Today > vulnerabilities   -   You can now download lists of IOCs here!

Raspberry Robin Analysis

Nov. 20, 2024, 9:29 a.m.

Tags
obfuscation
privilege-escalation
anti-analysis
tor
2024-11-19
raspberry robin
usb-spreading
network-propagation
CVE-2024-26229
CVE-2021-31969
External References
Description

Raspberry Robin, a malicious downloader discovered in 2021, has been circulating for years, primarily spreading through infected USB devices. It stands out due to its unique binary-obfuscation techniques, extensive use of anti-analysis methods, and privilege escalation exploits. The malware uses multiple code layers, each employing various obfuscation techniques. It communicates with command-and-control servers via the TOR network and can propagate through networks. Raspberry Robin employs numerous anti-analysis and evasion methods, including CPU performance checks, Windows API manipulations, and registry modifications. It uses UAC-bypass methods and local privilege escalation exploits to elevate privileges. The malware's primary goal is to download and execute payloads on compromised hosts, collecting extensive system information before requesting the payload.

Date

Published: Nov. 19, 2024, 9:59 p.m.

Created: Nov. 19, 2024, 9:59 p.m.

Modified: Nov. 20, 2024, 9:29 a.m.

Indicators

852ce7c57c68243a1189db61e750056041bed3802f2c48dcee4cfc189b4e4949

5b8043e178373d4b732c6bf1013173b9f9a1f30269996392da367547d6a4a70f

0632a600bd59a0fab86fd199a041b1d159162ae1d8d7ad62150270257bd9bc8b

240.0.0.0/4

224.0.0.0/4

127.0.0.0/8

https://yebmhucezgghpzwvgqi5y2djfufgtrwcbbta547oaxw5kzi6sa2hopad.onion:3054/

https://xbeopilgchtzd5u7yu36jlsp5cfgaqeuxkaon7yjle7lrtb3abi476id.onion:29454/

https://wwbshp6hgnvtqwtbychvrchldbwifnf7djlpnuvf45dgn5up7w4xqqqd.onion:43728/

https://wdmr4ow76xfig5rgffnufdu7o4abkowc7keqeaiq7fkrxofwsue5wtyd.onion:60499/

https://vwmnexb2eiaencaw64hcrvv7tucksas6qbms5acpa222m2c5wigq3syd.onion:22567/

https://vt6r47ek7oi2svzj2s4pguogzwumlulju4zkdf6nh7xnkugylxuy7tad.onion:23133/

https://vor57f3yvqw3ddq4o3gkzkqdvczenmf5isiyb7vp7tc7xiokrjxxzcqd.onion:30408/

https://vkz4q4hufi2ekksnwo2op4e5dgj7vatip2nvwmo2vsodmuau46yxmyyd.onion:37379/

https://vf4ucetbu7qcy3p3d7ayntpzhjo3fzlaszu3y4wzhq642hdw2ptxn7yd.onion:20898/

https://vbtzr7t7y7pxduueznc4mntv2zgrt66m4zvore5jahma2s7do7kguead.onion:14099/

https://uup6i2g2uhsmsts6t4h5s652hficknfnpzs662x2q3iym5ddninyemad.onion:38869/

https://twlittqpz6hslkwrwaczn6b55jb4iz46erykvrnzhlyfssnk5uwwlmyd.onion:44045/

https://tnpiydtimuugdaixsyuew4nofzggjdsyyo3ctw2uzi4drll4axm3diyd.onion:38584/

https://srssvp2lk3vnwttncfxogitwrdo5y7nljcj6razz3ghjqdpxp4x2m2yd.onion:16259/

https://sj5ud3jiqkp47zza57xvrpno5tw6nrvxbxzvgn4k2fmyzzprhf6jxxid.onion:46597/

https://sj3jle6rfggaumbex4fqhb63vj7so5sy6e7wlgrlmayk3pmhtmgtwfid.onion:48986/

https://s626jyykfd2vpeel7rswnlmwsjcumjgwsw2hdo3shphtih64ayu7n6yd.onion:57739/

https://s26a7zwwxapsmm3hi3awsz7cd5mjwxhl3gd6bplhiwvekm4hys2u32qd.onion:10429/

https://rucaoeomop3yeepq5iyawcxjjt6x3tah5flbai2fewotjwomf6xqvxqd.onion:8314/

https://rabwadnfs35sjfmrvka7vras7hj3s22aixx72da5x3zbsnk3cxxo77qd.onion:48151/

https://qryejmh3imdjrvns2rbncl3gfw5a2etzwktm2uplavp7jn4stw3lbwqd.onion:26196/

https://purcdflu3cqzjfc3rwzr2jxz2e6yiaiks4ej2sn4t4hux2lnksfe3dqd.onion:17141/

https://odvrlneiow77fspjz4lrj425jo7fmd5cv4q3iasjcqwe35ybei7wabyd.onion:43303/

https://nxwhpmhofmoglbaq66de3bl3hp5x5y6d7cnwhldjzdex4dokchzeqlad.onion:25785/

https://nuco75srh4vta5zglxcp4ziabljitvr5yfeqcnwzdauufkzo3hd2w3qd.onion:35495/

https://l234audkv4np4z7ifp2apoven7hzbyjrfvteoh6fvjarc6cd6vxfe4ad.onion:48212/

https://kvlrfiowwiwft7od7mlbdcxouuozm56dqv4uyhfcdbabqydv3htolvid.onion:26783/

https://kqt3ukq3rrodfxd7ce75rboussy6slxdprzcierd65oq26ddgpelyqid.onion:14927/

https://kohtbl3ucs6xvqosbxd7dnfh5y3ag6tjix3bdflz4p5dw4g3g62oygid.onion:55616/

https://knrkrkipiff7vxymch6t54b2n2wnizt6baqsbp24zyfmaggstjwpb6id.onion:11844/

https://j6ra6hqk7cssp5fazkwlltqdfbgl3azhktccc2hefoco46p4qhvgcgid.onion:35543/

https://j62wwivnsntjporvag3u3xc3rfrqio25a7lhxamgfnjd7kdnhpnu7eqd.onion:26622/

https://gqqw74q2ig2vfnrwhm6ulxe2ipzieckpiozjufvhhsxoidy5wjq2bmqd.onion:23899/

https://fthappkft575kd4snugjnqg7nbk5noxd7jnyvprulecbadzjkpszclyd.onion:52134/

https://fnnkuvyleutbgw65bedvueiflhytyds5fu6vxeg56ihr5qu6getug7ad.onion:18678/

https://exmd723nzabqwzd2iq3yjcqsavz6o65vxyl465vedfiiaefdjv3oiwyd.onion:44004/

https://e6f6ex6jdvwjv5453eeakpxa5l3fz255zmfpgtw7oxynepfm334725id.onion:15328/

https://dy4upangcmvzpx56we77keuhvtta2734w2upg3nuloqyxlhmipt63fid.onion:49716/

https://dqgpc53vh2rzagqolhyesfwhtnivr7l7gl745vy3wzzdpzca4epoy6qd.onion:55452/

https://cr5rnanscwakq3amo5nvdl4kdkhgbxv37aaqbqmmtjt6ufkwtke7suid.onion:35724/

https://cpxqqmy3xerxafsupnj2ucccgxnbbjujf5rfrvxdlkqxczidfz5rloyd.onion:36428/

https://bcxed2rymdhu7s2tec2xjtscfaqdvdyqxtasif6ym5epuyxddcrjncid.onion:42332/

https://b5z6wlu5427v5dyw3ax3agclku7gmtmnwiepjif3w6styzifcnl6vfqd.onion:13811/

https://ayah2jmok6u7eo6rtksfaxo6zcz6cgjpwnxtdo66jolz26ymaq6ssfid.onion:44844/

https://aonw5ldru6t4xwwl4ifzonaggkm7gcpegiyaccryzh64yzks3fkabiyd.onion:47210/

https://7bbkpvrpatpzrreu36bzemj7fejgglqqzwdn4avgvpf67zwqpzc44vqd.onion:55965/

https://7oqgixcydaoxc3ayv6raiufxmwpd22oeo56rbitbyv7ndmjqhsl5m7qd.onion:22408/

https://6x6k5kgzgtajkimxkto4m6eqcxfhcxirlwwtfsjd3ilwqfp5ovnyu2id.onion:36112/

https://6uhcvcp6hm2rvajmsrqhi6q5kgel2vwencjvnxouwv7a7erbwydjx6id.onion:4615/

https://6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion:58212/

https://6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion:4123/

https://6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion:13392/

https://6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion:34024/

https://64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion:33960/

https://5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion:18231/

https://4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion:39567/

https://4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion:37151/

https://3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion:15842/

https://3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion:3367/

https://2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion:55314/

yebmhucezgghpzwvgqi5y2djfufgtrwcbbta547oaxw5kzi6sa2hopad.onion

xbeopilgchtzd5u7yu36jlsp5cfgaqeuxkaon7yjle7lrtb3abi476id.onion

wwbshp6hgnvtqwtbychvrchldbwifnf7djlpnuvf45dgn5up7w4xqqqd.onion

wdmr4ow76xfig5rgffnufdu7o4abkowc7keqeaiq7fkrxofwsue5wtyd.onion

vwmnexb2eiaencaw64hcrvv7tucksas6qbms5acpa222m2c5wigq3syd.onion

vt6r47ek7oi2svzj2s4pguogzwumlulju4zkdf6nh7xnkugylxuy7tad.onion

vor57f3yvqw3ddq4o3gkzkqdvczenmf5isiyb7vp7tc7xiokrjxxzcqd.onion

vkz4q4hufi2ekksnwo2op4e5dgj7vatip2nvwmo2vsodmuau46yxmyyd.onion

vf4ucetbu7qcy3p3d7ayntpzhjo3fzlaszu3y4wzhq642hdw2ptxn7yd.onion

vbtzr7t7y7pxduueznc4mntv2zgrt66m4zvore5jahma2s7do7kguead.onion

uup6i2g2uhsmsts6t4h5s652hficknfnpzs662x2q3iym5ddninyemad.onion

twlittqpz6hslkwrwaczn6b55jb4iz46erykvrnzhlyfssnk5uwwlmyd.onion

tnpiydtimuugdaixsyuew4nofzggjdsyyo3ctw2uzi4drll4axm3diyd.onion

srssvp2lk3vnwttncfxogitwrdo5y7nljcj6razz3ghjqdpxp4x2m2yd.onion

sj5ud3jiqkp47zza57xvrpno5tw6nrvxbxzvgn4k2fmyzzprhf6jxxid.onion

sj3jle6rfggaumbex4fqhb63vj7so5sy6e7wlgrlmayk3pmhtmgtwfid.onion

s626jyykfd2vpeel7rswnlmwsjcumjgwsw2hdo3shphtih64ayu7n6yd.onion

s26a7zwwxapsmm3hi3awsz7cd5mjwxhl3gd6bplhiwvekm4hys2u32qd.onion

rabwadnfs35sjfmrvka7vras7hj3s22aixx72da5x3zbsnk3cxxo77qd.onion

rucaoeomop3yeepq5iyawcxjjt6x3tah5flbai2fewotjwomf6xqvxqd.onion

qryejmh3imdjrvns2rbncl3gfw5a2etzwktm2uplavp7jn4stw3lbwqd.onion

purcdflu3cqzjfc3rwzr2jxz2e6yiaiks4ej2sn4t4hux2lnksfe3dqd.onion

odvrlneiow77fspjz4lrj425jo7fmd5cv4q3iasjcqwe35ybei7wabyd.onion

nxwhpmhofmoglbaq66de3bl3hp5x5y6d7cnwhldjzdex4dokchzeqlad.onion

nuco75srh4vta5zglxcp4ziabljitvr5yfeqcnwzdauufkzo3hd2w3qd.onion

l234audkv4np4z7ifp2apoven7hzbyjrfvteoh6fvjarc6cd6vxfe4ad.onion

kvlrfiowwiwft7od7mlbdcxouuozm56dqv4uyhfcdbabqydv3htolvid.onion

kqt3ukq3rrodfxd7ce75rboussy6slxdprzcierd65oq26ddgpelyqid.onion

kohtbl3ucs6xvqosbxd7dnfh5y3ag6tjix3bdflz4p5dw4g3g62oygid.onion

knrkrkipiff7vxymch6t54b2n2wnizt6baqsbp24zyfmaggstjwpb6id.onion

j6ra6hqk7cssp5fazkwlltqdfbgl3azhktccc2hefoco46p4qhvgcgid.onion

j62wwivnsntjporvag3u3xc3rfrqio25a7lhxamgfnjd7kdnhpnu7eqd.onion

gqqw74q2ig2vfnrwhm6ulxe2ipzieckpiozjufvhhsxoidy5wjq2bmqd.onion

fthappkft575kd4snugjnqg7nbk5noxd7jnyvprulecbadzjkpszclyd.onion

fnnkuvyleutbgw65bedvueiflhytyds5fu6vxeg56ihr5qu6getug7ad.onion

exmd723nzabqwzd2iq3yjcqsavz6o65vxyl465vedfiiaefdjv3oiwyd.onion

e6f6ex6jdvwjv5453eeakpxa5l3fz255zmfpgtw7oxynepfm334725id.onion

dy4upangcmvzpx56we77keuhvtta2734w2upg3nuloqyxlhmipt63fid.onion

dqgpc53vh2rzagqolhyesfwhtnivr7l7gl745vy3wzzdpzca4epoy6qd.onion

cr5rnanscwakq3amo5nvdl4kdkhgbxv37aaqbqmmtjt6ufkwtke7suid.onion

cpxqqmy3xerxafsupnj2ucccgxnbbjujf5rfrvxdlkqxczidfz5rloyd.onion

bcxed2rymdhu7s2tec2xjtscfaqdvdyqxtasif6ym5epuyxddcrjncid.onion

b5z6wlu5427v5dyw3ax3agclku7gmtmnwiepjif3w6styzifcnl6vfqd.onion

ayah2jmok6u7eo6rtksfaxo6zcz6cgjpwnxtdo66jolz26ymaq6ssfid.onion

aonw5ldru6t4xwwl4ifzonaggkm7gcpegiyaccryzh64yzks3fkabiyd.onion

7oqgixcydaoxc3ayv6raiufxmwpd22oeo56rbitbyv7ndmjqhsl5m7qd.onion

7bbkpvrpatpzrreu36bzemj7fejgglqqzwdn4avgvpf67zwqpzc44vqd.onion

6x6k5kgzgtajkimxkto4m6eqcxfhcxirlwwtfsjd3ilwqfp5ovnyu2id.onion

6uhcvcp6hm2rvajmsrqhi6q5kgel2vwencjvnxouwv7a7erbwydjx6id.onion

6s75xlg3auzdnccos4re4hrmcxyg6fivxsqm3cldv2gowl2engljtqyd.onion

6praos6qyi3b5kcurfqe4kyh5ihu4k3z6mjbggkixnfyhbpomy5szoad.onion

6kykjg6h7sjqru5puc57mb2nhd2bwhtewdswnsg4rlr3rw6t4iqrpgyd.onion

6agzykvu3rjnwpdnky777ffxb5dj4fiemftho4tsoeakp2xa542pj7id.onion

64iahnunyhf6ph6qvakjp22a3j6wlvl4sdmbh6elwri6up5gpnm7xkyd.onion

5bqxmurmtkqlzis65uu22aspcuhivb6vpzpcpma5wfl5ngz2ha6oxzqd.onion

4rnzfvzybry65auecpi3n67c6ynuunvs77qpk45svyhhsj6oisibk3qd.onion

4jtsmu3u4yrbehjf4rzfwsswhpc7ohs4nrfnlfu3xebteeaf4uv3okyd.onion

3zs4zdszo3lesutdbuenzvlspuh6wljj6eyntv73dxxig3bk2wcskrad.onion

3bh22ezbxub3dopbqja7jjymdussvwgl3eu4xzlsdyagtnhzxy3tr3id.onion

2pxsdtxngssu3vqqujdfgu4bsmlkp3d2ytctawznlhhez6tq57wzpzqd.onion

Download all indicators here!

Attack Patterns

Bumblebee - S1039

Raspberry Robin

T1134.005

T1027.003

T1027.001

T1078.001

T1497.003

T1548.002

T1497.002

T1055.012

T1027.002

T1055.002

T1497.001

T1548

T1027.005

T1497

T1218

T1055

T1134

T1140

T1027

T1078

CVE-2021-31969

CVE-2024-26229