raccoon

General

Target

9ca449b299e7c6d0729a3833d06194ca7ffd3298a41d4d9743f68fee18101b8d
Size

182KB
Sample

210912-3gkc2scfd6
MD5

9ab045a10142aa46a2c6e3aa01f7b31b
SHA1

75427039d24944103a40b299b73d6ba60805b3d6
SHA256

9ca449b299e7c6d0729a3833d06194ca7ffd3298a41d4d9743f68fee18101b8d
SHA512

25ab3379b6e6c3d730a4b638f89a477c383e6a0a3f72e4be60888f2b3534842dabfc80146748c77d6dbf06cdb7cf3affa7c4a0e01fb078bd1c7305eaff9339fc

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/

rc4.i32

Extracted

Family

redline

Botnet

pro2

C2

95.217.117.91:21361

Extracted

Family

redline

Botnet

build3

C2

92.119.113.20:20871

Extracted

Family

redline

Botnet

proliv13.09

C2

45.14.49.167:5096

Targets

- Target
  
  9ca449b299e7c6d0729a3833d06194ca7ffd3298a41d4d9743f68fee18101b8d
- Size
  
  182KB
- MD5
  
  9ab045a10142aa46a2c6e3aa01f7b31b
- SHA1
  
  75427039d24944103a40b299b73d6ba60805b3d6
- SHA256
  
  9ca449b299e7c6d0729a3833d06194ca7ffd3298a41d4d9743f68fee18101b8d
- SHA512
  
  25ab3379b6e6c3d730a4b638f89a477c383e6a0a3f72e4be60888f2b3534842dabfc80146748c77d6dbf06cdb7cf3affa7c4a0e01fb078bd1c7305eaff9339fc
Score

10^/10

raccoon redline smokeloader build3 pro2 proliv13.09 backdoor discovery evasion infostealer persistence spyware stealer themida trojan vmprotect
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1