Raccoon Stealer is back in the news once more. US officials arrested Mark Sokolovsky, one of the malware actors behind this scheme. In July 2022, following many months of shutdown, Raccoon Stealer V2 went viral. Last week, the Department of Justice's press release stated that the malware had collected 50 million credentials.
This short article gives a quick guide to the latest version of the info stealer.
What is Raccoon infostealer V2?
Raccoon Stealer is a type of malware that steals various data from an infected computer. It is quite a basic malware, but its operators have made Raccoon popular with good support and simple navigation.
In 2019, Raccoon infostealer was one of the most discussed malware families. In exchange for $75 per week or $200 per month, cybercriminals sold this simple but adaptable information stealer as a MaaS. The malware was successful in attacking a variety of systems. In March 2022, however, the threat actors ceased operations.
An updated version of this malware was released in July 2022. As a result, Raccoon Stealer V2 has gone viral and gained a new name – RecordBreaker.
Raccoon v2's tactics & techniques in ANY.Run Sandbox
How to analyze Raccoon stealer V2
| Execution process | What Raccoon malware does |
|---|---|
| Loads WinAPI libraries | Uses kernel32.dll!LoadLibraryW |
| Gets WinAPI functions' addresses | Uses kernel32.dll!GetProcAddress |
| Strings and C2 servers encryption | Encrypted with the RC4 or XOR algorithm; there can also be no encryption at all, or a combination of the different options |
| Crash triggers | CIS countries locale, mutex |
| System/LocalSystem level privilege check | Uses Advapi32.dll!GetTokenInformation and Advapi32.dll!ConvertSidToStringSidW, comparing the StringSid with L"S-1-5-18" |
| Process enumeration | Uses the TlHelp32 API (kernel32.dll!CreateToolhelp32Snapshot to snapshot processes, then kernel32.dll!Process32First / kernel32.dll!Process32Next) |
| Connecting to C2 servers | Builds the string machineId=machineguid\|username&configId=rc4_c2_key, then sends a POST request |
| User and system info collection | The OS bitness; info about RAM and CPU; applications installed in the system; cookies; autofill data; autofill form data |
| Sending of collected data | POST requests to the C2 |
| Receiving an answer from the C2 | The C2 sends "received" |
| Ending operations | Takes screenshot(s), releases the remaining allocated resources, unloads the libraries, and finishes its work |
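The C2 check-in format in the table (machineId=machineguid|username&configId=rc4_c2_key) is concrete enough to turn into a detection check over captured HTTP POST bodies. The following Python is an added example written for this article, not code from ANY.RUN or from the malware analysis; the GUID layout of the machine id, the hex form of configId, and the sample bodies are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed shape of the Raccoon v2 beacon body described in the table:
#   machineId=<machine GUID>|<username>&configId=<RC4 key of the C2 config>
# The 36-character GUID and hex-only configId are assumptions for this example.
BEACON_RE = re.compile(
    r"^machineId=(?P<machine_guid>[0-9A-Fa-f-]{36})\|(?P<username>[^&]+)"
    r"&configId=(?P<config_id>[0-9A-Fa-f]+)$"
)


def parse_raccoon_beacon(body: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields if the body matches the check-in format, else None."""
    match = BEACON_RE.match(body.strip())
    return match.groupdict() if match else None


def scan_post_bodies(records: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Walk (source_host, body) records from a proxy or IDS log and emit one alert
    per body that looks like a Raccoon v2 check-in."""
    alerts = []
    for source_host, body in records:
        fields = parse_raccoon_beacon(body)
        if fields is not None:
            alerts.append({"source_host": source_host, **fields})
    return alerts


# Constructed log records, not captured traffic.
SAMPLE_RECORDS = [
    ("10.0.0.12", "machineId=3fa85f64-5717-4562-b3fc-2c963f66afa6|alice"
                  "&configId=0a1b2c3d4e5f60718293a4b5c6d7e8f9"),
    ("10.0.0.13", "user=alice&password=secret"),          # ordinary form post
    ("10.0.0.14", "machineId=not-a-guid|bob&configId=zz"),  # malformed, ignored
]

if __name__ == "__main__":
    for alert in scan_post_bodies(SAMPLE_RECORDS):
        print("Raccoon v2 check-in from", alert["source_host"],
              "user", alert["username"], "configId", alert["config_id"])
```

The matched configId is worth keeping with the alert: according to the table it is the RC4 key for the C2 configuration, so an analyst can reuse it when decrypting strings pulled from the sample's memory.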
We have triaged various Raccoon stealer V2 samples, gathered its typical behavior patterns, and briefly described its execution process.
Read the further and more detailed Raccoon stealer 2.0 malware analysis. In that article, you can follow all the steps and get a full picture of the info stealer's behavior. Besides this in-depth research, you get a chance to extract the malware configuration yourself – copy the Python script for Raccoon stealer and unpack memory dumps to extract C&C servers and keys.
Raccoon v2 malware configuration
Where to analyze malware
Do you want to analyze malicious files and links? There is a fast and easy solution: get ready-made configurations in the ANY.Run online malware sandbox and investigate suspicious files inside and out. Try to crack any malware using an interactive approach:
Write the "HACKERNEWS" promo code to [email protected] from your business email address and get 14 days of ANY.Run premium subscription for free!
The ANY.Run sandbox helps you analyze malware quickly, navigate through the analysis process easily, detect even sophisticated malware, and get comprehensive reports. Use smart tools and hunt malware successfully.
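The table lists the string and C2 encryption options as RC4, XOR, none, or a combination, and the paragraph above points at extracting C2 servers and keys from memory dumps. The Python below is an added example written for this page, not ANY.RUN's extraction script: it implements those decoding modes and picks the first one that yields printable text. The key, the C2 URL and the "RC4 then XOR" order of the combined mode are constructed assumptions, and the sample blobs are produced by encrypting a known string rather than taken from a real dump.

```python
import string
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). The cipher is symmetric, so one routine
    both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Printable ASCII without the vertical-tab / form-feed oddities of string.printable.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def looks_like_text(buf: bytes) -> bool:
    return len(buf) > 0 and all(b in PRINTABLE for b in buf)


def recover_string(blob: bytes, key: bytes) -> Optional[Tuple[str, str]]:
    """Try the decoding modes the article lists (none, RC4, XOR, a combination)
    and return (mode, plaintext) for the first that decodes to printable text.
    The combined mode is assumed to be RC4 followed by XOR with the same key."""
    candidates = [
        ("plain", blob),
        ("rc4", rc4(key, blob)),
        ("xor", xor_repeating(key, blob)),
        ("rc4+xor", rc4(key, xor_repeating(key, blob))),
    ]
    for mode, buf in candidates:
        if looks_like_text(buf):
            return mode, buf.decode("ascii")
    return None


# Constructed key and C2 string; the blobs simulate what a config extractor
# would carve out of a memory dump under each encryption option.
SAMPLE_KEY = b"hypothetical-key"
SAMPLE_C2 = b"http://c2.constructed.example/"
RC4_BLOB = rc4(SAMPLE_KEY, SAMPLE_C2)
XOR_BLOB = xor_repeating(SAMPLE_KEY, SAMPLE_C2)
MIXED_BLOB = xor_repeating(SAMPLE_KEY, rc4(SAMPLE_KEY, SAMPLE_C2))

if __name__ == "__main__":
    for name, blob in (("rc4", RC4_BLOB), ("xor", XOR_BLOB), ("mixed", MIXED_BLOB)):
        print(name, "->", recover_string(blob, SAMPLE_KEY))
```

Trying the modes in a fixed order is enough here because RC4 output on a wrong guess is effectively random bytes and almost never passes the printable-text check; on real dumps, pair the text heuristic with a URL pattern so that a false positive does not end up on a blocklist.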
Some parts of this article are sourced from:
thehackernews.com