raccoon | a6e58febc0ae0db669343c61e926780b5c6c121aff886c8d5401ac5740025c45

General

Target

fe19ca0e7a58af76deaf8136a332980d.exe
Size

260KB
MD5

fe19ca0e7a58af76deaf8136a332980d
SHA1

eb2db73c1d1a491c40b117c2cebda8487459d069
SHA256

a6e58febc0ae0db669343c61e926780b5c6c121aff886c8d5401ac5740025c45
SHA512

5450eebfa571e2b32b7a9f587cc2fbec9fdb9f0bd71591d34126e3e09015180afb4789d830fd2359a252578ef5963ae15e673e28905cb2bd0acb02b334726696

Score

10^/10

raccoon redline smokeloader 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 @big_tastyyy huntington bank backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/

rc4.i32

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

Huntington Bank

C2

34.94.44.44:45181

Extracted

Family

redline

Botnet

@big_tastyyy

C2

87.251.71.44:80

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2DF4.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\2DF4.exe	family_redline
behavioral1/memory/1228-78-0x00000000020D0000-0x000000000210C000-memory.dmp	family_redline
behavioral1/memory/1228-79-0x0000000002220000-0x000000000225A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

2193.exe25B9.exe2DF4.exe3130.exe

pid process

544 2193.exe
1920 25B9.exe
708 2DF4.exe
1228 3130.exe
Deletes itself 1 IoCs

Processes:

pid process

1388
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

fe19ca0e7a58af76deaf8136a332980d.exe

description pid process target process

PID 2040 set thread context of 1456 2040 fe19ca0e7a58af76deaf8136a332980d.exe fe19ca0e7a58af76deaf8136a332980d.exe

pid	process
544	2193.exe
1920	25B9.exe
708	2DF4.exe
1228	3130.exe

pid	process
1388

description	pid	process	target process
PID 2040 set thread context of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fe19ca0e7a58af76deaf8136a332980d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe19ca0e7a58af76deaf8136a332980d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe19ca0e7a58af76deaf8136a332980d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fe19ca0e7a58af76deaf8136a332980d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fe19ca0e7a58af76deaf8136a332980d.exe

pid	process
1456	fe19ca0e7a58af76deaf8136a332980d.exe
1456	fe19ca0e7a58af76deaf8136a332980d.exe
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1388
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fe19ca0e7a58af76deaf8136a332980d.exe

pid process

1456 fe19ca0e7a58af76deaf8136a332980d.exe

pid	process
1388

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

3130.exe25B9.exe

description	pid	process
Token: SeShutdownPrivilege	1388
Token: SeShutdownPrivilege	1388
Token: SeShutdownPrivilege	1388
Token: SeShutdownPrivilege	1388
Token: SeDebugPrivilege	1228	3130.exe
Token: SeShutdownPrivilege	1388
Token: SeDebugPrivilege	1920	25B9.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1388
1388
1388
1388
1388
1388
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1388
1388
1388
1388
1388
1388

pid	process
1388
1388
1388
1388
1388
1388

pid	process
1388
1388
1388
1388
1388
1388

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

fe19ca0e7a58af76deaf8136a332980d.exe

description	pid	process	target process
PID 2040 wrote to memory of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe
PID 2040 wrote to memory of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe
PID 2040 wrote to memory of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe
PID 2040 wrote to memory of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe
PID 2040 wrote to memory of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe
PID 2040 wrote to memory of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe
PID 2040 wrote to memory of 1456	2040	fe19ca0e7a58af76deaf8136a332980d.exe	fe19ca0e7a58af76deaf8136a332980d.exe
PID 1388 wrote to memory of 544	1388		2193.exe
PID 1388 wrote to memory of 544	1388		2193.exe
PID 1388 wrote to memory of 544	1388		2193.exe
PID 1388 wrote to memory of 544	1388		2193.exe
PID 1388 wrote to memory of 1920	1388		25B9.exe
PID 1388 wrote to memory of 1920	1388		25B9.exe
PID 1388 wrote to memory of 1920	1388		25B9.exe
PID 1388 wrote to memory of 1920	1388		25B9.exe
PID 1388 wrote to memory of 1920	1388		25B9.exe
PID 1388 wrote to memory of 1920	1388		25B9.exe
PID 1388 wrote to memory of 1920	1388		25B9.exe
PID 1388 wrote to memory of 708	1388		2DF4.exe
PID 1388 wrote to memory of 708	1388		2DF4.exe
PID 1388 wrote to memory of 708	1388		2DF4.exe
PID 1388 wrote to memory of 708	1388		2DF4.exe
PID 1388 wrote to memory of 1228	1388		3130.exe
PID 1388 wrote to memory of 1228	1388		3130.exe
PID 1388 wrote to memory of 1228	1388		3130.exe
PID 1388 wrote to memory of 1228	1388		3130.exe

C:\Users\Admin\AppData\Local\Temp\fe19ca0e7a58af76deaf8136a332980d.exe
"C:\Users\Admin\AppData\Local\Temp\fe19ca0e7a58af76deaf8136a332980d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\fe19ca0e7a58af76deaf8136a332980d.exe
"C:\Users\Admin\AppData\Local\Temp\fe19ca0e7a58af76deaf8136a332980d.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1456

C:\Users\Admin\AppData\Local\Temp\2193.exe
C:\Users\Admin\AppData\Local\Temp\2193.exe
1⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\AppData\Local\Temp\25B9.exe
C:\Users\Admin\AppData\Local\Temp\25B9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\Temp\2DF4.exe
C:\Users\Admin\AppData\Local\Temp\2DF4.exe
1⤵
- Executes dropped EXE
PID:708

C:\Users\Admin\AppData\Local\Temp\3130.exe
C:\Users\Admin\AppData\Local\Temp\3130.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2193.exe
MD5
c4c3ea5a3d2d9b3183dc1273e3fba3cd

SHA1
dc04262a72c72551ecd20c7e34835df1a7667eaf

SHA256
628d96ad8e61df81aea0f6931e7daaa39ee860051bb15e9721ded124e943dd26

SHA512
053265c978d7cb713680fc287d331f477cfd49797c3855df9dd588ffd88942c1556302fcce78857f1a101f94a2d5fd5dd14268672ec6db67a1ef86289bb74768

Download Submit
C:\Users\Admin\AppData\Local\Temp\25B9.exe
MD5
2a107ba697e9cd191d6c5eac0c08fcc4

SHA1
0f889386260b97c45dcf54ae26bcc825e372607a

SHA256
84c44ba7d14f690096b2b485e6670ec161343506a07200b5ce63843e325b6ef5

SHA512
0ade0c0120a1d7feb7cbddbf0c9a4796ba14bd9c3a7464c745b9361cbd1427d29b76610177428ce9ef9257275fbcbb514f6aaa1983a2a19c6aa29639bda9f98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\25B9.exe
MD5
2a107ba697e9cd191d6c5eac0c08fcc4

SHA1
0f889386260b97c45dcf54ae26bcc825e372607a

SHA256
84c44ba7d14f690096b2b485e6670ec161343506a07200b5ce63843e325b6ef5

SHA512
0ade0c0120a1d7feb7cbddbf0c9a4796ba14bd9c3a7464c745b9361cbd1427d29b76610177428ce9ef9257275fbcbb514f6aaa1983a2a19c6aa29639bda9f98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DF4.exe
MD5
6423bf887fb8fdbaa1906bba11683f08

SHA1
58af34f6f7404da5fe62f6773d604b7f4621ac44

SHA256
408a055e76c71a7d5ae8a26127dbaffc51e06962972e03b13d1edea139e941d5

SHA512
bfd90454348e5c62949e32e8a129307fe92f62d53814ae74efdb55ba9fd57e3c30d188386571fda403918077fec84d970cfacdff968d532c404bd39bbb2ffe76

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DF4.exe
MD5
6423bf887fb8fdbaa1906bba11683f08

SHA1
58af34f6f7404da5fe62f6773d604b7f4621ac44

SHA256
408a055e76c71a7d5ae8a26127dbaffc51e06962972e03b13d1edea139e941d5

SHA512
bfd90454348e5c62949e32e8a129307fe92f62d53814ae74efdb55ba9fd57e3c30d188386571fda403918077fec84d970cfacdff968d532c404bd39bbb2ffe76

Download Submit
C:\Users\Admin\AppData\Local\Temp\3130.exe
MD5
2037a37285ac47a43e410b1d5ef2c45e

SHA1
4634ff6f17e970fa7ba0ef362d0a741dc9dc0fa4

SHA256
8fa6934bf0adfebfde78f07fb9fe6de618f83be344f445cd10d4e8f14df10ccc

SHA512
fb9840f2478747e8e70b79de648d4b948c6e6d11eb69878b80e79982c648c998f1ab636c3368d75b087d206e54ee9980878e6cf2e19f2a4e74d8a7f026ce0df1

Download Submit
memory/544-68-0x0000000000520000-0x00000000005B0000-memory.dmp

Filesize
576KB

Download
memory/544-59-0x0000000000000000-mapping.dmp

Download
memory/544-69-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/708-77-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/708-73-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/708-70-0x0000000000000000-mapping.dmp

Download
memory/1228-80-0x0000000000220000-0x0000000000275000-memory.dmp

Filesize
340KB

Download
memory/1228-85-0x0000000004984000-0x0000000004986000-memory.dmp

Filesize
8KB

Download
memory/1228-82-0x0000000004981000-0x0000000004982000-memory.dmp

Filesize
4KB

Download
memory/1228-83-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/1228-84-0x0000000004983000-0x0000000004984000-memory.dmp

Filesize
4KB

Download
memory/1228-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1228-75-0x0000000000000000-mapping.dmp

Download
memory/1228-79-0x0000000002220000-0x000000000225A000-memory.dmp

Filesize
232KB

Download
memory/1228-78-0x00000000020D0000-0x000000000210C000-memory.dmp

Filesize
240KB

Download
memory/1388-58-0x00000000021C0000-0x00000000021D5000-memory.dmp

Filesize
84KB

Download
memory/1388-87-0x000007FEF5620000-0x000007FEF5763000-memory.dmp

Filesize
1.3MB

Download
memory/1388-88-0x000007FE988C0000-0x000007FE988CA000-memory.dmp

Filesize
40KB

Download
memory/1456-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1456-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1456-55-0x0000000000402F18-mapping.dmp

Download
memory/1920-61-0x0000000000000000-mapping.dmp

Download
memory/1920-66-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1920-64-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1920-86-0x0000000002470000-0x0000000002505000-memory.dmp

Filesize
596KB

Download
memory/2040-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads