#RaccoonStealer admin will be extradited to the US, charged for computer crimes
https://www.malwarebytes.com/blog/news/2022/11/racoon-stealer-admin-will-be-extradited-to-the-us-charged-for-computer-crimes
#raccoonstealer #hacking #malwareasaservice
Sophos has observed some #RecordBreaker / #RaccoonStealer activity following a search for cracked software.
🔎 Google Search: fences download crack
Cracked Software Site:
➡️ hxxps[://]pesktop[.]com/en/windows/stardock_fences_setup
Download Button + Instructions:
➡️ hxxps[://]adainstaller[.]com/aofiler/<>-pesktop[.]php
Redirection Chain:
↪️ hxxps[://]xdrt656y[.]cfd/?i=Also-Download-its-Full-Activator&u=<>&site=hxxps[://]tinyurl[.]com
↪️ hxxps[://]href[.]li/?hxxps[://]vghu896yh[.]cfd/?56_56=<>&file=Also-Download-its-Full-Activator&h={pubid}
↪️ hxxps[://]vghu896yh[.]cfd/?56_56=<>&file=Also-Download-its-Full-Activator&h={pubid}
↪️ hxxps[://]href[.]li/?hxxps[://]bit[.]ly/New_FullLatestFile--Here
↪️ hxxps[://]bit[.]ly/New_FullLatestFile--Here
↪️ hxxps[://]href[.]li/?hxxps[://]www[.]mediafire[.]com/file/xkv5ulf2kwf7roo/Use-2022_As_PasW0rD-LatestFile-L4[.]rar/file
⬇️ hxxps[://]www[.]mediafire[.]com/file/xkv5ulf2kwf7roo/Use-2022_As_PasW0rD-LatestFile-L4[.]rar/file
Sample: https://www.virustotal.com/gui/file/b01c4534af8c636a787c821e14a5f85890eb78906f4390fb0a8ee2f65b4ab961/relations
PE: a44b78a4cf37bf69a8b750d0a057c228f6bf80362911911950044638c2a2f462
Communicates via port 80 to C2:
hxxp://79.137.197[.]190/45c8e6f57dca0fdb5db9c679b502e12b
#threatintel #infostealer
#recordbreaker #raccoonstealer #threatintel #infostealer
Sophos has observed some #RecordBreaker / #RaccoonStealer activity following a search for cracked software.
🔎 Google Search: fences download crack
Cracked Software Site
➡️ hxxps[://]pesktop[.]com/en/windows/stardock_fences_setup
Instructions + Redirection
➡️ hxxps[://]adainstaller[.]com/aofiler/hjksdgfd4657i687iyouhkjgfrctxy5uerytukj-pesktop[.]php
Redirection Chain
↪️ hxxps[://]xdrt656y[.]cfd/?i=Also-Download-its-Full-Activator&u=1675670242&t=82&site=hxxps[://]tinyurl[.]com
↪️ hxxps[://]href[.]li/?hxxps[://]vghu896yh[.]cfd/?56_56=vjxRHYBnsOtTEqDMNa6VWzb4Ki2LowImSklQyAp&file=Also-Download-its-Full-Activator&h={pubid}
↪️ hxxps[://]vghu896yh[.]cfd/?56_56=vjxRHYBnsOtTEqDMNa6VWzb4Ki2LowImSklQyAp&file=Also-Download-its-Full-Activator&h={pubid}
↪️ hxxps[://]href[.]li/?hxxps[://]bit[.]ly/New_FullLatestFile--Here
↪️ hxxps[://]bit[.]ly/New_FullLatestFile--Here
↪️ hxxps[://]href[.]li/?hxxps[://]www[.]mediafire[.]com/file/xkv5ulf2kwf7roo/Use-2022_As_PasW0rD-LatestFile-L4[.]rar/file
Sample: https://www.virustotal.com/gui/file/b01c4534af8c636a787c821e14a5f85890eb78906f4390fb0a8ee2f65b4ab961/relations
PE: a44b78a4cf37bf69a8b750d0a057c228f6bf80362911911950044638c2a2f462
Communicates via port 80 to C2:
hxxp://79.137.197[.]190/45c8e6f57dca0fdb5db9c679b502e12b
#recordbreaker #raccoonstealer #threatintel #infostealer
Cluster of #C2 servers hosted by #PartnerLLC on 77.73.133[.]0/24 ☢️
Includes:
- #Lilith bot 🤖
- #RaccoonStealer 🕵️♂️
- #CobaltStrike - especially active at 77.73.133[.]20, 77.73.133[.]93, 77.73.133[.]120
- #RedLineStealer 🕵️
I’m working to rebuild my automated C2 tracking over on https://abjuri5t.github.io/SarlackLab/. Figured I’d start sharing some of the data I have gathered with the community.
As per @pixelnull‘s suggestion, I’m tagging this with #IOC for threat intel visibility
#c2 #partnerllc #lilith #raccoonstealer #cobaltstrike #RedLineStealer #ioc
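As an added example that is not part of any post above, the following Python script turns the defanged indicators from the Sophos RecordBreaker/Raccoon chain and the PartnerLLC 77.73.133[.]0/24 cluster into a watchlist and runs it over a few constructed proxy log lines. Attacker-run hostnames match on the host alone; the shared services in the chain (bit.ly, mediafire.com) match only on the full URL so that ordinary use of those sites is not flagged; and href.li wrappers are unwrapped so the inner URL is inspected. The log format, client addresses and the wrapper handling are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied in their defanged form from the posts above.
# Attacker-controlled hosts: any request to them is suspicious.
DEFANGED_HOSTS = {
    "pesktop[.]com",
    "adainstaller[.]com",
    "xdrt656y[.]cfd",
    "vghu896yh[.]cfd",
    "79.137.197[.]190",
}
# Shared services used in the chain: match the exact URL, not the host,
# so that legitimate bit.ly / mediafire traffic is not flagged.
DEFANGED_URLS = {
    "hxxps[://]bit[.]ly/New_FullLatestFile--Here",
    "hxxps[://]www[.]mediafire[.]com/file/xkv5ulf2kwf7roo/"
    "Use-2022_As_PasW0rD-LatestFile-L4[.]rar/file",
    "hxxp://79.137.197[.]190/45c8e6f57dca0fdb5db9c679b502e12b",
}
# C2 cluster range from the PartnerLLC post.
C2_NETWORKS = [ipaddress.ip_network("77.73.133.0/24")]
# Assumption: href.li/?<url> is treated as a referrer-stripping wrapper
# and the inner URL is classified instead.
REFERRER_WRAPPERS = {"href.li"}


def refang(indicator: str) -> str:
    """Turn hxxp(s)[://]example[.]com into a real URL or hostname string."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


MALICIOUS_HOSTS = {refang(h) for h in DEFANGED_HOSTS}
MALICIOUS_URLS = {refang(u) for u in DEFANGED_URLS}


def classify_url(url: str) -> Optional[str]:
    """Return a verdict label for a URL, or None if it matches nothing."""
    if url in MALICIOUS_URLS:
        return "ioc-url"
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return None
    if host in REFERRER_WRAPPERS and parts.query:
        inner = classify_url(parts.query)  # query holds the wrapped URL
        return f"wrapped:{inner}" if inner else None
    if host in MALICIOUS_HOSTS:
        return "ioc-host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname that is not on the watchlist
    if any(ip in net for net in C2_NETWORKS):
        return "c2-range"
    return None


# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1675670242.101 10.0.0.12 GET https://www.google.com/search?q=fences+download+crack 200
1675670250.317 10.0.0.12 GET https://pesktop.com/en/windows/stardock_fences_setup 200
1675670260.442 10.0.0.12 GET https://href.li/?https://bit.ly/New_FullLatestFile--Here 302
1675670290.900 10.0.0.12 GET https://www.mediafire.com/file/xkv5ulf2kwf7roo/Use-2022_As_PasW0rD-LatestFile-L4.rar/file 200
1675670300.120 10.0.0.14 GET https://www.mediafire.com/file/other/benign.zip/file 200
1675670320.005 10.0.0.12 POST http://79.137.197.190/45c8e6f57dca0fdb5db9c679b502e12b 200
1675670330.118 10.0.0.33 GET http://77.73.133.93/ 200
1675670340.222 10.0.0.33 GET https://example.org/ 200
"""


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, verdict) for every log line that hits the watchlist."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:16} {client:10} {url}")
```

The benign mediafire line is there on purpose: matching that host alone would flag every mediafire download, so the file-host and shortener entries are kept as full URLs while the .cfd and pesktop hosts are matched outright.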
Just created a bot account for #RaccoonStealer updates. It isn't active yet, but meant to be a project for me. The bot will live at @RaccoonStealerBot! 🦝
Side note, I used DALL·E to generate the images and I love them.
Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion https://krebsonsecurity.com/2022/10/accused-raccoon-malware-developer-fled-ukraine-after-russian-invasion/ #RaccoonInfostealer #Ne'er-Do-WellNews #ALittleSunshine #F.AndinoReynal #MarkSokolovsky #RaccoonStealer #AlexJones
Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion - A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the Un... https://krebsonsecurity.com/2022/10/accused-raccoon-malware-developer-fled-ukraine-after-russian-invasion/ #raccooninfostealer #neer-do-wellnews #alittlesunshine #f.andinoreynal #marksokolovsky #raccoonstealer #alexjones
My latest rule is for #RaccoonStealer v2 which I've been following since June!
https://github.com/FirehaK/YARA/blob/master/RaccoonV2/RaccoonV2.yar
How malware infects you and how to avoid handing your passwords to criminals - Matrice Digitale #browser #chrome #cybersecurity #evidenza #Firefox #malware #raccoonstealer #sideloading #tutorial #2luglio https://parliamodi.news/article/aHR0cHM6Ly93d3cubWF0cmljZWRpZ2l0YWxlLml0L25vdGl6aWUvY29tZS1pbmZldHRhLXVuLW1hbHdhcmUtZS1jb21lLWV2aXRhcmUtZGktZGFyZS1sZS1wcm9wcmllLXBhc3N3b3JkLWFpLWNyaW1pbmFsaS8=
#2luglio #tutorial #Sideloading #raccoonstealer #malware #firefox #evidenza #cybersecurity #chrome #browser