raccoon

General

Target

6a43d092b3a66148c04c16d13081e909.exe
Size

71KB
Sample

210327-x8j146yj16
MD5

6a43d092b3a66148c04c16d13081e909
SHA1

41e620bb055a61149f6940bed04a3ae5edd4bce5
SHA256

12bbe24de7cb5efda944526935ce54a013d93d99b366b9f74a19828ddc987ebc
SHA512

9d047dc2fa49503f52cde5d39e9d19b05168a1dcecbcce93c3c7d3dfefbaee9caf3d0f9237d8987b9ae73ac6d626b4353dfa66bf061c9fd1badf0072da79e453

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

smokeloader

Version

2020

C2

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

dd478ff8ed48e4864892644c2a5502e502f6869c

Attributes

url4cnc
https://telete.in/iodmarius

rc4.plain

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Targets

- Target
  
  6a43d092b3a66148c04c16d13081e909.exe
- Size
  
  71KB
- MD5
  
  6a43d092b3a66148c04c16d13081e909
- SHA1
  
  41e620bb055a61149f6940bed04a3ae5edd4bce5
- SHA256
  
  12bbe24de7cb5efda944526935ce54a013d93d99b366b9f74a19828ddc987ebc
- SHA512
  
  9d047dc2fa49503f52cde5d39e9d19b05168a1dcecbcce93c3c7d3dfefbaee9caf3d0f9237d8987b9ae73ac6d626b4353dfa66bf061c9fd1badf0072da79e453
Score

10^/10

smokeloader backdoor persistence trojan upx raccoon tofsee vidar afefd33a49c7cbd55d417545269920f24c85aa37 dd478ff8ed48e4864892644c2a5502e502f6869c evasion stealer
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2