Datei Kimligi
| SHA256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
|---|---|
| Lure Datei Adi | ProtonVPN_3.0.5.exe |
| Dahili Ad (ProductName) | CrazyTooth |
| String Sayisi | 1.278 (C++ native) |
Kimlik ve Lure
Bu ornek ProtonVPN 3.0.5.exe olarak dagilmaktadir. Gizlilik odakli bir VPN uygulamasi gorunumunde sunulmasi, gizliligi onemsyen ve ozellikle kisisel guvenligine dikkat eden kullanicilari hedef almayi amaclamaktadir. Dahili ProductName: CrazyTooth
Obfuscated Mutex (RecordBreaker Imzasi)
ZakidefurarugafUTahocefecapuv godu yohasikolaki legakaz xezedifu tez nodiraxu cehajixo xasibifobijilaJXuzi poriseg pipidahi fidelamirayite foyahocepige fakabulob gunopaxivoname
Bu uzun anlamsiz dizi Raccoon Stealer V2 (RecordBreaker) ailesinin karakteristik obfuscated mutex yapisidir. Staticanalizde bu pattern, RecordBreaker ailesinin kesin bir gostergesidir.
Raccoon V2 Yetenekleri
- Tarayici kimlik bilgileri (Chrome/Firefox/Edge/Brave — 60+ tarayici)
- Cookie calma ve oturum hırsızligi
- Kripto cuizdan: MetaMask, Exodus, Atomic, Electrum, Coinbase
- Email: Outlook, Thunderbird
- FTP: FileZilla, WinSCP
- Ekran goruntusu
- Sistem bilgisi ve yontemli veri paketiyle C2'ye gönderim
IOC
| SHA256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
|---|---|
| Lure | ProtonVPN_3.0.5.exe |
| Dahili Ad | CrazyTooth |
| Mutex | Obfuscated (ZakidefurarugafU...) |
| C2 | Sifrelenmis (Telegram bot dead-drop + HTTP) |
Raccoon — Malware-Profil
Raccoon Stealer credential hırsızı. ProtonVPN gizleme. Telegram C2 destegi. Browser/kripto cüzdan hedef.
Technische Details
C++/C, HTTP/HTTPS C2, SQLite credential extraction (browser login data), browser history/autofill, kripto wallet stealer (Ethereum/Bitcoin), email client stealer, custom stealer panel (PHP), fingerprint (HWID/IP)
Fähigkeiten & Verhalten
IOC-Liste (1 Indikatoren)
# SHA256
1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91
| Typ | Wert | Bemerkung |
|---|---|---|
| sha256 | 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91 |
C2-Server (7 erfasste Server für diese Familie)
| Adresse | Typ | Port | Protokoll | Status | Land |
|---|---|---|---|---|---|
| arena.cc | domain | — | HTTP | active | — |
| cacerts.digicert.com | domain | — | HTTP | active | — |
| crl3.digicert.com | domain | — | HTTP | active | — |
| crl.globalsign.com | domain | — | HTTP | active | — |
| 45.139.199.83 | ip | 443 | HTTPS | inactive | RU |
| coded_stream.cc | domain | — | HTTP | inactive | — |
| 92.255.57.48 | ip | 80 | HTTP | sinkholed | UA |
C2-Adressen stammen ausschließlich aus vom KEYDAL-Team manuell verifizierten Malware-Samples. Kommerzielle Nutzung ist untersagt.