Stealer malware is popular among cybercriminals because it is easily configurable and only requires the victim to execute the binary for the attacker to receive the exfiltrated data. Most stealers operate under a Malware-as-a-Service (MaaS) model, where the customer purchases the stealer, packs it, and distributes it, mostly as fake cracked software.
This malware analysis delves deeper into the technical details of how the Raccoon Stealer v2.0 malware functions and our security recommendations to protect your organization from being exploited.
Raccoon Stealer first appeared on hacking forums around April 2019 and was advertised as a stealer written in C/C++ that runs on 32-bit and 64-bit systems without .NET dependencies (Figure 1). It came with a Telegram bot that sent the exfiltrated data directly to the attacker’s Telegram.
The original version also included capabilities such as grabbing FileZilla sessions, acting as a dropper, grabbing system information, passwords, and cookies from browsers, and stealing cryptocurrency wallets (Atomic, Jaxx Liberty, Ripple, Ronin, Raven, Dash, Coinomi, etc.).
Raccoon Stealer also sold a malicious program known as Raccoon Clipper that worked on the following crypto wallets:
The clipper program monitors the user’s clipboard for specific data and replaces it with the data defined by an attacker. In this case, if the user attempts to send Bitcoins to someone, the clipper replaces the copied wallet address with the attacker’s wallet address.
On March 25th, 2022, Raccoon Stealer operators announced a break and shut down the Raccoon Stealer MaaS project for a couple of months due to the loss of the main developer. However, they promised a comeback with Raccoon Stealer version 2.0 (Figure 2).
On June 1, 2022, Raccoon Stealer announced the release of Raccoon Stealer 2.0 Beta test version that was developed from scratch with completely new front-end and back-end features (Figure 3).
On June 21, 2022, the official public Raccoon Stealer channel on Telegram became active again with an advertisement for a new version (Figure 4).
On June 30th, 2022, the official announcement of the new version appeared on a Russian-speaking hacking forum. The beta version 2.0 was in testing mode for 2 months.
The new version of the stealer is priced at $150/week, $275/month, and $750/3 months.
The first samples of the new stealer started appearing in the wild on June 8, 2022. Threat researchers named the then-unknown malware ‘RecordBreaker’ after the user-agent “Record” that it uses when communicating with the C2 server.
Raccoon Stealer version 2.0 comes with a build written in C++. The build is advertised as significantly lighter than the previous version, approximately 55KB compared to 580KB, since the run-time (CRT) dependencies are claimed to have been removed.
Import functions are dynamically linked; almost all browsers are supported for cookie and credential exfiltration; Chrome cookie files and passwords are decrypted on the C2 server; and the supported crypto wallets include Coinbase, MetaMask, Brave, and Ronin.
The new stealer version also comes with a loader and a grabber, and supports the Chinese language for the stealer panel as well as Telegram bot configuration. The loader component allows an attacker to execute additional payloads on the infected system. The supported commands and file extensions for execution:
In the new version, an attacker can also choose a custom location (LocalLow, Temp, AppData) to drop the additional payloads.
The grabber component can search recursively across the entire disk, including mounted USB drives, using the command %DSK_235% or %DSK23% (the seller claims that a full scan takes only 15-20 seconds).
The stealer model has also changed. The attacker needs to set up their own proxy server (up to 5 proxy IPs) through which the stealer binary, or build, communicates. According to the seller, this increases the rate of successful malware execution and improves performance.
It should be noted that in version 1.0, the stealer communicated with two requests:
As a result, the data was sent in parts during the collection process – browser profiles, screenshots, system information, and crypto wallets were sent separately. This ensured that the attacker would still receive at least part of the exfiltrated data even if antivirus detected the stealer at runtime.
Recently eSentire’s Threat Response Unit (TRU) team has observed multiple Raccoon Stealer v2.0 samples. We will look at one of the samples (MD5: 1aa8b18e333b780fe844b1d02c809324) that was delivered by a drive-by download.
The stealer spreads as fake cracked software in a password-protected archive. The packed stealer is a 32-bit executable weighing over 400MB, packed with the Themida packer and MPacker. After unpacking the stealer at runtime, we extracted the payload (MD5: 42dd369c7b3312f4f8a6b20adae0f04d), which is approximately 7.85 MB. The payload contains RC4-encrypted and Base64-encoded strings (Figure 5).
What makes Raccoon Stealer v2.0 unique is that it uses the hardcoded RC4 key “edinayarossiya”, which is Russian for “United Russia” (Figure 6).
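As an added example (our code, not the post's or the malware's), here is a small Python string decryptor that reverses the scheme described above: Base64-decode the blob, then RC4 it with the key “edinayarossiya”. The two Base64 blobs in YARA_BLOBS are the $encrypted_string patterns from the YARA rule at the end of the post with their hex converted to ASCII; the post does not state what they decrypt to, so the script simply prints whatever it recovers. The round-trip sample uses a cleartext string from Table 1 and is constructed for this example.

```python
import base64

# Hardcoded RC4 key reported for Raccoon Stealer v2.0 in the analysis above.
RC4_KEY = b"edinayarossiya"

# The two $encrypted_string byte patterns from the post's YARA rule, converted from
# hex to ASCII. What they decrypt to is not stated in the post; we only decode them.
YARA_BLOBS = ["ABVLniF5jMfxSQ==", "ZVcMuBwwgojxLFI="]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). One routine serves for encryption and decryption."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(b64_blob: str, key: bytes = RC4_KEY) -> bytes:
    """Undo the stealer's string protection: Base64-decode first, then RC4."""
    return rc4(key, base64.b64decode(b64_blob))


def encrypt_string(plaintext: bytes, key: bytes = RC4_KEY) -> str:
    """Build a blob in the same layout (RC4, then Base64); used here for test data only."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decrypt_all(blobs, key: bytes = RC4_KEY):
    """Decrypt a list of Base64 blobs, e.g. the output of a strings pass over the payload."""
    return [decrypt_string(b, key) for b in blobs]


if __name__ == "__main__":
    # Constructed sample: a cleartext string from Table 1 protected the way the stealer does it.
    sample = encrypt_string(b"\\passwords.txt")
    print(sample, "->", decrypt_string(sample))
    for blob, plain in zip(YARA_BLOBS, decrypt_all(YARA_BLOBS)):
        print(blob, "->", plain)
```

To apply this to a real sample, feed decrypt_all the Base64-looking strings pulled from the unpacked payload; anything that decrypts to readable text confirms both the key and the encoding order.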
Table 1 shows the decrypted strings found in the sample. Some of the strings, such as passwords.txt, autofill.txt, and cookies.txt, show the threat actor’s intention to exfiltrate sensitive data.
Table 1: Decrypted strings
RAM: %d MB\n | CPU: %s (%d cores)\n | Display size: %dx%d\n |
Display Devices:\n%s\n | OS: %s\n | Locale: %s\n |
cookies.sqlite | formhistory.sqlite | ews_ |
encryptedUsername":" | grbr_ | sqlite3_close |
sqlite3_column_text16 | sqlite3_column_bytes16 | sqlite3_column_blob |
sqlite3_finalize | sqlite3_open16 | sqlite3_step |
sqlite3_prepare_v2 | sqlite3.dll | sstmnfo_ |
stats_version":" | scrnsht_ | pera |
wallets | wlts_ | token: |
tlgrm_ | encrypted_key":" | encryptedPassword":" |
guid": | httpRealm": | &configId= |
NUM:%s\nHOLDER:%s\nEXP:%s/%s\n | NSS_Shutdown | NSS_Init |
MachineGuid | Low | BitBlt |
CreateCompatibleBitmap | CreateCompatibleDC | Content-Disposition: form-dat |
Content-Type: application/x-w | Content-Type: multipart/form- | Content-Type: text/plain; |
Content-Type: application/x-o | GetObjectW | Gdi32.dll |
GdiPlus.dll | GdiplusStartup | GdipSaveImageToFile |
GdipCreateBitmapFromHBITMAP | GdipGetImageEncoders | GdipGetImageEncodersSize |
GdipDisposeImage | GET | DeleteObject |
\\passwords.txt | \\autofill.txt | \\cookies.txt |
\\CC.txt | Stable | StretchBlt |
SetStretchBltMode | SelectObject | SELECT origin_url, username_v |
SELECT host_key, path, is_sece | SELECT name_on_card, card_num | SECITEM_FreeItem |
SOFTWARE\\Microsoft\\Windows NT | SProductName | Profiles |
POST | PATH | PK11_Authenticate |
PK11_GetInternalKeySlot | PK11_FreeSlot | PK11SDR_Decrypt |
User Data | URL:%s\nUSR:%s\nPASS:%s\n | Web Data |
image/jpeg | hostname":" | nss3.dll |
machineId= | logins.json | ldr_ |
Table 2: List of crypto wallets (wlts_) and file extensions the stealer searches for
wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar* |
wlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB* |
wlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache* |
wlts_binance:Binance;26;Binance;*app-store.*;- |
wlts_coinomi:Coinomi;28;Coinomi\Coinomi\wallets;*;- |
wlts_electrum:Electrum;26;Electrum\wallets;*;- |
wlts_elecltc:Electrum-LTC;26;Electrum-LTC\wallets;*;- |
wlts_elecbch:ElectronCash;26;ElectronCash\wallets;*;- |
wlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB* |
wlts_green:BlockstreamGreen;28;Blockstream\Green;*;cache,gdk,*logs* |
wlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite* |
wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar* |
wlts_mymonero:MyMonero;26;MyMonero;*;*cache* |
wlts_xmr:Monero;5;Monero\\wallets;*.keys;- |
wlts_wasabi:Wasabi;26;WalletWasabi\\Client;*;*tor*,*log* |
Table 3: List of browser crypto wallet extensions (ews_) the stealer searches for
ews_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings | ews_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings |
ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings | ews_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB |
ews_waveskeeper:lpilbniiabackdjcionkobglmddfbcjo;WavesKeeper;Local Extension Settings | ews_solflare:bhhhlbepdkbapadjdnnojkbgioiodbic;Solflare;Local Extension Settings |
ews_rabby:acmacodkjbdgmoleebolmdjonilkdbch;Rabby;Local Extension Settings | ews_cyano:dkdedlpgdmmkkfjabffeganieamfklkm;CyanoWallet;Local Extension Settings |
ews_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB | ews_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings |
ews_khc:hcflpincpppdclinealmandijcmnkbgn;KHC;Local Extension Settings | ews_tezbox:mnfifefkajgofkcjkemidiaecocnkjeh;TezBox;Local Extension Settings |
ews_coin98:aeachknmefphepccionboohckonoeemg;Coin98;Local Extension Settings | ews_temple:ookjlbkiijinhpmnjffcofjonbfbgaoc;Temple;Local Extension Settings |
ews_iconex:flpiciilemghbmfalicajoolhkkenfel;ICONex;Local Extension Settings | ews_sollet:fhmfendgdocmcbmfikdcogofphimnkno;Sollet;Local Extension Settings |
ews_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings | ews_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settings |
ews_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Settings | ews_keplr:dmkamcknogkgcdfhhbddcghachkejeap;Keplr;Local Extension Settings |
ews_terra_e:ajkhoeiiokighlmdnlakpjfoobnjinie;TerraStation;Local Extension Settings | ews_terra:aiifbnbfobpmeekipheeijimdpnlpgpp;TerraStation;Local Extension Settings |
ews_liquality:kpfopkelmapcoipemfendmdcghnegimn;Liquality;Local Extension Settings | ews_saturn:nkddgncdjgjfcddamfgcmfnlhccnimig;SaturnWallet;Local Extension Settings |
ews_guild:nanjmdknhkinifnkgdcggcfnhdaammmj;GuildWallet;Local Extension Settings | ews_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings |
ews_tronlink:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings | ews_brave:odbfpeeihdkbihmopkbjmoonfanlbfcl;Brave;Local Extension Settings |
ews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings | ews_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings |
ews_mewcx:nlbmnnijcnlegkjjpcfjclmcfggfefdm;MEW_CX;Sync Extension Settings | ews_ton:cgeeodpfagjceefieflmdfphplkenlfk;TON;Local Extension Settings |
ews_goby:jnkelfanjkeadonecabehalmbgpfodjm;Goby;Local Extension Settings | ews_ton_ex:nphplpgoakhhjchkkhmiggakijnkhfnd;TON;Local Extension Settings |
ews_Cosmostation:fpkhgmpbidmiogeglndfbkegfdlnajnf;Cosmostation;Local Extension Settings | ews_bitkeep:jiidiaalihmmhddjgbnbgdfflelocpak;BitKeep;Local Extension Settings |
ews_gamestopext:pkkjjapmlcncipeecdmlhaipahfdphkd;GameStop;Local Extension Settings | ews_stargazer:pgiaagfkgcbnmiiolekcfmljdagdhlcm;Stargazer;Local Extension Settings |
ews_clv:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings | ews_jaxxlibertyext:cjelfplplebdjjenllpjcblmjkfcffne;JaxxLibertyExtension;Local Extension Settings |
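The entries in Tables 2 and 3 follow a fixed layout: wlts_ lines read tag:Name;folder-id;subpath;file-mask;exclusions and ews_ lines read tag:extension-id;Name;storage-dir. As an added example (not code from the post), the Python below parses a few of those lines into records a defender can use to build a watch-list of wallet folders and extension ids. The mapping of the numeric folder field to Windows CSIDL values (26 = CSIDL_APPDATA, 28 = CSIDL_LOCAL_APPDATA, 5 = CSIDL_PERSONAL) is our assumption based on where each wallet stores its data; the post does not state it.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Assumption: the numeric folder field is a Windows CSIDL value. 26 = CSIDL_APPDATA,
# 28 = CSIDL_LOCAL_APPDATA, 5 = CSIDL_PERSONAL (Documents). The post does not say this;
# it is our reading based on where each listed wallet keeps its files.
CSIDL_NAMES = {5: "%USERPROFILE%\\Documents", 26: "%APPDATA%", 28: "%LOCALAPPDATA%"}

# Constructed sample: a handful of lines copied from Tables 2 and 3 above.
SAMPLE_CONFIG = r"""
wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar* |
wlts_coinomi:Coinomi;28;Coinomi\Coinomi\wallets;*;- |
wlts_xmr:Monero;5;Monero\\wallets;*.keys;- |
ews_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings | ews_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB |
ews_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB | ews_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings |
"""


@dataclass
class WalletRule:
    tag: str               # e.g. wlts_exodus
    name: str              # display name used in the log
    folder_id: int         # CSIDL-style base folder (assumption, see above)
    subpath: str           # folder under the base, as written in the config
    file_mask: str         # which files to take
    exclusions: List[str]  # sub-folders to skip ("-" in the config means none)

    def search_root(self) -> str:
        base = CSIDL_NAMES.get(self.folder_id, f"<CSIDL {self.folder_id}>")
        return base + "\\" + self.subpath.replace("\\\\", "\\")


@dataclass
class ExtensionRule:
    tag: str
    extension_id: str      # Chromium extension id
    name: str
    storage_dir: str       # where the extension keeps its data in the browser profile


def parse_wallet_rule(entry: str) -> WalletRule:
    tag, _, body = entry.partition(":")
    name, folder_id, subpath, mask, excl = body.split(";")
    exclusions = [] if excl == "-" else excl.split(",")
    return WalletRule(tag, name, int(folder_id), subpath, mask, exclusions)


def parse_extension_rule(entry: str) -> ExtensionRule:
    tag, _, body = entry.partition(":")
    ext_id, name, storage = body.split(";")
    return ExtensionRule(tag, ext_id, name, storage)


def parse_config(text: str) -> Tuple[List[WalletRule], List[ExtensionRule]]:
    """Split the pipe-separated table cells and parse each wlts_/ews_ entry."""
    wallets, extensions = [], []
    for line in text.splitlines():
        for cell in line.split("|"):
            entry = cell.strip()
            if entry.startswith("wlts_"):
                wallets.append(parse_wallet_rule(entry))
            elif entry.startswith("ews_"):
                extensions.append(parse_extension_rule(entry))
    return wallets, extensions


def extension_ids(rules: Iterable[ExtensionRule]) -> Set[str]:
    """Set of extension ids to compare against a host's installed-extension inventory."""
    return {r.extension_id for r in rules}


def wallet_paths(rules: Iterable[WalletRule]) -> List[str]:
    """Folders whose access by an unexpected process is worth alerting on."""
    return [r.search_root() for r in rules]


if __name__ == "__main__":
    wallets, extensions = parse_config(SAMPLE_CONFIG)
    for path in wallet_paths(wallets):
        print("wallet folder:", path)
    print("extension ids:", sorted(extension_ids(extensions)))
```

The parser accepts the full tables as pasted, so the output of wallet_paths and extension_ids can go straight into a file-access monitoring rule or an extension inventory check.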
We observed the following Certificate information for the packed stealer binary:
Performing the search based on the serial number of the certificate, we found multiple Raccoon Stealer v2.0 samples (Figure 7).
Raccoon Stealer v2.0 uses the run-time dynamic linking technique (Figure 8) to load libraries (DLLs) only when needed, with the help of the LoadLibrary and GetProcAddress functions:
The non-crypted, clean version of Raccoon Stealer v2.0 weighs only 55 KB, as advertised, and consists of 78 functions. The Raccoon Stealer distributor prohibits using the stealer without the crypter (software that obfuscates and encrypts malware) and prohibits scanning the builds through virus scanners, to avoid raising the detection rate or making the clean sample publicly available. Raccoon Stealer provides its own crypter to clients for an extra payment.
Upon execution, the stealer makes two C2 connections: the first connection is to the main C2 server where the exfiltrated data is sent (45.133.216[.]200) while the second connection is to the IP that serves as a loader for the secondary payload (94.158.244[.]119) (Figure 9).
The IP address serving the secondary payload was initially hosting the 32-bit binary “84897964387342609301” (MD5: 9f7bbc47a68cd4e2756f3b93ed11a992), disguised as Wmiprvse.exe (WMI Provider Host) (Figure 10).
Upon analyzing the loader sample, we extracted the following strings:
Table 4: Strings extracted from the loader sample
jW5fQ5e-C7lR7tC1q | 1AE12eEvYob8e5WVSkhainaDoFydHcxziz |
3CXesBxRrLoQrhtXBzixcELUQqR94XyTan | bc1qmla5mlcydy5ly4za7tf5xrwamuxt0jz6w62sl8 |
LggmPWTNgTPpY6evKrED2dy72wN9EDzgBQ | MM1UY3oCPcBAbJWNL5f8CdaPgxFeM8KEmh |
ltc1qf78tyv7ygtvnhlyak026956uhfh6wrpjgnuvsp | 0xbbadfb56f56d37601f62039c8d368e13c3d5e210 |
433JgHYcvGfb5zCFFbfH3zW3HB6nz5ah1J6zSW8p2Ac6AvXCHzWacQdZD2snEnijjZVbhUxsMxVxwPHwopCGXFHWGDo59vU | 832XKsTJiDCUSNjtnjcWVvXNwYKgzCoXPTejxnMhKHhNhb55RMyBgBMJpqS9RX7ywoKoV5pmTRdvvCMb3XsY4o9KHy5GLGE |
D7kjwr9bTZCd4u8ws7KLvKsv71ai53vppJ | addr1qxfaxxg87zn7y08wj784235sjussh5d0tvnf553nfqf3c2yn6vvs0u98ug7wa9u024rfp9epp0g67kexnffrxjqnrs5qlq308g |
Ae2tdPwUPEZ4SGK88ZzwuAzcUsos6SBQA1rDpbMNZhJo2TezusztfvxkfU7 | t1T8AFPn2G9oXE5ZPgAQSiipGwYyvgxavyX |
bnb1zh48nf24wpcarq8clwfmxg5uggwwa9cqtpz6xk | TGkPLc2XbSiDLdrxaiZpAzFu8WL37j1TYM |
AaK9Z1EG6sZLfeVM3SkqUXFuamkDvBRfMy | cosmos1ljx6qdfud54mhquec20nncrsp9zn0pmvlhjfuy |
AGVDbNVutgwiep6615bjTJnQkScwWuUEMuU95NredRG5 | XLZZIN45UKRRZIYERPIP3NLHZLRJB5MPBBK5NVDSCKCM6TY3CP4MJJYOWE |
ronin:bbadfb56f56d37601f62039c8d368e13c3d5e210 | Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg |
rHDfnp9vP5aV81QqehsZZAEeKrgZUs3KyH | RUG3uyX1vvgV3uadKnBPbgatH391U5E3E7 |
kernel32.dll | Shlwapi.dll |
ntdll.dll | Shell32.dll |
Ole32.dll | User32.dll |
\Microsoft\AddIns | \WmiPrvSE.exe |
hC5zF4xW4pD6iF6a.xml | NodeJSEnvironmentUpdateTask |
/C /create /F /sc minute /mo 5 /tn " | " /tr " |
C:\Windows\System32\schtasks.exe | /C /create /F /tn " |
" /XML " | /C /Query /XML /TN " |
The secondary payload appears to be the clipper, also known as a Clipboard Hijacker, that we mentioned previously. Some of the extracted strings are the attacker’s crypto wallet addresses (Figures 11-12).
The clipper creates persistence via Scheduled Tasks:
The first scheduled task runs the clipper every 5 minutes. The second scheduled task runs the task that is defined within the created XML file (Figure 13). This task is also named “NodeJSEnvironmentUpdateTask” and runs every 5 minutes, but it will run the dropped file named NodeDisplay.Container.exe (MD5: 74744fc068f935608dff34ecd0eb1f96) under C:\Users\<username>\AppData\Roaming\Microsoft\AddIns\.
Both executable payloads are clippers and contain the same wallet addresses.
It should be noted that the attacker also started serving a different 32-bit payload named “7788926473349244” (MD5: 2481b1a178d02579fae34366bf6b37b7) from the same IP address. This payload also appears to be a Clipboard Hijacker; it contains the previously mentioned attacker wallet addresses and is disguised as the Excel.exe application (Figure 14).
The persistence is also achieved via Scheduled Task:
The XML file runs the clipper binary C:\Users\<username>\AppData\Roaming\Microsoft\Excel\cellexprev.exe every 5 minutes.
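Both persistence mechanisms above share the same shape: a scheduled task that repeats every few minutes and executes a binary dropped under the user's AppData\Roaming tree. As an added example (our code, not the post's), the Python below scans a Task Scheduler XML document for exactly those two traits. The post does not reproduce the dropped XML files, so SUSPICIOUS_TASK_XML is a constructed sample modelled on the described behaviour (the path, task name and dates are ours), and BENIGN_TASK_XML is a constructed daily maintenance task for comparison.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple, Union

# Locations a standard user can write to; a task whose action lives here deserves a look.
USER_WRITABLE = re.compile(
    r"(\\appdata\\(roaming|local|locallow)\\|\\temp\\|%appdata%|%localappdata%|%temp%|%userprofile%)",
    re.IGNORECASE,
)
# ISO-8601 duration as used in <Repetition><Interval>, e.g. PT5M, PT1H, P1D.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample modelled on the behaviour described above (a 5-minute repetition that runs a
# binary under AppData\Roaming\Microsoft\AddIns). The real dropped XML is not reproduced in the post.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\NodeJSEnvironmentUpdateTask</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2022-07-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\Microsoft\AddIns\NodeDisplay.Container.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a daily run of a binary under %SystemRoot%.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-07-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\defrag.exe</Command><Arguments>C: /O</Arguments></Exec>
  </Actions>
</Task>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the scan works with or without the schema prefix."""
    return tag.rsplit("}", 1)[-1]


def iso_duration_seconds(value: str) -> int:
    m = DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs


def analyze_task_xml(data: Union[str, bytes], max_interval_s: int = 600) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for one Task Scheduler XML document."""
    root = ET.fromstring(data)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        text = (el.text or "").strip()
        if not text:
            continue
        if name in ("Command", "Arguments", "WorkingDirectory") and USER_WRITABLE.search(text):
            findings.append(("user_writable_path", f"{name}: {text}"))
        elif name == "Interval" and iso_duration_seconds(text) <= max_interval_s:
            findings.append(("short_interval", f"repeats every {iso_duration_seconds(text)} s"))
    return findings


def is_suspicious(data: Union[str, bytes]) -> bool:
    """Repeating tasks are common; an action under a user-writable path is the deciding signal."""
    return any(kind == "user_writable_path" for kind, _ in analyze_task_xml(data))


def scan_task_file(path: str) -> List[Tuple[str, str]]:
    """Exported task XML (schtasks /Query /XML /TN <name> > file) is UTF-16; pass the raw bytes."""
    with open(path, "rb") as fh:
        return analyze_task_xml(fh.read())


if __name__ == "__main__":
    for label, xml_doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, is_suspicious(xml_doc), analyze_task_xml(xml_doc))
```

On a live host, export each task with the schtasks /Query /XML /TN form that also appears in the loader's strings and run scan_task_file over the exports; the short-interval finding alone is noise, so is_suspicious keys on the user-writable path and leaves the interval as supporting context.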
eSentire’s Threat Response Unit (TRU) team assesses with high confidence that the same threat actor is behind the “84897964387342609301” campaign and the “7788926473349244” campaign.
The stealer is distributed through fake cracked software (Figure 15). The user is then redirected to the MediaFire or MEGA file hosting services to download the packed stealer. The malicious files share the common name “Setup.exe”, the IP address hosting and delivering the secondary payload is the same (94.158.244[.]119), and the files are also packed with Themida.
Raccoon Stealer v2.0 supports three languages: Russian, Chinese, and English. The panel uses Cloudflare for DNS records so we assume that Raccoon Stealer operators also implemented the advertised DDoS (Distributed Denial of Service) protection from Cloudflare services.
The panel settings contain the options to set up a Telegram bot to receive the logs, 2FA, language interface, time zone, and the option to choose a blockchain explorer to check for the stolen wallet balances based on their addresses (Figure 16).
It takes approximately 5-7 minutes to get the logs sent by a Telegram bot after a successful infection. The example of the Telegram logs sent to an attacker is shown in Figure 17.
The builds page contains the builds or stealer executables (Figure 18).
It should be noted that the stealer payload can be either an executable or a DLL. The DLL payload is only slightly heavier than the executable (52.5 KB), exports the ordinal _Start@16, and has the same functionality as the executable.
Interestingly enough, the encrypted DLL sample has the strings in cleartext compared to the binary (Figure 19).
The configuration can be added to the build to specify the rules for the loader and grabber (Figure 20). The build is tied to the personal proxy server, which the logs will go through. For the grabber, an attacker can specify which file extension to exfiltrate and folders as well as the maximum size. The loader capabilities have been previously mentioned.
The Logs panel (Figure 21) contains the successfully infected machines and their IP addresses.
An attacker can conveniently search for specific logs captured based on the countries, cookies, wallets, passwords within the panel using the Search option without having to directly download the exfiltrated data (Figure 23).
Raccoon Stealer v2.0 provides support over Telegram (Figure 24). It also has a public and a private channel. The private channel currently has 140 members, most of whom are native Russian speakers (Figure 24).
The communication with the C2 server is unencrypted, over port 80/HTTP. First, the infected machine sends a POST request to the C2 server using the user-agent “mozzzzzzzzzzz” (eSentire TRU also observed the user-agent “record” in the first POST request); the initial request contains the following:
machineId=<MachineGuid>|<username>&configId=<stealer_build_value>
The C2 server then serves the infected machine all the DLL dependencies that the stealer needs to function properly, which are later dropped under the %APPDATA%/LocalLow folder (Figure 26).
With the second POST request the infected machine sends the “System Info” text file which contains system information and installed applications (Figure 27).
The third POST request contains the cookie text file with all the cookies extracted from browsers (Figure 28).
The last POST request contains the screenshot.jpg file captured on the infected host.
After each POST request that contains the “System Info.txt”, “ffcookies.txt”, or “Screenshot.jpeg” file, the C2 server sends a “received” response back to the infected host (Figure 29).
The summary of the C2 communications is outlined in Figure 30.
We can also observe the stealer attempting to grab Telegram data and the loader component delivering the Clipboard Hijacker that we have mentioned previously. The secondary payload is delivered to %APPDATA% folder as an exe file (Figure 31). An example of the grabber component would look like this in the network traffic, where 400 is the maximum amount of data (KB) to grab:
grbr_Desktop:%USERPROFILE%\Desktop|*.txt,*.dat,*wallet*.*,*2fa*.*,*.exe|-|400|1|1|files
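The C2 exchange described above is unencrypted HTTP, so every element of it is visible to a proxy or network sensor: the two odd user-agents, the machineId|username&configId check-in body, the config directives (grbr_, ldr_, wlts_ and so on) coming back from the server, the fixed upload file names and the bare “received” acknowledgement. As an added example (our code, not the post's), the Python below scores HTTP events against those traits. The events in SAMPLE_EVENTS are constructed in a generic proxy-log shape: the GUID, build id, timestamps and internal addresses are made up, while the external IPs and user-agents are the indicators from this post.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the post: beacon user-agents, check-in body shape, hosting/C2 IPs,
# config directive prefixes and the names of the uploaded files.
UA_MOZ = "mozzzzzzzzzzz"
C2_USER_AGENTS = {UA_MOZ, "record"}
C2_IPS = {"45.133.216.200", "45.8.144.53", "77.91.102.57", "193.43.146.17", "94.158.244.119"}
CHECKIN_BODY = re.compile(r"^machineId=[^|&]+\|[^&]+&configId=")
CONFIG_DIRECTIVES = re.compile(r"\b(wlts_|ews_|grbr_|ldr_|tlgrm_|sstmnfo_|scrnsht_)\w*")
EXFIL_FILENAMES = {"System Info.txt", "ffcookies.txt", "Screenshot.jpeg"}

# Constructed sample events in a generic proxy/HTTP-log shape (not real traffic; the GUID,
# build id and internal addresses are made up; the external IPs are the post's IoCs).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2022-07-05T10:00:01Z", "src_ip": "10.0.0.25", "dst_ip": "45.133.216.200", "method": "POST",
     "uri": "/", "user_agent": UA_MOZ,
     "request_body": "machineId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee|victim&configId=0123456789abcdef",
     "response_body": "grbr_Desktop:%USERPROFILE%\\Desktop|*.txt,*.dat,*wallet*.*,*2fa*.*,*.exe|-|400|1|1|files"},
    {"ts": "2022-07-05T10:00:09Z", "src_ip": "10.0.0.25", "dst_ip": "45.133.216.200", "method": "POST",
     "uri": "/", "user_agent": UA_MOZ, "upload_filename": "System Info.txt", "response_body": "received"},
    {"ts": "2022-07-05T10:00:20Z", "src_ip": "10.0.0.25", "dst_ip": "94.158.244.119", "method": "GET",
     "uri": "/84897964387342609301", "user_agent": "record"},
    {"ts": "2022-07-05T10:01:00Z", "src_ip": "10.0.0.40", "dst_ip": "203.0.113.10", "method": "GET",
     "uri": "/index.html", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "response_body": "<html><body>hello</body></html>"},
    {"ts": "2022-07-05T10:01:05Z", "src_ip": "10.0.0.40", "dst_ip": "203.0.113.10", "method": "POST",
     "uri": "/search", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "request_body": "q=quarterly+report", "response_body": "received 3 results"},
]


def inspect_http_event(event: Dict) -> List[str]:
    """Return every reason this one request/response pair looks like Raccoon v2 C2 traffic."""
    reasons = []
    ua = event.get("user_agent", "")
    if ua.lower() in C2_USER_AGENTS:
        reasons.append(f"beacon user-agent {ua!r}")
    if event.get("dst_ip") in C2_IPS:
        reasons.append(f"known C2/payload host {event['dst_ip']}")
    if event.get("method") == "POST" and CHECKIN_BODY.match(event.get("request_body", "")):
        reasons.append("machineId|username&configId check-in body")
    directives = sorted({m.group(1) for m in CONFIG_DIRECTIVES.finditer(event.get("response_body", ""))})
    if directives:
        reasons.append("config directives in response: " + ", ".join(directives))
    if event.get("upload_filename") in EXFIL_FILENAMES:
        reasons.append(f"exfiltration upload {event['upload_filename']!r}")
    if event.get("method") == "POST" and event.get("response_body", "").strip() == "received":
        reasons.append("bare 'received' acknowledgement")
    return reasons


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run the per-event checks over a log and keep only the events that triggered something."""
    alerts = []
    for event in events:
        reasons = inspect_http_event(event)
        if reasons:
            alerts.append({"ts": event.get("ts"), "src_ip": event.get("src_ip"),
                           "dst_ip": event.get("dst_ip"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["src_ip"], "->", alert["dst_ip"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The IP list will age quickly, which is why the behavioural checks (user-agent, body shape, directives, file names) carry the detection; the bare “received” acknowledgement is deliberately the weakest signal and only adds weight to an event that already matched something else.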
The attacker receives the logs as a ZIP archive over Telegram; they can also download the logs through a link from the panel that supports multi-downloading. Multi-download is another feature introduced in Raccoon Stealer v2.0 to speed up log upload time: in the previous version the logs were collected from different servers, whereas now the ZIP archive is assembled locally on one server. The ZIP archive contains all the extracted data, including cookies, passwords, binaries, the screenshot, and system information (Figures 32-33).
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Raccoon Stealer v2.0 malware:
While the TTPs used by adversaries grow in sophistication, they create difficult situations in which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the ability to investigate logs and network data during active intrusions.
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicators |
Setup.exe | 1aa8b18e333b780fe844b1d02c809324 |
Setup.exe | 2b222b532216497e5851077d65b1a61c |
Extracted/unpacked payload | 42dd369c7b3312f4f8a6b20adae0f04d |
Clipper/Clipboard Hijacker (84897964387342609301.bin or WmiPrvSE.exe) | 9f7bbc47a68cd4e2756f3b93ed11a992 |
hC5zF4xW4pD6iF6a.xml (Scheduled Task) | f2c435a91cf9a3c700ad67e06438293b |
Clipper/Clipboard Hijacker (NodeDisplay.Container.exe) | 74744fc068f935608dff34ecd0eb1f96 |
Clipper/Clipboard Hijacker (7788926473349244.bin or cellexprev.exe) | 2481b1a178d02579fae34366bf6b37b7 |
yqtfncwkobl.xml (Scheduled Task) | a81596dd465b096a127a19523c8f23e7 |
Raccoon Stealer v2.0 Delphi sample | d8e94b2e2ed7b34360a676ee6a47bcb9 |
Secondary payload hosting server | 94.158.244[.]119 |
Raccoon Stealer C2 | 45.133.216[.]200 |
Raccoon Stealer C2 | 45.8.144[.]53 |
Raccoon Stealer C2 | 77.91.102[.]57 |
Raccoon Stealer C2 | 193.43.146[.]17 |
rule RaccoonStealer_v2 {
    meta:
        author = "eSentire TI"
        date = "07/05/2022"
    strings:
        $beginning_of_decryption_func = {BF 44 C8 40 00 8D 4D FC 57 51 ?? ?? ?? 40 00 50 8B CE E8 ?? 46 00 00}
        $encrypted_string1 = {41 42 56 4C 6E 69 46 35 6A 4D 66 78 53 51 3D 3D}
        $encrypted_string2 = {5A 56 63 4D 75 42 77 77 67 6F 6A 78 4C 46 49 3D}
        $user_agent = {72 00 65 00 63 00 6F 00 72 00 64}
        $user_agent2 = {6D 00 6F 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A 00 7A}
        $rc4_key = {65 64 69 6E 61 79 61 72 6F 73 73 69 79 61}
        $cleartext1 = "ews_"
        $cleartext2 = "tlgrm_"
        $cleartext3 = "grbr_"
    condition:
        // MZ (PE) or \x7fELF magic read as little-endian integers
        3 of them and (uint16(0) == 0x5A4D or uint32(0) == 0x464C457F)
}
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.