raccoon | 7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01

General

Target

e092c290ecbe05b96a01a8557d202191.exe
Size

180KB
MD5

e092c290ecbe05b96a01a8557d202191
SHA1

81ce24f7af893885025cb184de98da3bee563169
SHA256

7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01
SHA512

8dc9553013af612b8b5099bdeff2eaf021a2369298428460e4a349220c8db912e3a34f45eba9fbd89e9ea96f5d672d0eb9a9373b497130206bc5e3b4de963799

Score

10^/10

raccoon smokeloader cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2664-126-0x0000000000400000-0x0000000002CA9000-memory.dmp	family_raccoon
behavioral2/memory/2664-125-0x00000000048B0000-0x0000000004941000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2016 created 2664 2016 WerFault.exe C1DE.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

C1DE.exe

pid process

2664 C1DE.exe
Deletes itself 1 IoCs

Processes:

pid process

3036
Suspicious use of SetThreadContext 1 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

description pid process target process

PID 2016 set thread context of 2464 2016 e092c290ecbe05b96a01a8557d202191.exe e092c290ecbe05b96a01a8557d202191.exe

description	pid	process	target process
PID 2016 created 2664	2016	WerFault.exe	C1DE.exe

pid	process
2664	C1DE.exe

pid	process
3036

description	pid	process	target process
PID 2016 set thread context of 2464	2016	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3492	2664	WerFault.exe	C1DE.exe
3908	2664	WerFault.exe	C1DE.exe
2328	2664	WerFault.exe	C1DE.exe
3848	2664	WerFault.exe	C1DE.exe
2016	2664	WerFault.exe	C1DE.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e092c290ecbe05b96a01a8557d202191.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e092c290ecbe05b96a01a8557d202191.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e092c290ecbe05b96a01a8557d202191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e092c290ecbe05b96a01a8557d202191.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

pid	process
2464	e092c290ecbe05b96a01a8557d202191.exe
2464	e092c290ecbe05b96a01a8557d202191.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

pid process

2464 e092c290ecbe05b96a01a8557d202191.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

pid	process
3036

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3492	WerFault.exe
Token: SeBackupPrivilege	3492	WerFault.exe
Token: SeDebugPrivilege	3492	WerFault.exe
Token: SeDebugPrivilege	3908	WerFault.exe
Token: SeDebugPrivilege	2328	WerFault.exe
Token: SeDebugPrivilege	3848	WerFault.exe
Token: SeDebugPrivilege	2016	WerFault.exe
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3036

pid	process
3036

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

e092c290ecbe05b96a01a8557d202191.exe

description	pid	process	target process
PID 2016 wrote to memory of 2464	2016	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 2016 wrote to memory of 2464	2016	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 2016 wrote to memory of 2464	2016	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 2016 wrote to memory of 2464	2016	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 2016 wrote to memory of 2464	2016	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 2016 wrote to memory of 2464	2016	e092c290ecbe05b96a01a8557d202191.exe	e092c290ecbe05b96a01a8557d202191.exe
PID 3036 wrote to memory of 2664	3036		C1DE.exe
PID 3036 wrote to memory of 2664	3036		C1DE.exe
PID 3036 wrote to memory of 2664	3036		C1DE.exe
PID 3036 wrote to memory of 4092	3036		explorer.exe
PID 3036 wrote to memory of 4092	3036		explorer.exe
PID 3036 wrote to memory of 4092	3036		explorer.exe
PID 3036 wrote to memory of 4092	3036		explorer.exe
PID 3036 wrote to memory of 2160	3036		explorer.exe
PID 3036 wrote to memory of 2160	3036		explorer.exe
PID 3036 wrote to memory of 2160	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 2132	3036		explorer.exe
PID 3036 wrote to memory of 3932	3036		explorer.exe
PID 3036 wrote to memory of 3932	3036		explorer.exe
PID 3036 wrote to memory of 3932	3036		explorer.exe
PID 3036 wrote to memory of 3180	3036		explorer.exe
PID 3036 wrote to memory of 3180	3036		explorer.exe
PID 3036 wrote to memory of 3180	3036		explorer.exe
PID 3036 wrote to memory of 3180	3036		explorer.exe
PID 3036 wrote to memory of 2980	3036		explorer.exe
PID 3036 wrote to memory of 2980	3036		explorer.exe
PID 3036 wrote to memory of 2980	3036		explorer.exe
PID 3036 wrote to memory of 2188	3036		explorer.exe
PID 3036 wrote to memory of 2188	3036		explorer.exe
PID 3036 wrote to memory of 2188	3036		explorer.exe
PID 3036 wrote to memory of 2188	3036		explorer.exe
PID 3036 wrote to memory of 2748	3036		explorer.exe
PID 3036 wrote to memory of 2748	3036		explorer.exe
PID 3036 wrote to memory of 2748	3036		explorer.exe
PID 3036 wrote to memory of 2096	3036		explorer.exe
PID 3036 wrote to memory of 2096	3036		explorer.exe
PID 3036 wrote to memory of 2096	3036		explorer.exe
PID 3036 wrote to memory of 2096	3036		explorer.exe

C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe
"C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe
"C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2464

C:\Users\Admin\AppData\Local\Temp\C1DE.exe
C:\Users\Admin\AppData\Local\Temp\C1DE.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 736
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 748
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 752
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 884
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 872
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4092

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2132

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C1DE.exe
MD5
c25b6682d6bd2dd6086223d4f7c9a322

SHA1
0df9d75090cb72412c7b9116a2cdfe7786605b7a

SHA256
253da36045abbbf91fa0afb5c336cef0a15950052d73adffcc0d3a015eee9db3

SHA512
b38608be0d545fc9fb6917c7bbbe645c86e382ea04532a00cf492cf65f2fb0156791be88f1afdfb6b80bdad4d47c76e5ef2b2bcfcf66ddaaaf79d00bd577fcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1DE.exe
MD5
c25b6682d6bd2dd6086223d4f7c9a322

SHA1
0df9d75090cb72412c7b9116a2cdfe7786605b7a

SHA256
253da36045abbbf91fa0afb5c336cef0a15950052d73adffcc0d3a015eee9db3

SHA512
b38608be0d545fc9fb6917c7bbbe645c86e382ea04532a00cf492cf65f2fb0156791be88f1afdfb6b80bdad4d47c76e5ef2b2bcfcf66ddaaaf79d00bd577fcf6

Download Submit
memory/2016-116-0x0000000002D90000-0x0000000002D9A000-memory.dmp

Filesize
40KB

Download
memory/2096-148-0x00000000006C0000-0x00000000006C5000-memory.dmp

Filesize
20KB

Download
memory/2096-149-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/2096-147-0x0000000000000000-mapping.dmp

Download
memory/2132-131-0x0000000000580000-0x000000000058B000-memory.dmp

Filesize
44KB

Download
memory/2132-130-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/2132-129-0x0000000000000000-mapping.dmp

Download
memory/2160-128-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/2160-122-0x0000000000000000-mapping.dmp

Download
memory/2160-127-0x0000000000C80000-0x0000000000C87000-memory.dmp

Filesize
28KB

Download
memory/2188-142-0x00000000009A0000-0x00000000009A4000-memory.dmp

Filesize
16KB

Download
memory/2188-143-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/2188-141-0x0000000000000000-mapping.dmp

Download
memory/2464-115-0x0000000000402E1A-mapping.dmp

Download
memory/2464-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2664-126-0x0000000000400000-0x0000000002CA9000-memory.dmp

Filesize
40.7MB

Download
memory/2664-125-0x00000000048B0000-0x0000000004941000-memory.dmp

Filesize
580KB

Download
memory/2664-118-0x0000000000000000-mapping.dmp

Download
memory/2748-145-0x0000000000E40000-0x0000000000E45000-memory.dmp

Filesize
20KB

Download
memory/2748-146-0x0000000000E30000-0x0000000000E39000-memory.dmp

Filesize
36KB

Download
memory/2748-144-0x0000000000000000-mapping.dmp

Download
memory/2980-138-0x0000000000000000-mapping.dmp

Download
memory/2980-139-0x0000000001100000-0x0000000001106000-memory.dmp

Filesize
24KB

Download
memory/2980-140-0x00000000010F0000-0x00000000010FC000-memory.dmp

Filesize
48KB

Download
memory/3036-117-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/3180-135-0x0000000000000000-mapping.dmp

Download
memory/3180-136-0x0000000000CC0000-0x0000000000CC5000-memory.dmp

Filesize
20KB

Download
memory/3180-137-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

Filesize
36KB

Download
memory/3932-132-0x0000000000000000-mapping.dmp

Download
memory/3932-134-0x0000000000EF0000-0x0000000000EFF000-memory.dmp

Filesize
60KB

Download
memory/3932-133-0x0000000000F00000-0x0000000000F09000-memory.dmp

Filesize
36KB

Download
memory/4092-124-0x00000000008B0000-0x000000000091B000-memory.dmp

Filesize
428KB

Download
memory/4092-123-0x0000000000920000-0x0000000000994000-memory.dmp

Filesize
464KB

Download
memory/4092-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads