raccoon | f3ffa11b2e253229250bd92dfec5596bbe1e9da52a6fe714b6bf7beec3f342d4 | Triage

Sharing

General

Target

f3ffa11b2e253229250bd92dfec5596bbe1e9da52a6fe714b6bf7beec3f342d4
Size

145KB
Sample

210926-e8b9raeda9
MD5

05350a2957b6b3f28bd01cb318ed6bfe
SHA1

6f20e594d0c3ad1d1cc78e3fcf85c48148c0b0ff
SHA256

f3ffa11b2e253229250bd92dfec5596bbe1e9da52a6fe714b6bf7beec3f342d4
SHA512

91d5b21e664c49ee6d76cde359d6a37bff22a358fe5232a433736463583b21a06cd572df2fb35da78116dd8ded7619beba94b1ac600e7701628fd74123a20220

Score

10^/10

raccoon smokeloader 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 f6d7183c9e82d2a9b81e6c0608450aa66cefb51f backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

rc4.i32

Extracted

Family

raccoon

Botnet

f6d7183c9e82d2a9b81e6c0608450aa66cefb51f

Attributes

url4cnc
https://t.me/justoprostohello

rc4.plain

rc4.plain

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

rc4.plain

Targets

- Target
  
  f3ffa11b2e253229250bd92dfec5596bbe1e9da52a6fe714b6bf7beec3f342d4
- Size
  
  145KB
- MD5
  
  05350a2957b6b3f28bd01cb318ed6bfe
- SHA1
  
  6f20e594d0c3ad1d1cc78e3fcf85c48148c0b0ff
- SHA256
  
  f3ffa11b2e253229250bd92dfec5596bbe1e9da52a6fe714b6bf7beec3f342d4
- SHA512
  
  91d5b21e664c49ee6d76cde359d6a37bff22a358fe5232a433736463583b21a06cd572df2fb35da78116dd8ded7619beba94b1ac600e7701628fd74123a20220
Score

10^/10

raccoon smokeloader 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 f6d7183c9e82d2a9b81e6c0608450aa66cefb51f backdoor discovery spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

raccoonsmokeloader5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4f6d7183c9e82d2a9b81e6c0608450aa66cefb51fbackdoordiscoveryspywarestealertrojan