File Identity
| Field | Value |
|---|---|
| SHA256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
| Lure File Name | ProtonVPN_3.0.5.exe |
| Internal Name (ProductName) | CrazyTooth |
| String Count | 1,278 (C++ native) |
Identity and Lure
This sample is distributed as ProtonVPN_3.0.5.exe. Presenting it as a privacy-focused VPN application is intended to target users who care about privacy and pay particular attention to their personal security. Internal ProductName: CrazyTooth
Obfuscated Mutex (RecordBreaker Signature)
ZakidefurarugafUTahocefecapuv godu yohasikolaki legakaz xezedifu tez nodiraxu cehajixo xasibifobijilaJXuzi poriseg pipidahi fidelamirayite foyahocepige fakabulob gunopaxivoname
This long, meaningless string is the characteristic obfuscated mutex structure of the Raccoon Stealer V2 (RecordBreaker) family. In static analysis, this pattern is a definitive indicator of the RecordBreaker family.
Raccoon V2 Capabilities
- Browser credentials (Chrome/Firefox/Edge/Brave, 60+ browsers)
- Cookie theft and session hijacking
- Crypto wallets: MetaMask, Exodus, Atomic, Electrum, Coinbase
- Email: Outlook, Thunderbird
- FTP: FileZilla, WinSCP
- Screenshots
- System information, sent to the C2 together with the collected data package
IOC
| Field | Value |
|---|---|
| SHA256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
| Lure | ProtonVPN_3.0.5.exe |
| Internal Name | CrazyTooth |
| Mutex | Obfuscated (ZakidefurarugafU...) |
| C2 | Encrypted (Telegram bot dead-drop + HTTP) |
Raccoon - Malware Profile
Raccoon Stealer is a credential stealer. Disguised as ProtonVPN. Supports Telegram-based C2. Targets browsers and crypto wallets.
Technical Details
C++/C, HTTP/HTTPS C2, SQLite credential extraction (browser login data), browser history/autofill, crypto wallet stealer (Ethereum/Bitcoin), email client stealer, custom stealer panel (PHP), fingerprinting (HWID/IP)
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 | Lure ProtonVPN_3.0.5.exe |
C2 Servers (7 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| arena.cc | domain | - | HTTP | active | - |
| cacerts.digicert.com | domain | - | HTTP | active | - |
| crl3.digicert.com | domain | - | HTTP | active | - |
| crl.globalsign.com | domain | - | HTTP | active | - |
| 45.139.199.83 | ip | 443 | HTTPS | inactive | RU |
| coded_stream.cc | domain | - | HTTP | inactive | - |
| 92.255.57.48 | ip | 80 | HTTP | sinkholed | UA |
Note: cacerts.digicert.com, crl3.digicert.com and crl.globalsign.com are public CA certificate and CRL distribution endpoints contacted by many legitimately signed Windows binaries, and arena.cc and coded_stream.cc are also the names of Protocol Buffers source files; confirm that these entries reflect observed network activity rather than strings embedded in the samples before using them for blocking.
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.