raccoon | 7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01

General

Target

e092c290ecbe05b96a01a8557d202191.exe
Size

180KB
MD5

e092c290ecbe05b96a01a8557d202191
SHA1

81ce24f7af893885025cb184de98da3bee563169
SHA256

7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01
SHA512

8dc9553013af612b8b5099bdeff2eaf021a2369298428460e4a349220c8db912e3a34f45eba9fbd89e9ea96f5d672d0eb9a9373b497130206bc5e3b4de963799

Score

10^/10

raccoon smokeloader cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2624-122-0x0000000004900000-0x0000000004991000-memory.dmp	family_raccoon
behavioral2/memory/2624-126-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 852 created 2624 852 WerFault.exe 2403.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

2403.exe

pid process

2624 2403.exe
Deletes itself 1 IoCs

Processes:

pid process

3016
Suspicious use of SetThreadContext 1 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

description pid process target process

PID 3128 set thread context of 1396 3128 e092c290ecbe05b96a01a8557d202191.exe e092c290ecbe05b96a01a8557d202191.exe

description	pid	process	target process
PID 852 created 2624	852	WerFault.exe	2403.exe

pid	process
2624	2403.exe

pid	process
3016

description	pid	process	target process
PID 3128 set thread context of 1396	3128	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1308	2624	WerFault.exe	2403.exe
2100	2624	WerFault.exe	2403.exe
4016	2624	WerFault.exe	2403.exe
3832	2624	WerFault.exe	2403.exe
852	2624	WerFault.exe	2403.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e092c290ecbe05b96a01a8557d202191.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e092c290ecbe05b96a01a8557d202191.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e092c290ecbe05b96a01a8557d202191.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e092c290ecbe05b96a01a8557d202191.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

pid	process
1396	e092c290ecbe05b96a01a8557d202191.exe
1396	e092c290ecbe05b96a01a8557d202191.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

pid process

1396 e092c290ecbe05b96a01a8557d202191.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

pid	process
3016

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1308	WerFault.exe
Token: SeBackupPrivilege	1308	WerFault.exe
Token: SeDebugPrivilege	1308	WerFault.exe
Token: SeDebugPrivilege	2100	WerFault.exe
Token: SeDebugPrivilege	4016	WerFault.exe
Token: SeDebugPrivilege	3832	WerFault.exe
Token: SeDebugPrivilege	852	WerFault.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3016
3016
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3016
3016
3016
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3016

pid	process
3016
3016

pid	process
3016
3016
3016

pid	process
3016

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

description	pid	process	target process
PID 3128 wrote to memory of 1396	3128	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 3128 wrote to memory of 1396	3128	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 3128 wrote to memory of 1396	3128	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 3128 wrote to memory of 1396	3128	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 3128 wrote to memory of 1396	3128	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 3128 wrote to memory of 1396	3128	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 3016 wrote to memory of 2624	3016		2403.exe
PID 3016 wrote to memory of 2624	3016		2403.exe
PID 3016 wrote to memory of 2624	3016		2403.exe
PID 3016 wrote to memory of 3064	3016		explorer.exe
PID 3016 wrote to memory of 3064	3016		explorer.exe
PID 3016 wrote to memory of 3064	3016		explorer.exe
PID 3016 wrote to memory of 3064	3016		explorer.exe
PID 3016 wrote to memory of 496	3016		explorer.exe
PID 3016 wrote to memory of 496	3016		explorer.exe
PID 3016 wrote to memory of 496	3016		explorer.exe
PID 3016 wrote to memory of 2268	3016		explorer.exe
PID 3016 wrote to memory of 2268	3016		explorer.exe
PID 3016 wrote to memory of 2268	3016		explorer.exe
PID 3016 wrote to memory of 2268	3016		explorer.exe
PID 3016 wrote to memory of 2072	3016		explorer.exe
PID 3016 wrote to memory of 2072	3016		explorer.exe
PID 3016 wrote to memory of 2072	3016		explorer.exe
PID 3016 wrote to memory of 3916	3016		explorer.exe
PID 3016 wrote to memory of 3916	3016		explorer.exe
PID 3016 wrote to memory of 3916	3016		explorer.exe
PID 3016 wrote to memory of 3916	3016		explorer.exe
PID 3016 wrote to memory of 412	3016		explorer.exe
PID 3016 wrote to memory of 412	3016		explorer.exe
PID 3016 wrote to memory of 412	3016		explorer.exe
PID 3016 wrote to memory of 1544	3016		explorer.exe
PID 3016 wrote to memory of 1544	3016		explorer.exe
PID 3016 wrote to memory of 1544	3016		explorer.exe
PID 3016 wrote to memory of 1544	3016		explorer.exe
PID 3016 wrote to memory of 1548	3016		explorer.exe
PID 3016 wrote to memory of 1548	3016		explorer.exe
PID 3016 wrote to memory of 1548	3016		explorer.exe
PID 3016 wrote to memory of 2192	3016		explorer.exe
PID 3016 wrote to memory of 2192	3016		explorer.exe
PID 3016 wrote to memory of 2192	3016		explorer.exe
PID 3016 wrote to memory of 2192	3016		explorer.exe

C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe
"C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe
"C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1396

C:\Users\Admin\AppData\Local\Temp\2403.exe
C:\Users\Admin\AppData\Local\Temp\2403.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 748
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 880
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 736
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:496

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2268

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1544

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2403.exe
MD5
bcb7a8c35da728b75d377c38a80d503c

SHA1
c21b88f09971bd30ac49daab64e0f669409af60a

SHA256
e95de24b1497e98be071715371def2978162ebb70ae999ad824ca48800271fc8

SHA512
501d7ba9560eb731bf429f02f9ebe545db1b619939a92300388319f8760e7f80e53cf6965ed2e7391e894b4fc6ec338804210f827d411a45dc7b984d79bd2257

Download Submit
C:\Users\Admin\AppData\Local\Temp\2403.exe
MD5
bcb7a8c35da728b75d377c38a80d503c

SHA1
c21b88f09971bd30ac49daab64e0f669409af60a

SHA256
e95de24b1497e98be071715371def2978162ebb70ae999ad824ca48800271fc8

SHA512
501d7ba9560eb731bf429f02f9ebe545db1b619939a92300388319f8760e7f80e53cf6965ed2e7391e894b4fc6ec338804210f827d411a45dc7b984d79bd2257

Download Submit
memory/412-138-0x0000000000000000-mapping.dmp

Download
memory/412-139-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

Filesize
24KB

Download
memory/412-140-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/496-124-0x0000000000000000-mapping.dmp

Download
memory/496-128-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/496-127-0x00000000009C0000-0x00000000009C7000-memory.dmp

Filesize
28KB

Download
memory/1396-115-0x0000000000402E1A-mapping.dmp

Download
memory/1396-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1544-143-0x0000000000870000-0x0000000000879000-memory.dmp

Filesize
36KB

Download
memory/1544-141-0x0000000000000000-mapping.dmp

Download
memory/1544-142-0x0000000000880000-0x0000000000884000-memory.dmp

Filesize
16KB

Download
memory/1548-144-0x0000000000000000-mapping.dmp

Download
memory/1548-146-0x0000000000C10000-0x0000000000C19000-memory.dmp

Filesize
36KB

Download
memory/1548-145-0x0000000000C20000-0x0000000000C25000-memory.dmp

Filesize
20KB

Download
memory/2072-132-0x0000000000000000-mapping.dmp

Download
memory/2072-133-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

Filesize
36KB

Download
memory/2072-134-0x0000000000DD0000-0x0000000000DDF000-memory.dmp

Filesize
60KB

Download
memory/2192-149-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/2192-148-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/2192-147-0x0000000000000000-mapping.dmp

Download
memory/2268-130-0x0000000000780000-0x0000000000787000-memory.dmp

Filesize
28KB

Download
memory/2268-131-0x0000000000770000-0x000000000077B000-memory.dmp

Filesize
44KB

Download
memory/2268-129-0x0000000000000000-mapping.dmp

Download
memory/2624-126-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/2624-118-0x0000000000000000-mapping.dmp

Download
memory/2624-122-0x0000000004900000-0x0000000004991000-memory.dmp

Filesize
580KB

Download
memory/3016-117-0x00000000012D0000-0x00000000012E6000-memory.dmp

Filesize
88KB

Download
memory/3064-121-0x0000000000000000-mapping.dmp

Download
memory/3064-123-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3064-125-0x0000000000190000-0x00000000001FB000-memory.dmp

Filesize
428KB

Download
memory/3128-116-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/3916-137-0x0000000000380000-0x0000000000389000-memory.dmp

Filesize
36KB

Download
memory/3916-136-0x0000000000390000-0x0000000000395000-memory.dmp

Filesize
20KB

Download
memory/3916-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads