Fallout Exploit Kit delivers Raccoon Stealer

I have added a zipped pcap file for your analysis. The password for the zipped pcap is “infected”, all lowercase.

PCAP file of the infection traffic:


ASSOCIATED DOMAINS:
– birosthalittc.in – REDIRECT TO FALLOUT EK
– grill4u3.com/Loricoid/07_12_1920/QW6.aspx?chrysopid=4320-stogeies-11063 – FALLOUT EK
– POST /gate/log.php – RACCOON STEALER
– GET /gate/sqlite3.dll – RACCOON STEALER
– GET /gate/libs.zip – RACCOON STEALER
– POST /file_handler/file.php – RACCOON STEALER


Shown above: Network traffic associated with the Fallout Exploit Kit and Raccoon Stealer infection
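As an added example (not part of the original post or the pcap), the script below turns the indicators listed above into a small triage check: it parses a one-request-per-line HTTP log, tags each request as the Fallout EK redirector, the Fallout EK landing page, or one of the four Raccoon Stealer URIs, and reports which client IPs show enough of the Raccoon sequence to be called infected. The log format (src_ip, method, host, URI separated by whitespace, as you would get from tshark with -e ip.src -e http.request.method -e http.host -e http.request.uri), the sample log, the redirector path and the raccoon-c2.invalid host name are all constructed for illustration; the post does not show the Raccoon C2 domain, only its URIs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators copied from the ASSOCIATED DOMAINS list above.
FALLOUT_REDIRECTOR = "birosthalittc.in"
FALLOUT_EK_HOST = "grill4u3.com"
FALLOUT_EK_PATH = "/Loricoid/07_12_1920/QW6.aspx"   # query string stripped before matching
# Raccoon Stealer request sequence seen in the pcap: (method, path).
RACCOON_REQUESTS = {
    ("POST", "/gate/log.php"),
    ("GET", "/gate/sqlite3.dll"),
    ("GET", "/gate/libs.zip"),
    ("POST", "/file_handler/file.php"),
}
# A single POST to /gate/log.php could be coincidental; demand at least two of the
# four distinct Raccoon requests from one client before calling it infected (a
# threshold chosen for this example, not something the post states).
RACCOON_MIN_HITS = 2


@dataclass(frozen=True)
class HttpRequest:
    src_ip: str
    method: str
    host: str
    path: str   # URI path without the query string


def parse_log(text: str) -> List[HttpRequest]:
    """Parse constructed 'src_ip METHOD host uri' lines; malformed lines are skipped."""
    reqs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("GET", "POST"):
            continue
        src, method, host, uri = parts
        reqs.append(HttpRequest(src, method, host.lower(), uri.split("?", 1)[0]))
    return reqs


def classify(req: HttpRequest) -> Optional[str]:
    """Tag one request against the indicators, or return None if it matches nothing."""
    if req.host == FALLOUT_REDIRECTOR:
        return "fallout-redirector"
    if req.host == FALLOUT_EK_HOST and req.path == FALLOUT_EK_PATH:
        return "fallout-ek"
    if (req.method, req.path) in RACCOON_REQUESTS:
        return "raccoon-c2"
    return None


def find_infections(reqs: List[HttpRequest]) -> Dict[str, dict]:
    """Group indicator hits per client IP and decide which clients look infected."""
    hits = defaultdict(set)
    for r in reqs:
        tag = classify(r)
        if tag:
            hits[r.src_ip].add((tag, r.method, r.host, r.path))
    report = {}
    for ip, h in hits.items():
        raccoon = sum(1 for tag, *_ in h if tag == "raccoon-c2")
        report[ip] = {
            "tags": sorted({tag for tag, *_ in h}),
            "raccoon_requests": raccoon,
            "infected": raccoon >= RACCOON_MIN_HITS,
        }
    return report


# Constructed sample log: one full infection chain, one clean client, and one
# client with a lone /gate/log.php POST that should not be flagged.
SAMPLE_LOG = """\
10.0.0.5 GET birosthalittc.in /
10.0.0.5 GET grill4u3.com /Loricoid/07_12_1920/QW6.aspx?chrysopid=4320-stogeies-11063
10.0.0.5 POST raccoon-c2.invalid /gate/log.php
10.0.0.5 GET raccoon-c2.invalid /gate/sqlite3.dll
10.0.0.5 GET raccoon-c2.invalid /gate/libs.zip
10.0.0.5 POST raccoon-c2.invalid /file_handler/file.php
10.0.0.7 GET www.example.com /index.html
10.0.0.9 POST forum.example.net /gate/log.php
"""

if __name__ == "__main__":
    for ip, info in find_infections(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Matching on method plus path rather than on a host name is deliberate: Raccoon's C2 host rotates, but the /gate/ and /file_handler/ URIs are what the pcap actually shows, so they are the reusable part of the indicator.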


Raccoon Stealer Original Payload:
Filename: \AppData\LocalLow\cFOkVQWp.tmp
SHA256: 6452BCE880E9B68C2F3FADBE82DBD1B6C4A62A77D58C6731F1987CCF56FEC2BC