
Pestudio malware analysis

The sample I'm analyzing in this writeup is from Malware Bazaar, and was originally uploaded by Malware Bazaar's primary account from Abuse.ch. Analysis is being conducted on an isolated lab VM that DOES have a connection to the internet, but I will disable the virtual NIC when needed prior to behavioral or dynamic analysis. This is going to be a multi-part writeup, both because I don't want to post something that takes over half an hour to read, in addition to me also working towards my OSED certification at the moment. I need to work on my x86 assembly reverse engineering for the OSED exam anyway, so that's my justification for taking some time away from the Offensive Security labs to tackle this sample.

Disclaimer Dec 14 2022: At the original time of writing this series (August 2022) the tool PEStudio used the term "blacklisted" to point out various items that were deemed suspicious. Since then, the dev team for PEStudio has updated their tool to use the term "Flagged" as a replacement for "blacklisted". If following along/reading this writeup at a date later than August 2022, your copy of PEStudio likely uses the term "Flagged".

The Raccoon Stealer malware family is a MaaS (Malware as a Service) "product" available for sale in online black markets that is primarily reported to be a password/credential stealer. RecordBreaker malware (AKA Raccoon Stealer V2) is reported to be a "full rewrite in C/C++" of Raccoon Stealer.

This sample is a 32-bit natively compiled PE format executable. I already mentioned in the intro that the sample is a C/C++ rewrite of Raccoon Stealer and is 32-bit. It appears to have been compiled with Microsoft's Visual Studio C++ compiler. Exeinfo PE doesn't think the file is packed, however given its 862 KB size (and >70% of that is in the.
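The same two triage facts the post reads off PEStudio and Exeinfo PE (bitness from the COFF Machine field, and whether one section holds most of the file's bytes) can be pulled from the headers directly. This is an added example, not the post's code; it uses only the standard library and runs on a constructed minimal PE image, not the real sample.

```python
import struct

# Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def parse_pe_summary(data: bytes) -> dict:
    """Return bitness and each section's share of the file's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sect_off + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        share = raw_size / len(data) if data else 0.0
        sections.append({"name": name, "raw_size": raw_size, "share": share})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "is_32bit": machine == 0x14C, "sections": sections}


def dominant_section(summary: dict, threshold: float = 0.70):
    """Name of the first section holding more than `threshold` of the file, else None.
    A single section carrying >70% of the bytes is the kind of thing worth a closer look."""
    for s in summary["sections"]:
        if s["share"] > threshold:
            return s["name"]
    return None


def build_sample(machine: int, sections) -> bytes:
    """Construct a minimal PE image for testing (constructed data, not a real sample)."""
    opt = b"\0" * 224  # placeholder PE32 optional header
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x102) + opt
    raw_ptr = len(hdr) + 40 * len(sections)
    body = b""
    for name, size in sections:
        hdr += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, 0x1000, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\xCC" * size  # int3 filler stands in for section content
        raw_ptr += size
    return bytes(hdr) + body
```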
