Arquivo Kimligi
| SHA256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
|---|---|
| Lure Arquivo Adi | ProtonVPN_3.0.5.exe |
| Dahili Ad (ProductName) | CrazyTooth |
| String Sayisi | 1.278 (C++ native) |
Kimlik ve Lure
Bu ornek ProtonVPN 3.0.5.exe olarak dagilmaktadir. Gizlilik odakli bir VPN uygulamasi gorunumunde sunulmasi, gizliligi onemsyen ve ozellikle kisisel guvenligine dikkat eden kullanicilari hedef almayi amaclamaktadir. Dahili ProductName: CrazyTooth
Obfuscated Mutex (RecordBreaker Imzasi)
ZakidefurarugafUTahocefecapuv godu yohasikolaki legakaz xezedifu tez nodiraxu cehajixo xasibifobijilaJXuzi poriseg pipidahi fidelamirayite foyahocepige fakabulob gunopaxivoname
Bu uzun anlamsiz dizi Raccoon Stealer V2 (RecordBreaker) ailesinin karakteristik obfuscated mutex yapisidir. Staticanalizde bu pattern, RecordBreaker ailesinin kesin bir gostergesidir.
Raccoon V2 Yetenekleri
- Tarayici kimlik bilgileri (Chrome/Firefox/Edge/Brave — 60+ tarayici)
- Cookie calma ve oturum hırsızligi
- Kripto cuizdan: MetaMask, Exodus, Atomic, Electrum, Coinbase
- Email: Outlook, Thunderbird
- FTP: FileZilla, WinSCP
- Ekran goruntusu
- Sistem bilgisi ve yontemli veri paketiyle C2'ye gönderim
IOC
| SHA256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
|---|---|
| Lure | ProtonVPN_3.0.5.exe |
| Dahili Ad | CrazyTooth |
| Mutex | Obfuscated (ZakidefurarugafU...) |
| C2 | Sifrelenmis (Telegram bot dead-drop + HTTP) |
Raccoon — Perfil do malware
Raccoon Stealer credential hırsızı. ProtonVPN gizleme. Telegram C2 destegi. Browser/kripto cüzdan hedef.
Detalhes técnicos
C++/C, HTTP/HTTPS C2, SQLite credential extraction (browser login data), browser history/autofill, kripto wallet stealer (Ethereum/Bitcoin), email client stealer, custom stealer panel (PHP), fingerprint (HWID/IP)
Capacidades e comportamento
Lista IOC (1 indicadores)
# SHA256
1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91
| Tipo | Valor | Nota |
|---|---|---|
| sha256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
Servidores C2 (7 servidores registrados para esta família)
| Endereço | Tipo | Porta | Protocolo | Status | País |
|---|---|---|---|---|---|
| arena.cc | domain | — | HTTP | active | — |
| cacerts.digicert.com | domain | — | HTTP | active | — |
| crl3.digicert.com | domain | — | HTTP | active | — |
| crl.globalsign.com | domain | — | HTTP | active | — |
| 45.139.199.83 | ip | 443 | HTTPS | inactive | RU |
| coded_stream.cc | domain | — | HTTP | inactive | — |
| 92.255.57.48 | ip | 80 | HTTP | sinkholed | UA |
Os endereços C2 são fornecidos apenas a partir de amostras de malware verificadas manualmente pela equipe KEYDAL. O uso comercial é proibido.