raccoon

Sharing

Copy URL

Twitter E-mail

General

Target

66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17
Size

175KB
Sample

211012-pkgvfaccdl
MD5

b6ccbe38498d3243118d076fe793989e
SHA1

d52cccb6054172e93c752de847eb15ca30545068
SHA256

66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17
SHA512

6b6f89a2245e64385ca5612f592460c1e66b03a708d98f8dc08f7034167e1141c29d4b843e5fbfbc5e437b112d1e30797dfe8c504fc5ef8fafe71cb6f5a01139

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept

http://teleta.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

159

190.2.136.29:3279

Extracted

Family

raccoon

Version

1.8.2

Botnet

27d80aa27e80cd2ef63c638e2752e24242d1b37c

Attributes

url4cnc
http://telemirror.top/ararius809b

http://tgmirror.top/ararius809b

http://telegatt.top/ararius809b

http://telegka.top/ararius809b

http://telegin.top/ararius809b

https://t.me/ararius809b

rc4.plain

Extracted

Family

redline

Botnet

109.234.34.165:12323

Targets

- Target
  
  66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17
- Size
  
  175KB
- MD5
  
  b6ccbe38498d3243118d076fe793989e
- SHA1
  
  d52cccb6054172e93c752de847eb15ca30545068
- SHA256
  
  66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17
- SHA512
  
  6b6f89a2245e64385ca5612f592460c1e66b03a708d98f8dc08f7034167e1141c29d4b843e5fbfbc5e437b112d1e30797dfe8c504fc5ef8fafe71cb6f5a01139
Score

10^/10

raccoon redline servhelper smokeloader xmrig 159 27d80aa27e80cd2ef63c638e2752e24242d1b37c 8d179b9e611eee525425544ee8c6d77360ab7cd9 w1 backdoor discovery infostealer miner persistence spyware stealer suricata trojan upx vmprotect
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1