Atomic, Electrum, Coinbase
  • Email: Outlook, Thunderbird
  • FTP: FileZilla, WinSCP
  • Screenshot capture
  • System information, sent to the C2 as a structured data package

IOC

SHA256: 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91
Lure: ProtonVPN_3.0.5.exe
Internal Name: CrazyTooth
Mutex: Obfuscated (ZakidefurarugafU...)
C2: Encrypted (Telegram bot dead-drop + HTTP)

Raccoon — Malware Profile

Raccoon Stealer credential thief. ProtonVPN disguise. Telegram C2 support. Targets browsers and crypto wallets.

Malware Type
Infostealer
Programming Language
C++
C2 Protocol
HTTP
Target Systems
Windows
Also Known As (AKA)
RecordBreaker

Technical Details

C++/C, HTTP/HTTPS C2, SQLite credential extraction (browser login data), browser history/autofill, crypto wallet stealer (Ethereum/Bitcoin), email client stealer, custom stealer panel (PHP), fingerprint (HWID/IP)

Capabilities & Behavior

Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshot Capture
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration

IOC List (1 indicator)

IOC — Raccoon

Type Value Note
sha256 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 —

C2 Servers (7 recorded servers for this family)

Address Type Port Protocol Status Country
arena.cc domain — HTTP active —
cacerts.digicert.com domain — HTTP active —
crl3.digicert.com domain — HTTP active —
crl.globalsign.com domain — HTTP active —
45.139.199.83 ip 443 HTTPS inactive RU
coded_stream.cc domain — HTTP inactive —
92.255.57.48 ip 80 HTTP sinkholed UA

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.
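As an added example (not KEYDAL's code and not part of the report), the script below turns the IOCs above into something a SOC can act on: it parses the C2 table as printed, separates rows that are safe to block from rows that need review or should be ignored, and checks a strings dump for the obfuscated mutex prefix and ProductName described in the mutex section. The CA-endpoint suffix list, the RFC 1123 hostname check and the rule that bare `<name>.cc` entries go to analyst review are my own assumptions, not classifications made by the report; the constructed strings dump is likewise illustrative input.

```python
import hashlib
import re

# Indicators copied from the report above.
KNOWN_SHA256 = "1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91"
MUTEX_PREFIX = "ZakidefurarugafU"
PRODUCT_NAME = "CrazyTooth"
LURE_FILENAME = "ProtonVPN_3.0.5.exe"

# The "C2 Servers" table from the report, copied row by row:
# address type port protocol status country ("—" means not recorded).
C2_TABLE = """\
arena.cc domain — HTTP active —
cacerts.digicert.com domain — HTTP active —
crl3.digicert.com domain — HTTP active —
crl.globalsign.com domain — HTTP active —
45.139.199.83 ip 443 HTTPS inactive RU
coded_stream.cc domain — HTTP inactive —
92.255.57.48 ip 80 HTTP sinkholed UA
"""

# Assumption: public certificate-authority hosts (CRL / AIA endpoints). Any signed
# Windows binary may contact these during signature validation, so blocking them
# breaks legitimate software rather than the stealer.
CA_INFRA_SUFFIXES = (".digicert.com", ".globalsign.com")

# RFC 1123 hostname: labels of letters, digits and hyphens only (no underscore).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def parse_c2_table(text=C2_TABLE):
    """Turn the whitespace-separated table into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # header or blank line
        address, kind, port, proto, status, country = parts
        rows.append({
            "address": address,
            "type": kind,
            "port": None if port == "—" else int(port),
            "protocol": proto,
            "status": status,
            "country": None if country == "—" else country,
        })
    return rows


def triage_c2(rows):
    """Sort rows into block-list candidates, analyst-review items and noise."""
    out = {"block": [], "review": [], "ignore": []}
    for r in rows:
        a = r["address"]
        if r["type"] == "ip":
            # Sinkholed IPs are still worth alerting on: a connection to a
            # sinkhole means the host is infected.
            out["block"].append(a)
        elif a.endswith(CA_INFRA_SUFFIXES):
            out["ignore"].append(a)
        elif not HOSTNAME_RE.match(a):
            # e.g. "coded_stream.cc": an underscore is not legal in a hostname,
            # so this is a source-file string from the binary, not a domain.
            out["ignore"].append(a)
        elif a.endswith(".cc") and a.count(".") == 1:
            # Assumption: a bare "<name>.cc" looks as much like a C++ source
            # file as a domain, so an analyst confirms it before it is blocked.
            out["review"].append(a)
        else:
            out["block"].append(a)
    return out


def match_strings(extracted_strings):
    """Check strings dumped from a sample against the report's string IOCs."""
    hits = set()
    for s in extracted_strings:
        if s.startswith(MUTEX_PREFIX):
            hits.add("mutex")
        if s == PRODUCT_NAME:
            hits.add("product_name")
        if s == LURE_FILENAME:
            hits.add("lure_filename")
    return hits


def sha256_matches(data):
    """True when the raw bytes of a file hash to the reported SHA256."""
    return hashlib.sha256(data).hexdigest() == KNOWN_SHA256


# Constructed stand-in for the output of a strings dump (not from the sample).
SAMPLE_STRINGS = [
    "ZakidefurarugafUTahocefecapuv godu yohasikolaki legakaz",
    "CrazyTooth",
    "GetProcAddress",
]

if __name__ == "__main__":
    print(triage_c2(parse_c2_table()))
    print(match_strings(SAMPLE_STRINGS))
```

Run as-is, the triage puts only the two IP addresses on the block list, sends `arena.cc` to review, and drops the CA revocation endpoints and the underscore-containing `coded_stream.cc`; the strings check fires on the mutex prefix and the ProductName. Feed `sha256_matches()` the bytes of a real file to confirm it is the reported sample before trusting the string hits alone.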

Tags
raccoon, raccoon-v2, recordbreaker, infostealer, protonvpn-lure, obfuscated-mutex, cpp, crazytooth