raccoon

General

Target

fe19ca0e7a58af76deaf8136a332980d.exe
Size

260KB
Sample

211004-tfnjmsgfa4
MD5

fe19ca0e7a58af76deaf8136a332980d
SHA1

eb2db73c1d1a491c40b117c2cebda8487459d069
SHA256

a6e58febc0ae0db669343c61e926780b5c6c121aff886c8d5401ac5740025c45
SHA512

5450eebfa571e2b32b7a9f587cc2fbec9fdb9f0bd71591d34126e3e09015180afb4789d830fd2359a252578ef5963ae15e673e28905cb2bd0acb02b334726696

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/

rc4.i32

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

Huntington Bank

C2

34.94.44.44:45181

Extracted

Family

redline

Botnet

@big_tastyyy

C2

87.251.71.44:80

Extracted

Family

raccoon

Botnet

61491ed5436f034714f70beac9b11914bfa969d2

Attributes

url4cnc
https://t.me/hdmiprapor

rc4.plain

Targets

- Target
  
  fe19ca0e7a58af76deaf8136a332980d.exe
- Size
  
  260KB
- MD5
  
  fe19ca0e7a58af76deaf8136a332980d
- SHA1
  
  eb2db73c1d1a491c40b117c2cebda8487459d069
- SHA256
  
  a6e58febc0ae0db669343c61e926780b5c6c121aff886c8d5401ac5740025c45
- SHA512
  
  5450eebfa571e2b32b7a9f587cc2fbec9fdb9f0bd71591d34126e3e09015180afb4789d830fd2359a252578ef5963ae15e673e28905cb2bd0acb02b334726696
Score

10^/10

raccoon redline smokeloader 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 @big_tastyyy huntington bank backdoor discovery infostealer spyware stealer trojan 61491ed5436f034714f70beac9b11914bfa969d2
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

RedLine

RedLine Payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2