raccoon

General

Target

f22d4a1729b3e55190d224087c7569623012ca99978b01e3649714bf71b2ec04
Size

166KB
Sample

211008-17y8saehb9
MD5

255c697e144c7fe1471f1564da42c959
SHA1

1741b74c88aeb8bee82ff4c4ae227340aba33c80
SHA256

f22d4a1729b3e55190d224087c7569623012ca99978b01e3649714bf71b2ec04
SHA512

1fbb9e6425712df6c795d2bfdd934c221ef5e63da681d2032f423549c09895ccc0847b052c1f6c0756f2881069342965d738012aac3db188b3a8a201c0ad4cc7

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fazanaharahe10.top/

http://xandelissane20.top/

http://ustiassosale30.top/

http://cytheriata40.top/

http://ggiergionard50.top/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

dfb936558dbffed9bca02e41d7a111295cf4a71e

Attributes

url4cnc
http://teletop.top/rocketmanthem2

http://teleta.top/rocketmanthem2

https://t.me/rocketmanthem2

rc4.plain

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept

http://teleta.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Targets

- Target
  
  f22d4a1729b3e55190d224087c7569623012ca99978b01e3649714bf71b2ec04
- Size
  
  166KB
- MD5
  
  255c697e144c7fe1471f1564da42c959
- SHA1
  
  1741b74c88aeb8bee82ff4c4ae227340aba33c80
- SHA256
  
  f22d4a1729b3e55190d224087c7569623012ca99978b01e3649714bf71b2ec04
- SHA512
  
  1fbb9e6425712df6c795d2bfdd934c221ef5e63da681d2032f423549c09895ccc0847b052c1f6c0756f2881069342965d738012aac3db188b3a8a201c0ad4cc7
Score

10^/10

raccoon servhelper smokeloader xmrig 8d179b9e611eee525425544ee8c6d77360ab7cd9 dfb936558dbffed9bca02e41d7a111295cf4a71e backdoor collection discovery evasion miner persistence spyware stealer themida trojan
- Modifies WinLogon for persistence
  persistence
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Sets DLL path for service in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1