[Mal Series #4] InfoStealer Raccoon

GhouLSec
2 min read · Apr 22, 2020


The malware was extracted from a dropper similar to the one used in the Aggah campaign.

Unfortunately, I can't proceed further with the analysis, as there is an issue with the response from the C2 server 😔. Maybe they removed support for this build.

Error message from C2

However, I still tried my best to get the remaining things done.

Functionalities

Get username
Windows API:
1) GetUserName

Get machine GUID
Reads the GUID value from the registry key SOFTWARE\Microsoft\Cryptography.

Creates the bot_id by concatenating the GUID and the username.

Windows API:
1) RegOpenKey
2) RegQueryValue
3) RegCloseKey

Check country
Is the locale Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik or Uzbek?
If yes, the process quits. If no, it continues with the malicious activity.

Windows API:
1) GetLocaleInfoA
2) GetUserDefaultLCID

Get C2 URL

https://drive.google.com/uc?export=download&id=%id%

Encrypted C2 strings from the Google Drive URL response

Get the config and required files

Sends a POST request to the C2 server with the parameters
bot_id=%machineGUID%_%username%&config_id=%configID%&data=null, encoded with base64.
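The bot_id format (machine GUID joined to the username with an underscore) and the base64-encoded POST body described above give a defender enough structure to write a detection. The following is an added example, not code from the original post: it scans constructed proxy-log lines for POST requests to a gate/log.php path, base64-decodes the body, and extracts the machine GUID, username and config_id when the body matches the bot_id=…&config_id=…&data=null shape. The log line format (timestamp, source IP, method, URL, raw body) and all sample values are assumptions made for the example.

```python
"""Flag Raccoon-style gate/log.php beacons in proxy logs.

Added example (not from the original post). Assumed log format, one
request per line:  <timestamp> <src_ip> <method> <url> <raw_post_body>
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Decoded body shape given in the post:
#   bot_id=<machineGUID>_<username>&config_id=<configID>&data=null
GUID_RE = (r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
           r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")
BOT_ID_RE = re.compile(rf"^({GUID_RE})_(.+)$")
REQUIRED_KEYS = {"bot_id", "config_id", "data"}


@dataclass
class Beacon:
    src_ip: str
    url: str
    machine_guid: str
    username: str
    config_id: str


def decode_body(body: str) -> Optional[str]:
    """Strictly base64-decode a POST body; None if it is not base64 ASCII text."""
    try:
        return base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_beacon(decoded: str) -> Optional[dict]:
    """Return the beacon fields if the decoded body has the expected shape."""
    params = parse_qs(decoded, keep_blank_values=True)
    if not REQUIRED_KEYS <= set(params):
        return None
    match = BOT_ID_RE.match(params["bot_id"][0])
    if not match:
        return None
    return {
        "machine_guid": match.group(1),
        "username": match.group(2),
        "config_id": params["config_id"][0],
        "data": params["data"][0],
    }


def scan_log(lines: List[str]) -> List[Beacon]:
    """Return one Beacon per log line that looks like a gate/log.php check-in."""
    hits: List[Beacon] = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        _ts, src_ip, method, url, body = parts
        if method != "POST" or not url.endswith("/gate/log.php"):
            continue
        decoded = decode_body(body)
        if decoded is None:
            continue
        fields = parse_beacon(decoded)
        if fields is None:
            continue
        hits.append(Beacon(src_ip, url, fields["machine_guid"],
                           fields["username"], fields["config_id"]))
    return hits


# Constructed sample data: the GUID, username and config_id are made up;
# the C2 URL is the one listed in the post's IOC section.
SAMPLE_BODY = base64.b64encode(
    b"bot_id=12345678-aaaa-bbbb-cccc-1234567890ab_alice"
    b"&config_id=cfg01&data=null").decode("ascii")
SAMPLE_LOG = [
    f"2020-04-22T10:00:00Z 10.0.0.5 POST http://35.228.28.245/gate/log.php {SAMPLE_BODY}",
    "2020-04-22T10:00:01Z 10.0.0.6 GET http://example.invalid/index.html -",
    # Same path, but the body decodes to "not-a-beacon", so it is not flagged.
    "2020-04-22T10:00:02Z 10.0.0.7 POST http://example.invalid/gate/log.php bm90LWEtYmVhY29u",
]


def find_beacons() -> List[Beacon]:
    """Run the scanner over the constructed sample log."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for beacon in find_beacons():
        print(f"{beacon.src_ip} -> {beacon.url}: guid={beacon.machine_guid} "
              f"user={beacon.username} config={beacon.config_id}")
```

Matching on the decoded body rather than only on the URL path keeps the rule useful if the operators move the gate to another host, while the strict base64 decode and GUID pattern keep ordinary form posts to a similarly named path from firing.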

The error from the C2 leaves my analysis stuck here …

IOC

GDrive Link (to reveal the address of C&C server)
https://drive[.]google[.]com/uc?export=download&id=%id%

C&C (To get the config and required files)
http://35[.]228[.]28[.]245/gate/log.php

Mutex
enote\%username%

Hash (listed as SHA256, but the 40-character value below is SHA-1 length):
676CD9FB27912FD01F6D9D5B09BCD8020ADFB385

