Manuel Statik Analiz (LLM Okumali) — Raccoon Stealer V2 (RecordBreaker) | Tehdit: YUKSEK

Fichier Kimligi

SHA2561599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91
Lure Fichier AdiProtonVPN_3.0.5.exe
Dahili Ad (ProductName)CrazyTooth
String Sayisi1.278 (C++ native)

Kimlik ve Lure

Bu ornek ProtonVPN 3.0.5.exe olarak dagilmaktadir. Gizlilik odakli bir VPN uygulamasi gorunumunde sunulmasi, gizliligi onemsyen ve ozellikle kisisel guvenligine dikkat eden kullanicilari hedef almayi amaclamaktadir. Dahili ProductName: CrazyTooth

Obfuscated Mutex (RecordBreaker Imzasi)

ZakidefurarugafUTahocefecapuv godu yohasikolaki legakaz
xezedifu tez nodiraxu cehajixo xasibifobijilaJXuzi poriseg
pipidahi fidelamirayite foyahocepige fakabulob gunopaxivoname

Bu uzun anlamsiz dizi Raccoon Stealer V2 (RecordBreaker) ailesinin karakteristik obfuscated mutex yapisidir. Staticanalizde bu pattern, RecordBreaker ailesinin kesin bir gostergesidir.

Raccoon V2 Yetenekleri

  • Tarayici kimlik bilgileri (Chrome/Firefox/Edge/Brave — 60+ tarayici)
  • Cookie calma ve oturum hırsızligi
  • Kripto cuizdan: MetaMask, Exodus, Atomic, Electrum, Coinbase
  • Email: Outlook, Thunderbird
  • FTP: FileZilla, WinSCP
  • Ekran goruntusu
  • Sistem bilgisi ve yontemli veri paketiyle C2'ye gönderim

IOC

SHA2561599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91
LureProtonVPN_3.0.5.exe
Dahili AdCrazyTooth
MutexObfuscated (ZakidefurarugafU...)
C2Sifrelenmis (Telegram bot dead-drop + HTTP)

Raccoon — Profil du malware

Raccoon Stealer credential hırsızı. ProtonVPN gizleme. Telegram C2 destegi. Browser/kripto cüzdan hedef.

Type de malware
Infostealer
Langage de programmation
C++
Protocole C2
HTTP
Systèmes ciblés
Windows
Aussi connu sous (AKA)
RecordBreaker

Détails techniques

C++/C, HTTP/HTTPS C2, SQLite credential extraction (browser login data), browser history/autofill, kripto wallet stealer (Ethereum/Bitcoin), email client stealer, custom stealer panel (PHP), fingerprint (HWID/IP)

Capacités et comportement

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

Liste IOC (1 indicateurs)

IOC — Raccoon
# SHA256 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91
TypeValeurNote
sha256 1599a612187565c699dfe4f10b04f5621ba04df9ae3c7b5e2d1f0a8b4c6e7a91

Serveurs C2 (7 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
arena.cc domain — HTTP active —
cacerts.digicert.com domain — HTTP active —
crl3.digicert.com domain — HTTP active —
crl.globalsign.com domain — HTTP active —
45.139.199.83 ip 443 HTTPS inactive RU
coded_stream.cc domain — HTTP inactive —
92.255.57.48 ip 80 HTTP sinkholed UA

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
raccoonraccoon-v2recordbreakerinfostealerprotonvpn-lureobfuscated-mutexcppcrazytooth