raccoon

General

Target

44AC6FC2F8D02857F9D7A7BFDE1E2376.exe
Size

3.9MB
Sample

210813-anecvd9pta
MD5

44ac6fc2f8d02857f9d7a7bfde1e2376
SHA1

0e3c85f03fd36cc4001fb68996b53ff8afb17f7e
SHA256

bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c
SHA512

585a915f8669d2303eca95729ec062dbe08907c33e5685f68a0fa563d3ba03f0754b82982c28e74a1f586d5c96872cb1a0c11fb30eec95c3263fcf058ec2cca8

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

rc4.i32

Extracted

Family

vidar

Version

40

Botnet

937

C2

https://lenak513.tumblr.com/

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

93d3ccba4a3cbd5e268873fc1760b2335272e198

Attributes

url4cnc
https://telete.in/opa4kiprivatem

rc4.plain

Extracted

Family

vidar

Version

40

Botnet

916

C2

https://lenak513.tumblr.com/

Attributes

profile_id
916

Extracted

Family

vidar

Version

39.9

Botnet

706

C2

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Targets

- Target
  
  44AC6FC2F8D02857F9D7A7BFDE1E2376.exe
- Size
  
  3.9MB
- MD5
  
  44ac6fc2f8d02857f9d7a7bfde1e2376
- SHA1
  
  0e3c85f03fd36cc4001fb68996b53ff8afb17f7e
- SHA256
  
  bae14391cbc9ddb999947b70f3975a7309f73d422a02aaa13ae9100baaa0652c
- SHA512
  
  585a915f8669d2303eca95729ec062dbe08907c33e5685f68a0fa563d3ba03f0754b82982c28e74a1f586d5c96872cb1a0c11fb30eec95c3263fcf058ec2cca8
Score

10^/10

raccoon redline smokeloader vidar 706 916 937 93d3ccba4a3cbd5e268873fc1760b2335272e198 aspackv2 backdoor infostealer persistence stealer suricata trojan vmprotect
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M1
  suricata: ET MALWARE GCleaner Downloader Activity M1
  suricata
- suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
  suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
  suricata
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2