In today's blog post I'll be conducting some basic static analysis on Raccoon Stealer. Raccoon Stealer has been around for several years around e-crime forums, and is advertised as a credential stealer targeting Chromium-based browsers.
File hash: a07c5c4122a2dff00a982499b7670fb48e63ba7fb70513f558c7190433c3da92
First I ran the sample through detect it easy to see if it seemed packed, and the results came back that the specimen was not, making our analysis that much easier:
In order to get a compilation time frame for the sample, I threw it into PEview and took a look at the IMAGE_FILE_HEADER portion. The time date stamp offers an idea of when the sample was compiled and how old or new this malware is. Note that this can be timestomped by threat actors that are trying to hide their tracks. Additionally, this is a 32-bit executable.
A specific operating system version isn't indicated in the headers. We also glean from the subsystem value in the IMAGE_OPTIONAL_HEADER that this is a GUI program.
Next, I took a look at the sample in PeStudio to assess the imports and take a quick look at the strings and see if I could extract any indicators from there. Right away, there were several imports that gave me an idea of what this specimen was doing:
Among the imports, the ones that caught my attention were:
CreateFileA (writes a file to the compromised endpoint)
GetModuleFilename (can be used to modify/copy files in the current process)
GetModuleHandle (can be leveraged to search for a good location to inject code)
VirtualAlloc (can be used to set up for process injection)
I then passed the specimen over to my REMnux instance to take a look using some of my tooling there. I ran the specimen through capa, and among the findings got:
So compared to the PeStudio findings, nothing groundbreaking there.
With just a few tools and a cursory look, we were able to determine more or less some of the functionality of this specimen. It has anti-debugging characteristics, the ability to write a file, and can possibly also inject code.