raccoon

General

Target

B54032FC01363B6A3DC2378196C4BC4C.exe
Size

4.8MB
Sample

210828-nk1mnazpea
MD5

b54032fc01363b6a3dc2378196c4bc4c
SHA1

c8d3b054ace51f4d59d5f774d690b92b672ac593
SHA256

79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a
SHA512

b66b08e4323c430e7274c8dbb0ea75b1040d1b42191d92e7466c56900839e4f31301a058f0192ff7fc7287fd918e59c0b6d6ecdefb61d396c0c6176f91926571

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

706

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pub1

C2

viacetequn.site:80

Extracted

Family

vidar

Version

40.1

Botnet

1002

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
1002

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

0a7408c65c3ceba29fcaa1d6f9f7143fe4fab73a

Attributes

url4cnc
https://telete.in/secuhaski4

rc4.plain

Targets

- Target
  
  B54032FC01363B6A3DC2378196C4BC4C.exe
- Size
  
  4.8MB
- MD5
  
  b54032fc01363b6a3dc2378196c4bc4c
- SHA1
  
  c8d3b054ace51f4d59d5f774d690b92b672ac593
- SHA256
  
  79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a
- SHA512
  
  b66b08e4323c430e7274c8dbb0ea75b1040d1b42191d92e7466c56900839e4f31301a058f0192ff7fc7287fd918e59c0b6d6ecdefb61d396c0c6176f91926571
Score

10^/10

redline vidar 1002 706 pub1 aspackv2 infostealer persistence stealer suricata raccoon smokeloader 0a7408c65c3ceba29fcaa1d6f9f7143fe4fab73a backdoor themida trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2