raccoon

Sharing

General

Target

a68a2cc4a8b2ad718667b119888e1ce6.exe
Size

5.3MB
Sample

210904-2w85aaeee5
MD5

a68a2cc4a8b2ad718667b119888e1ce6
SHA1

716bc67bc233a15b9e49d609df38f446e1c12edb
SHA256

6287d0a9d9987e47175885ee55b3fdc4bbdd7fd67204b715ccff57803dd2e316
SHA512

5610516de815ed667839738c1a9ba00a44c2fcc5eff9eaf64174edb253ffb0ad02ce464ed8831e65e1e396388614786961b9bd99ff19a87ada7f03b370b3e8d3

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pub1

viacetequn.site:80

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

NORMAN3

45.14.49.184:28743

Extracted

Family

vidar

Version

40.4

Botnet

937

https://romkaxarit.tumblr.com/

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

b8ef25fa9e346b7a31e4b6ff160623dd5fed2474

Attributes

url4cnc
https://telete.in/iphbarberleo

rc4.plain

Targets

- Target
  
  a68a2cc4a8b2ad718667b119888e1ce6.exe
- Size
  
  5.3MB
- MD5
  
  a68a2cc4a8b2ad718667b119888e1ce6
- SHA1
  
  716bc67bc233a15b9e49d609df38f446e1c12edb
- SHA256
  
  6287d0a9d9987e47175885ee55b3fdc4bbdd7fd67204b715ccff57803dd2e316
- SHA512
  
  5610516de815ed667839738c1a9ba00a44c2fcc5eff9eaf64174edb253ffb0ad02ce464ed8831e65e1e396388614786961b9bd99ff19a87ada7f03b370b3e8d3
Score

10^/10

redline smokeloader vidar 706 norman3 pub1 aspackv2 backdoor infostealer persistence stealer themida trojan raccoon vkeylogger 937 b8ef25fa9e346b7a31e4b6ff160623dd5fed2474 keylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- VKeylogger
  A keylogger first seen in Nov 2020.
  stealer keylogger vkeylogger
- VKeylogger Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

VKeylogger

VKeylogger Payload

Vidar

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Themida packer

Adds Run key to start application

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2