raccoon

Target

toolspab.rar
Size

5.1MB
Sample

210708-3ypfnj5j7x
MD5

03bcf66328cf26085b60c21dd9e8bc82
SHA1

8b2cd596a60495ccc9767254b2eec9071350c5a4
SHA256

64dc2b5958fe37dd9733928c156e0c75ab544e2e0169f9f796c3f3db809bcbe5
SHA512

77740835104940fd5ddaf89b450aa6e93183cd223fbf6dad0e7ab524c2438c95637a474bec1f32e63d59daff98fe09ea9bf74bd9175f1ddd58622e57056c884d

Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

redline

Botnet

45.32.235.238:45555

Extracted

Family

redline

45.93.4.12:80

Targets

- Target
  
  toolspab2 (1).exe
- Size
  
  315KB
- MD5
  
  585c257e0b345b762e7cdc407d8f9da2
- SHA1
  
  ffee403d97b76c3460fc166b9d5ce1205cd216a5
- SHA256
  
  4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
- SHA512
  
  14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  toolspab2 (10).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  toolspab2 (11).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  toolspab2 (12).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  toolspab2 (13).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral9 behavioral10
- Target
  
  toolspab2 (14).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  toolspab2 (15).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  toolspab2 (16).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  toolspab2 (17).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  toolspab2 (18).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader backdoor discovery infostealer spyware stealer trojan 1 persistence
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  toolspab2 (19).exe
- Size
  
  315KB
- MD5
  
  1d20e1f65938e837ef1b88f10f1bd6c3
- SHA1
  
  703d7098dbfc476d2181b7fc041cc23e49c368f1
- SHA256
  
  05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
- SHA512
  
  f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  toolspab2 (2).exe
- Size
  
  315KB
- MD5
  
  585c257e0b345b762e7cdc407d8f9da2
- SHA1
  
  ffee403d97b76c3460fc166b9d5ce1205cd216a5
- SHA256
  
  4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
- SHA512
  
  14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  toolspab2 (20).exe
- Size
  
  315KB
- MD5
  
  585c257e0b345b762e7cdc407d8f9da2
- SHA1
  
  ffee403d97b76c3460fc166b9d5ce1205cd216a5
- SHA256
  
  4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
- SHA512
  
  14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  toolspab2 (21).exe
- Size
  
  315KB
- MD5
  
  585c257e0b345b762e7cdc407d8f9da2
- SHA1
  
  ffee403d97b76c3460fc166b9d5ce1205cd216a5
- SHA256
  
  4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
- SHA512
  
  14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  toolspab2 (22).exe
- Size
  
  315KB
- MD5
  
  585c257e0b345b762e7cdc407d8f9da2
- SHA1
  
  ffee403d97b76c3460fc166b9d5ce1205cd216a5
- SHA256
  
  4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
- SHA512
  
  14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Score

10^/10

raccoon redline smokeloader 1 backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  toolspab2 (23).exe
- Size
  
  315KB
- MD5
  
  585c257e0b345b762e7cdc407d8f9da2
- SHA1
  
  ffee403d97b76c3460fc166b9d5ce1205cd216a5
- SHA256
  
  4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
- SHA512
  
  14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Score

10^/10

raccoon redline smokeloader backdoor discovery infostealer spyware stealer trojan 1
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

RedLine

RedLine Payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Raccoon

RedLine

RedLine Payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Raccoon

RedLine

RedLine Payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Raccoon

RedLine

RedLine Payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Raccoon

RedLine

RedLine Payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Raccoon

RedLine

RedLine Payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself