Trojan:Win32/Raccoon.RJ!MTB

Raccoon is a stealer that usually gets delivered as payload through different loader modules. Here it uses Smoke Loader as its first layer binary. Smoke Loader is a bot application that can be used to load, drop, or download other malware.

Runtime DLL load

It uses LoadLibrary or GetModuleHandleA application programming interface (API) to get the handle of the library, and is usually followed by GetProcAddress API to get the handle of the API to be used.

API resolving

As mentioned above, it fetches libraries during runtime and is dedicated to resolving APIs that it could use later. Below is a list of resolved APIs:

Crypter activity

It uses VirtualAlloc/GlobalAlloc API to allocate virtual space and decrypts some code content responsible for further malware activity.

Anti-Debug/Anti-VM Techniques

• SetErrorModeAPI with parameter 0x400
• GetVersionEx API to retrieve the OS information and check it with 0x06
• RegOpenKey API to check the values under "Disk/Enum" registry and compare them to "qemu, virtual, vmware, xen"
• Return abuse – uses ret 4 instructions instead of normal ret
• Process enumeration using CreateToolhelp32Snapshot, Process32First and Process32Next APIs. Some of the blocklisted processes are:

Process injection

It performs process hollowing to inject itself to other process. Mostly it is injected into explorer.exe or svchost.exe.

Configuration file

The URL/IP address is subject to change when a new command-and-control (C2) is registered.

The above request downloads and drops Raccoon stealer to the %Temp% folder.

Once Raccoon stealer launches, it retrieves some basic information it sends to the C2, such as

• Language of the user – GetUserDefaultLocaleName API
• Cryptography detail – from HKLM\\SOFTWARE\\Microsoft\\Cryptography registry
• MachineGuid from MachineGuid registry entry
• Username - GetUserName API

Once these are retrieved, Raccoon combines these data and then adds a config id to end so that these details can be sent to the C2 IP.

The C2 URL, Bot ID, and RC4_Key can vary depending on the campaign and stealer version.

The stealer then creates a new folder under the %Appdata% location to store all the sensitive data it extracts from the device.

• Cryptocurrency wallet address is stored in C:\Users\*\AppData\Roaming\Bitcoin\wallet.dat
• Screenshot stored in %appdata%\\<random file name>

Raccoon can also perform SQL query to retrieve information from the database. The information collected is encrypted using the RC4 key and sent back to the C2.