raccoon

General

Target

5e7f9ae99a7e6cc5a2f40a4a159bc3db.exe
Size

150KB
Sample

210824-lrmnax2mln
MD5

5e7f9ae99a7e6cc5a2f40a4a159bc3db
SHA1

7fe31637a9f6e2e6e463d2076702a00f92f06d76
SHA256

b302fcb42934760527ba26528d13aaa8e2cc3150b8055485e5c27f24edaf2892
SHA512

48e3d73da4d1584ca42fa07cca2f02796040b7b2b19c9889631868b3fcea727a4fc0a268a63133cc7c8a6350a4514b7891f611410c89440dcfa10fce19cef5d2

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

fe582536ec580228180f270f7cb80a867860e010

Attributes

url4cnc
https://telete.in/xylichanjk

rc4.plain

Extracted

Family

vidar

Version

40.1

Botnet

824

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
824

Extracted

Family

raccoon

Botnet

b8ef25fa9e346b7a31e4b6ff160623dd5fed2474

Attributes

url4cnc
https://telete.in/iphbarberleo

rc4.plain

Targets

- Target
  
  5e7f9ae99a7e6cc5a2f40a4a159bc3db.exe
- Size
  
  150KB
- MD5
  
  5e7f9ae99a7e6cc5a2f40a4a159bc3db
- SHA1
  
  7fe31637a9f6e2e6e463d2076702a00f92f06d76
- SHA256
  
  b302fcb42934760527ba26528d13aaa8e2cc3150b8055485e5c27f24edaf2892
- SHA512
  
  48e3d73da4d1584ca42fa07cca2f02796040b7b2b19c9889631868b3fcea727a4fc0a268a63133cc7c8a6350a4514b7891f611410c89440dcfa10fce19cef5d2
Score

10^/10

raccoon redline smokeloader vidar 824 b8ef25fa9e346b7a31e4b6ff160623dd5fed2474 fe582536ec580228180f270f7cb80a867860e010 backdoor evasion infostealer persistence spyware stealer themida trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2