raccoon

Sharing

General

Target

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e
Size

175KB
Sample

211012-wca59achb2
MD5

741f960ae2f91ba7b632f472e1995d63
SHA1

afbd300aa5566ca3fa5ea56a5a236f5ec91cd5c3
SHA256

f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e
SHA512

2da69da4ee0f1627705b272dbe6d2599afa52ad0d87e0172cf832625a77ee9d7a899addab3925645b92cfd642d9a9d5dac8a69a200ebe0b2380cd7cb75cf90f7

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

676b1a32c7d2ce2aba84e8823871900d67e00049

Attributes

url4cnc
http://telemirror.top/kaba4ello

http://tgmirror.top/kaba4ello

http://telegatt.top/kaba4ello

http://telegka.top/kaba4ello

http://telegin.top/kaba4ello

https://t.me/kaba4ello

rc4.plain

Extracted

Family

redline

Botnet

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes

url4cnc
http://teletop.top/agrybirdsgamerept

http://teleta.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

MegaProliv

93.115.20.139:28978

Extracted

Family

redline

Botnet

Newpro

139.99.118.252:12517

Targets

- Target
  
  f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e
- Size
  
  175KB
- MD5
  
  741f960ae2f91ba7b632f472e1995d63
- SHA1
  
  afbd300aa5566ca3fa5ea56a5a236f5ec91cd5c3
- SHA256
  
  f901f95b307d303778cafcb4b3158b8e4afd6b001c55461165fb55bd0c1fc29e
- SHA512
  
  2da69da4ee0f1627705b272dbe6d2599afa52ad0d87e0172cf832625a77ee9d7a899addab3925645b92cfd642d9a9d5dac8a69a200ebe0b2380cd7cb75cf90f7
Score

10^/10

raccoon redline servhelper smokeloader xmrig 676b1a32c7d2ce2aba84e8823871900d67e00049 8d179b9e611eee525425544ee8c6d77360ab7cd9 megaproliv newpro w1 backdoor collection discovery infostealer miner persistence spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1