raccoon | efe21ec3a8118e21388c0dde6a40257e44ed807b020f1d6921d83a41cfede454

General

Target

290ea897cfab6a4e8b1837f227d6a467.exe
Size

180KB
MD5

290ea897cfab6a4e8b1837f227d6a467
SHA1

55235125920c509996b5ca91d0f9f805b0563fa0
SHA256

efe21ec3a8118e21388c0dde6a40257e44ed807b020f1d6921d83a41cfede454
SHA512

1d245497df9d68a7650bc0b39e16717710badbd8bfa435e7d45a9549375f02786bc2ab302db0770b29121943f3f5e5641f51388ed5add610d14072331ad44504

Score

10^/10

raccoon smokeloader cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3180-123-0x00000000048A0000-0x0000000004931000-memory.dmp	family_raccoon
behavioral2/memory/3180-126-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3420 created 3180 3420 WerFault.exe BF7D.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

BF7D.exe

pid process

3180 BF7D.exe
Deletes itself 1 IoCs

Processes:

pid process

2724
Suspicious use of SetThreadContext 1 IoCs

Processes:

290ea897cfab6a4e8b1837f227d6a467.exe

description pid process target process

PID 652 set thread context of 4060 652 290ea897cfab6a4e8b1837f227d6a467.exe 290ea897cfab6a4e8b1837f227d6a467.exe

description	pid	process	target process
PID 3420 created 3180	3420	WerFault.exe	BF7D.exe

pid	process
3180	BF7D.exe

pid	process
2724

description	pid	process	target process
PID 652 set thread context of 4060	652	290ea897cfab6a4e8b1837f227d6a467.exe	290ea897cfab6a4e8b1837f227d6a467.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2124	3180	WerFault.exe	BF7D.exe
2340	3180	WerFault.exe	BF7D.exe
3704	3180	WerFault.exe	BF7D.exe
672	3180	WerFault.exe	BF7D.exe
3420	3180	WerFault.exe	BF7D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

290ea897cfab6a4e8b1837f227d6a467.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	290ea897cfab6a4e8b1837f227d6a467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	290ea897cfab6a4e8b1837f227d6a467.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	290ea897cfab6a4e8b1837f227d6a467.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

290ea897cfab6a4e8b1837f227d6a467.exe

pid	process
4060	290ea897cfab6a4e8b1837f227d6a467.exe
4060	290ea897cfab6a4e8b1837f227d6a467.exe
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2724
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

290ea897cfab6a4e8b1837f227d6a467.exe

pid process

4060 290ea897cfab6a4e8b1837f227d6a467.exe
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724

pid	process
2724

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2124	WerFault.exe
Token: SeBackupPrivilege	2124	WerFault.exe
Token: SeDebugPrivilege	2124	WerFault.exe
Token: SeDebugPrivilege	2340	WerFault.exe
Token: SeDebugPrivilege	3704	WerFault.exe
Token: SeDebugPrivilege	672	WerFault.exe
Token: SeDebugPrivilege	3420	WerFault.exe
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2724

pid	process
2724

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

290ea897cfab6a4e8b1837f227d6a467.exe

description	pid	process	target process
PID 652 wrote to memory of 4060	652	290ea897cfab6a4e8b1837f227d6a467.exe	290ea897cfab6a4e8b1837f227d6a467.exe
PID 652 wrote to memory of 4060	652	290ea897cfab6a4e8b1837f227d6a467.exe	290ea897cfab6a4e8b1837f227d6a467.exe
PID 652 wrote to memory of 4060	652	290ea897cfab6a4e8b1837f227d6a467.exe	290ea897cfab6a4e8b1837f227d6a467.exe
PID 652 wrote to memory of 4060	652	290ea897cfab6a4e8b1837f227d6a467.exe	290ea897cfab6a4e8b1837f227d6a467.exe
PID 652 wrote to memory of 4060	652	290ea897cfab6a4e8b1837f227d6a467.exe	290ea897cfab6a4e8b1837f227d6a467.exe
PID 652 wrote to memory of 4060	652	290ea897cfab6a4e8b1837f227d6a467.exe	290ea897cfab6a4e8b1837f227d6a467.exe
PID 2724 wrote to memory of 3180	2724		BF7D.exe
PID 2724 wrote to memory of 3180	2724		BF7D.exe
PID 2724 wrote to memory of 3180	2724		BF7D.exe
PID 2724 wrote to memory of 3676	2724		explorer.exe
PID 2724 wrote to memory of 3676	2724		explorer.exe
PID 2724 wrote to memory of 3676	2724		explorer.exe
PID 2724 wrote to memory of 3676	2724		explorer.exe
PID 2724 wrote to memory of 1420	2724		explorer.exe
PID 2724 wrote to memory of 1420	2724		explorer.exe
PID 2724 wrote to memory of 1420	2724		explorer.exe
PID 2724 wrote to memory of 3848	2724		explorer.exe
PID 2724 wrote to memory of 3848	2724		explorer.exe
PID 2724 wrote to memory of 3848	2724		explorer.exe
PID 2724 wrote to memory of 3848	2724		explorer.exe
PID 2724 wrote to memory of 500	2724		explorer.exe
PID 2724 wrote to memory of 500	2724		explorer.exe
PID 2724 wrote to memory of 500	2724		explorer.exe
PID 2724 wrote to memory of 3732	2724		explorer.exe
PID 2724 wrote to memory of 3732	2724		explorer.exe
PID 2724 wrote to memory of 3732	2724		explorer.exe
PID 2724 wrote to memory of 3732	2724		explorer.exe
PID 2724 wrote to memory of 4004	2724		explorer.exe
PID 2724 wrote to memory of 4004	2724		explorer.exe
PID 2724 wrote to memory of 4004	2724		explorer.exe
PID 2724 wrote to memory of 692	2724		explorer.exe
PID 2724 wrote to memory of 692	2724		explorer.exe
PID 2724 wrote to memory of 692	2724		explorer.exe
PID 2724 wrote to memory of 692	2724		explorer.exe
PID 2724 wrote to memory of 3144	2724		explorer.exe
PID 2724 wrote to memory of 3144	2724		explorer.exe
PID 2724 wrote to memory of 3144	2724		explorer.exe
PID 2724 wrote to memory of 1012	2724		explorer.exe
PID 2724 wrote to memory of 1012	2724		explorer.exe
PID 2724 wrote to memory of 1012	2724		explorer.exe
PID 2724 wrote to memory of 1012	2724		explorer.exe

C:\Users\Admin\AppData\Local\Temp\290ea897cfab6a4e8b1837f227d6a467.exe
"C:\Users\Admin\AppData\Local\Temp\290ea897cfab6a4e8b1837f227d6a467.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\290ea897cfab6a4e8b1837f227d6a467.exe
"C:\Users\Admin\AppData\Local\Temp\290ea897cfab6a4e8b1837f227d6a467.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4060

C:\Users\Admin\AppData\Local\Temp\BF7D.exe
C:\Users\Admin\AppData\Local\Temp\BF7D.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 748
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 752
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3676

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1420

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3848

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:500

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3732

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3144

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BF7D.exe
MD5
6f1c3dfab2badbfccc465998474fd3e6

SHA1
a3bb8acc48e1d5e0f89e1f1d542db35252a26176

SHA256
3a3058d09218b1f26971c761309cbd818e5acccb7dfaa713674a846e1cbdfd33

SHA512
4d167c024540bc6c818351258c1bbd7af17f2b77cba3573dd9393a691fb3d3ff9697463d6fd25f5373c1e7607d3058765665be9878614bbec870a6b17d5bd4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF7D.exe
MD5
6f1c3dfab2badbfccc465998474fd3e6

SHA1
a3bb8acc48e1d5e0f89e1f1d542db35252a26176

SHA256
3a3058d09218b1f26971c761309cbd818e5acccb7dfaa713674a846e1cbdfd33

SHA512
4d167c024540bc6c818351258c1bbd7af17f2b77cba3573dd9393a691fb3d3ff9697463d6fd25f5373c1e7607d3058765665be9878614bbec870a6b17d5bd4c9

Download Submit
memory/500-134-0x00000000005C0000-0x00000000005CF000-memory.dmp

Filesize
60KB

Download
memory/500-133-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/500-132-0x0000000000000000-mapping.dmp

Download
memory/652-114-0x0000000002D60000-0x0000000002EAA000-memory.dmp

Filesize
1.3MB

Download
memory/692-141-0x0000000000000000-mapping.dmp

Download
memory/692-143-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/692-142-0x0000000000860000-0x0000000000864000-memory.dmp

Filesize
16KB

Download
memory/1012-148-0x0000000000E20000-0x0000000000E25000-memory.dmp

Filesize
20KB

Download
memory/1012-149-0x0000000000E10000-0x0000000000E19000-memory.dmp

Filesize
36KB

Download
memory/1012-147-0x0000000000000000-mapping.dmp

Download
memory/1420-128-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/1420-122-0x0000000000000000-mapping.dmp

Download
memory/1420-127-0x0000000001010000-0x0000000001017000-memory.dmp

Filesize
28KB

Download
memory/2724-117-0x0000000000D50000-0x0000000000D66000-memory.dmp

Filesize
88KB

Download
memory/3144-146-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download
memory/3144-145-0x0000000000340000-0x0000000000345000-memory.dmp

Filesize
20KB

Download
memory/3144-144-0x0000000000000000-mapping.dmp

Download
memory/3180-126-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/3180-118-0x0000000000000000-mapping.dmp

Download
memory/3180-123-0x00000000048A0000-0x0000000004931000-memory.dmp

Filesize
580KB

Download
memory/3676-121-0x0000000000000000-mapping.dmp

Download
memory/3676-124-0x0000000000C70000-0x0000000000CE4000-memory.dmp

Filesize
464KB

Download
memory/3676-125-0x0000000000C00000-0x0000000000C6B000-memory.dmp

Filesize
428KB

Download
memory/3732-135-0x0000000000000000-mapping.dmp

Download
memory/3732-136-0x0000000000960000-0x0000000000965000-memory.dmp

Filesize
20KB

Download
memory/3732-137-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/3848-129-0x0000000000000000-mapping.dmp

Download
memory/3848-131-0x00000000006C0000-0x00000000006CB000-memory.dmp

Filesize
44KB

Download
memory/3848-130-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/4004-139-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/4004-140-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/4004-138-0x0000000000000000-mapping.dmp

Download
memory/4060-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4060-116-0x0000000000402E1A-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads