raccoon

Resubmissions

09-10-2021 06:02

211009-grepnafad7 10

08-10-2021 19:47

211008-yhw11segg5 10

08-10-2021 19:00

211008-xnq7aaegf2 10

Sharing

Copy URL

Twitter E-mail

General

Target

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3
Size

166KB
Sample

211008-yhw11segg5
MD5

38662eca83bf7fff531b9bdc43f8ed52
SHA1

1426c264bd6067cc8f5a76ac10182c380a18eb5b
SHA256

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3
SHA512

4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe10.top/

http://xandelissane20.top/

http://ustiassosale30.top/

http://cytheriata40.top/

http://ggiergionard50.top/

rc4.i32

Extracted

Family

redline

Botnet

777

93.115.20.139:28978

Extracted

Family

tofsee

defeatwax.ru

refabyd.info

Extracted

Family

vidar

Version

41.2

Botnet

1033

https://mas.to/@serg4325

Attributes

profile_id
1033

Extracted

Family

raccoon

Version

1.8.2

Botnet

2ea41939378a473cbe7002fd507389778c0f10e7

Attributes

url4cnc
http://teletop.top/stevuitreen

http://teleta.top/stevuitreen

https://t.me/stevuitreen

rc4.plain

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept

http://teleta.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

MIX7

185.237.165.181:58506

Extracted

Family

raccoon

Version

1.8.2

Botnet

c95bfeb977df680e3fb35c1ce322d091ffdbaf92

Attributes

url4cnc
http://teletop.top/vvhotsummer

http://teleta.top/vvhotsummer

https://t.me/vvhotsummer

rc4.plain

Extracted

Family

redline

Botnet

boca

144.217.17.184:14487

Extracted

Family

raccoon

Version

1.8.2

Botnet

abfad7c62cd5a3265b1fe027d0e343e1003b8e8c

Attributes

url4cnc
http://teletop.top/dodgeneontwinturbo

http://teleta.top/dodgeneontwinturbo

https://t.me/dodgeneontwinturbo

rc4.plain

Targets

- Target
  
  211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3
- Size
  
  166KB
- MD5
  
  38662eca83bf7fff531b9bdc43f8ed52
- SHA1
  
  1426c264bd6067cc8f5a76ac10182c380a18eb5b
- SHA256
  
  211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3
- SHA512
  
  4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e
Score

10^/10

raccoon redline smokeloader tofsee vidar xmrig 1033 2ea41939378a473cbe7002fd507389778c0f10e7 777 8d179b9e611eee525425544ee8c6d77360ab7cd9 mix7 backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan vmprotect boca c95bfeb977df680e3fb35c1ce322d091ffdbaf92 abfad7c62cd5a3265b1fe027d0e343e1003b8e8c collection
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Registers COM server for autorun
  persistence
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

RedLine

RedLine Payload

Registers COM server for autorun

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Tofsee

Vidar

Windows security bypass

xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

XMRig Miner Payload

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

VMProtect packed file

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8