raccoon

General

Target

52B69CCF22EC2B5084FEE8F4EC9188ED.exe
Size

4.7MB
Sample

210905-pxdcsahfb6
MD5

52b69ccf22ec2b5084fee8f4ec9188ed
SHA1

a5dc3c46688bac249e0da29b1b2da8640039d108
SHA256

3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
SHA512

1732ea60b4729e1440c585d7b7156db6c49f0c88e0c3de6257e21550a3abb9ea5b5744886ec60ba9fe7b25f395d67867e68b730bf8ffee4e859eb61211788d65

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

pab777

C2

185.215.113.15:6043

Extracted

Family

vidar

Version

40.3

Botnet

706

C2

https://lenko349.tumblr.com/

Attributes

profile_id
706

Extracted

Family

vidar

Version

40.4

Botnet

937

C2

https://romkaxarit.tumblr.com/

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

b8ef25fa9e346b7a31e4b6ff160623dd5fed2474

Attributes

url4cnc
https://telete.in/iphbarberleo

rc4.plain

Targets

- Target
  
  52B69CCF22EC2B5084FEE8F4EC9188ED.exe
- Size
  
  4.7MB
- MD5
  
  52b69ccf22ec2b5084fee8f4ec9188ed
- SHA1
  
  a5dc3c46688bac249e0da29b1b2da8640039d108
- SHA256
  
  3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
- SHA512
  
  1732ea60b4729e1440c585d7b7156db6c49f0c88e0c3de6257e21550a3abb9ea5b5744886ec60ba9fe7b25f395d67867e68b730bf8ffee4e859eb61211788d65
Score

10^/10

redline pab777 aspackv2 evasion infostealer trojan raccoon vidar vkeylogger 706 937 b8ef25fa9e346b7a31e4b6ff160623dd5fed2474 keylogger stealer themida
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- VKeylogger
  A keylogger first seen in Nov 2020.
  stealer keylogger vkeylogger
- VKeylogger Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

VKeylogger

VKeylogger Payload

Vidar

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Themida packer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2