Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Inside Raccoon Stealer V2

November 2, 2022

Raccoon Stealer is back in the news once again. United States authorities detained Mark Sokolovsky, one of the malware actors behind this program. In July 2022, after several months of shutdown, Raccoon Stealer V2 went viral. Recently, the Department of Justice's press release mentioned that the malware had collected 50 million credentials.

This short article gives a quick overview of the latest version of the information stealer.

What is Raccoon infostealer V2?

Raccoon Stealer is a type of malware that steals various data from an infected computer. It is fairly basic malware, but the hackers behind it have made Raccoon popular with good service and easy navigation.

In 2019, Raccoon infostealer was one of the most talked-about malware families. For $75 per week or $200 per month, cybercriminals offered this simple but functional information stealer as a MaaS (malware-as-a-service). The malware succeeded in hitting a large number of systems. In March 2022, however, the threat actors ceased operations.

An updated version of this malware was released in July 2022. Since then, Raccoon Stealer V2 has gone viral and acquired a new name – RecordBreaker.

Raccoon v2's tactics & techniques in the ANY.RUN Sandbox

How to analyze Raccoon stealer V2

Execution process / What Raccoon malware does:

Loads WinAPI libraries: uses kernel32.dll!LoadLibraryW

Gets WinAPI functions' addresses: uses kernel32.dll!GetProcAddress

Strings and C2 servers encryption: encrypted with the RC4 or XOR algorithm; there can also be no encryption at all, or a combination of the different options

Crash triggers: CIS countries locale, mutex

System/LocalSystem level privilege check: uses Advapi32.dll!GetTokenInformation and Advapi32.dll!ConvertSidToStringSidW, comparing the StringSid with L"S-1-5-18"

Process list: uses the TlHelp32 API (kernel32.dll!CreateToolhelp32Snapshot to capture processes, then kernel32.dll!Process32First / kernel32.dll!Process32Next)

Connecting to C2 servers: creates the string
machineId={machineguid}|{username}&configId={rc4_c2_key}
and then sends a POST request

User and system data collection:
  • the OS bitness
  • information about RAM and CPU
  • applications installed in the system
  • cookies
  • autofill data
  • autofill form data

Sending of collected data: POST requests to the C2

Receiving a response from the C2: the C2 sends "received"

Finishing operations: takes screenshot(s), releases the remaining allocated resources, unloads the libraries, and finishes its job
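The C2 check-in string above has a fixed layout, which makes it a usable detection artifact in outbound proxy or web logs. The following is an added example (not code from ANY.RUN or the original article): it parses POST bodies from constructed log lines in a made-up "timestamp method url body" format, and reports the ones whose body matches machineId={machineguid}|{username}&configId={rc4_c2_key}. The IP addresses, GUIDs, usernames and config IDs in the sample are all constructed.

```python
"""Detect the Raccoon v2 check-in body layout in outbound POST logs (added example)."""
import re
from urllib.parse import parse_qs

# Constructed sample log in a hypothetical "ts method url body" format (not a real proxy's format).
SAMPLE_LOG = """\
2022-11-02T10:00:01Z POST http://203.0.113.10/ machineId=4c4c4544-0035-4a10-8031-b2c04f4d4b32|analyst&configId=0123456789abcdef0123456789abcdef
2022-11-02T10:00:05Z GET http://www.example.com/index.html -
2022-11-02T10:00:09Z POST http://www.example.com/login user=bob&pass=secret
2022-11-02T10:01:14Z POST http://198.51.100.7/ machineId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee|svc%5Fuser&configId=deadbeef
"""

# {machineguid} is a Windows MachineGuid, i.e. a standard GUID in text form.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_checkin(body: str):
    """Return the fields of a check-in body, or None if the body does not match the layout.

    The layout from the article is exactly two parameters, machineId and configId, with
    machineId carrying "<guid>|<username>". Anything else is treated as ordinary traffic.
    """
    params = parse_qs(body, keep_blank_values=True)
    if set(params) != {"machineId", "configId"}:
        return None
    machine = params["machineId"][0]
    if "|" not in machine:
        return None
    guid, username = machine.split("|", 1)
    if not GUID_RE.match(guid) or not username:
        return None
    return {"machineguid": guid, "username": username, "config_id": params["configId"][0]}


def scan_log(text: str):
    """Return one hit dict (timestamp, url and the parsed fields) per matching POST line."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[1] != "POST":
            continue
        ts, _, url, body = parts
        parsed = parse_checkin(body)
        if parsed:
            hits.append({"ts": ts, "url": url, **parsed})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['url']} host={hit['machineguid']} user={hit['username']} cfg={hit['config_id']}")
```

The configId value is the RC4 C2 key, so once a hit is confirmed the same value feeds the configuration-extraction step described later in the article; the URL of the hit is the C2 server to block or hunt for elsewhere.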

We have triaged several Raccoon Stealer V2 samples, collected the common behavioral activities, and briefly described its execution process.

Read the deeper and more comprehensive Raccoon stealer 2.0 malware analysis. In that article, you can follow all the steps and get a complete picture of the information stealer's behavior. Besides the in-depth research, you get a chance to extract the malware configuration yourself: copy the Python script for Raccoon Stealer and unpack memory dumps to extract the C&C servers and keys.
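The article says the strings and C2 servers are protected with RC4, XOR, no encryption at all, or a combination, which is what a configuration-extraction script has to cope with. The block below is an added example, not ANY.RUN's script: given blobs an analyst has carved from a memory dump plus a candidate RC4 key and XOR byte, it tries each scheme in turn and keeps the decoding that yields a plausible C2 string. The key, the XOR byte and the sample blobs are constructed for the example (they are built in place with the block's own RC4 routine so it runs offline), and the "plausible string" heuristic is an assumption of this example, not a statement about the real malware.

```python
"""Try the string-protection schemes the article lists and keep plausible decodings (added example)."""
import string
from typing import Dict, List, Optional, Tuple

# Printable ASCII minus vertical tab / form feed; used only by the plausibility heuristic.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single(key_byte: int, data: bytes) -> bytes:
    """Single-byte XOR, also its own inverse."""
    return bytes(b ^ key_byte for b in data)


def looks_like_config_string(data: bytes) -> bool:
    """Heuristic (assumption of this example): fully printable and a URL or a known config key name."""
    if not data or any(b not in PRINTABLE for b in data):
        return False
    text = data.decode()
    return text.startswith(("http://", "https://")) or "configId" in text or "machineId" in text


def decode_candidate(blob: bytes, rc4_key: bytes, xor_byte: int) -> Optional[Tuple[str, bytes]]:
    """Try no encryption, XOR, RC4, then RC4 followed by XOR; return (scheme, plaintext) or None."""
    attempts = [
        ("none", blob),
        ("xor", xor_single(xor_byte, blob)),
        ("rc4", rc4(rc4_key, blob)),
        ("rc4+xor", xor_single(xor_byte, rc4(rc4_key, blob))),  # the "combination" case
    ]
    for scheme, plain in attempts:
        if looks_like_config_string(plain):
            return scheme, plain
    return None


def extract_config(blobs: List[bytes], rc4_key: bytes, xor_byte: int) -> Dict[str, str]:
    """Map each recovered string to the scheme that recovered it; blobs that decode to nothing are dropped."""
    found: Dict[str, str] = {}
    for blob in blobs:
        result = decode_candidate(blob, rc4_key, xor_byte)
        if result:
            scheme, plain = result
            found[plain.decode()] = scheme
    return found


# Constructed sample: protected strings as an analyst might carve from a dump (not real Raccoon data).
SAMPLE_KEY = b"example-rc4-key"  # constructed, not a real Raccoon key
SAMPLE_XOR = 0x5A                # constructed
SAMPLE_BLOBS = [
    rc4(SAMPLE_KEY, b"http://c2.example.invalid/"),                    # RC4-protected C2 URL
    xor_single(SAMPLE_XOR, b"https://backup.example.invalid/gate"),     # XOR-protected C2 URL
    b"configId=",                                                        # left in the clear
    rc4(SAMPLE_KEY, xor_single(SAMPLE_XOR, b"machineId=")),              # XOR, then RC4 on top
    b"\x00\x01\x02\xff",                                                 # noise, decodes to nothing
]

if __name__ == "__main__":
    for text, scheme in extract_config(SAMPLE_BLOBS, SAMPLE_KEY, SAMPLE_XOR).items():
        print(f"{scheme:8} {text}")
```

In practice the RC4 key comes from the sample (the article's table shows it also travels in the configId parameter of the check-in), and the carving step that produces the blobs depends on the dump; the decoding loop itself does not change.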

Raccoon v2 malware configuration

Where to analyze malware

Do you want to analyze malicious files and links? There is a fast and easy solution: get ready-made configurations in the ANY.RUN online malware sandbox and analyze suspicious files thoroughly. Try to crack any malware using an interactive approach:

Write the "HACKERNEWS" promo code at [email protected] using your business email address and get 14 days of ANY.RUN premium subscription for free!

The ANY.RUN sandbox lets you analyze malware quickly, navigate the research process easily, detect even advanced malware, and get detailed reports. Use smart tools and hunt malware effectively.
