raccoon

General

Target

03a4932af6d40c11c035ef925dc60146e91ece85.exe
Size

4.8MB
Sample

210927-xqt1yshgg5
MD5

02892518516aed817405e4e67aef72b2
SHA1

03a4932af6d40c11c035ef925dc60146e91ece85
SHA256

f1bf61e5d7a48ad3925a1ec20249e756d65b34a2e69170812911009c6b4e28ab
SHA512

ca87bf8c42a0c3ff24f8c32a652b7531a3ba71b127447d6d344d9b6442bbf130b799f078c26cc63d515841471d1e063470aa8c7715b75d5594f9afdbda3acc26

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

UTS

C2

45.9.20.20:13441

Extracted

Family

redline

Botnet

oliver2109

C2

213.166.69.181:64650

Extracted

Family

raccoon

Botnet

513afceb3ed9a86ffb793952fba858cf607694c5

Attributes

url4cnc
https://t.me/hellobyegain

rc4.plain

Extracted

Family

redline

Botnet

mix27.09

C2

185.215.113.15:6043

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.top/welcome

Targets

- Target
  
  03a4932af6d40c11c035ef925dc60146e91ece85.exe
- Size
  
  4.8MB
- MD5
  
  02892518516aed817405e4e67aef72b2
- SHA1
  
  03a4932af6d40c11c035ef925dc60146e91ece85
- SHA256
  
  f1bf61e5d7a48ad3925a1ec20249e756d65b34a2e69170812911009c6b4e28ab
- SHA512
  
  ca87bf8c42a0c3ff24f8c32a652b7531a3ba71b127447d6d344d9b6442bbf130b799f078c26cc63d515841471d1e063470aa8c7715b75d5594f9afdbda3acc26
Score

10^/10

raccoon redline vidar xmrig 513afceb3ed9a86ffb793952fba858cf607694c5 mix27.09 oliver2109 uts discovery evasion infostealer miner spyware stealer themida trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- XMRig Miner Payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2