raccoon

General

Target

SecuriteInfo.com.Trojan.Siggen12.58144.411.8319
Size

8KB
Sample

210327-t8l1g1fds6
MD5

5a240bb6dcd0af07ba295025c2624d1a
SHA1

3e0d3be59c87628cedb99efb43b0d85ab1451b83
SHA256

2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122
SHA512

d838de728116c0feb5d6e6798264a023e63caba85dbbea376866ef7ac7031d3febd557bdd3fac5c7054e40cc78300d79e861158a360f184b71e32b497de3d32d

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

smokeloader

Version

2020

C2

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Targets

- Target
  
  SecuriteInfo.com.Trojan.Siggen12.58144.411.8319
- Size
  
  8KB
- MD5
  
  5a240bb6dcd0af07ba295025c2624d1a
- SHA1
  
  3e0d3be59c87628cedb99efb43b0d85ab1451b83
- SHA256
  
  2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122
- SHA512
  
  d838de728116c0feb5d6e6798264a023e63caba85dbbea376866ef7ac7031d3febd557bdd3fac5c7054e40cc78300d79e861158a360f184b71e32b497de3d32d
Score

10^/10

smokeloader backdoor persistence trojan raccoon redline tofsee vidar afefd33a49c7cbd55d417545269920f24c85aa37 discovery evasion infostealer stealer
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2