Wednesday, November 2, 2022
HomeHackerInside Raccoon Stealer V2

Inside Raccoon Stealer V2


Raccoon Stealer is again on the information once more. US officers arrested Mark Sokolovsky, one of many malware actors behind this program. In July 2022, after a number of months of the shutdown, a Raccoon Stealer V2 went viral. Final week, the Division of Justice’s press launch acknowledged that the malware collected 50 million credentials.

This text will give a fast information to the newest information stealer’s model.

What’s Raccoon infostealer V2?

Raccoon Stealer is a form of malware that steals varied knowledge from an contaminated pc. It is fairly a primary malware, however hackers have made Raccoon in style with glorious service and easy navigation.

In 2019, Raccoon infostealer was some of the mentioned malware. In alternate for $75 per week and $200 per 30 days, cybercriminals offered this straightforward however versatile information stealer as a MaaS. The malware was profitable in attacking various methods. In March 2022, nevertheless, menace authors ceased to function.

An up to date model of this malware was launched in July 2022. Because of this, Raccoon Stealer V2 has gone viral and gained a brand new title – RecordBreaker.

Raccoon v2’s ways & methods in ANY.RUN Sandbox

Methods to analyze Raccoon stealer V2

Execution course of

What Raccoon malware does

Downloads WinAPI libraries

Makes use of kernel32.dll!LoadLibraryW

Will get WinAPI features’ addresses

Makes use of kernel32.dll!GetProcAddress

Strings and C2 servers encryption

Encrypts with RC4 or XOR algorithm, might be no encryption in any respect, or mixture of various choice

Crash triggers

CIS nations locale, mutex

System/LocalSystem degree privilege test

Makes use of Advapi32.dll!GetTokenInformation and Advapi32.dll!ConvertSidToStringSidW evaluating StringSid with L “S-1-5-18”

Course of enumeration

Makes use of the TlHelp32 API (kernel32.dll!CreateToolhelp32Snapshot to seize processes and kernel32.dll!Process32First / kernel32.dll!Process32Next).

Connecting to C2 servers

Creates a string:
machineId={machineguid}|{username}&configId={rc4_c2_key}

Then sends a POST request

Consumer and system knowledge assortment

  • the OS bitness
  • details about RAM, CPU
  • purposes put in within the system
  • cookies
  • autofill knowledge
  • autofill type knowledge

Sending of collected knowledge

POST requests to C2.

Getting a solution from the C2

C2 sends “obtained”

Ending operations

Takes a screenshot(s), releases the remaining allotted sources, unloads the libraries, and finishes its work

We’ve triaged a number of Raccoon stealer V2 samples, collected typical habits actions, and briefly described its execution course of.

Learn deeper and extra detailed Raccoon stealer 2.0 malware evaluation. Within the article, you possibly can observe all steps and get an entire image of the information stealer’s habits. Moreover this profound analysis, you get an opportunity to extract malware configuration by yourselves – copy the Python script of Raccoon stealer and unpack reminiscence dumps to extract C&C servers and keys.

Raccoon v2 malware configuration

The place to investigate malware

Do you need to analyze malicious information and hyperlinks? There’s a quick and simple resolution: get ready-made configurations in ANY.RUN on-line malware sandbox and examine suspicious information in and out. Attempt to crack any malware utilizing an interactive method:

Write the “HACKERNEWS” promo code at assist@any.run utilizing your online business e mail deal with and get 14 days of ANY.RUN premium subscription at no cost!

The ANY.RUN sandbox helps you to analyze malware rapidly, navigate by way of the analysis course of simply, detect even refined malware, and get detailed reviews. Use good instruments and hunt malware efficiently.



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments