raccoon | 3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334

General

Target

3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
Size

296KB
MD5

029b23741524418d56963e68daa9e5fe
SHA1

8ce91f140bde7c7f7461d06794dacc8a58730866
SHA256

3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334
SHA512

49da781a7c38c6761f6ee64ccfe7beb21d172ce8037e9fb78b80ccf56c82c2445547dda4b21031776670549af912227ded57d1868aab3faa83f7175bff4a8ff6

Score

10^/10

raccoon redline smokeloader 7ebf9b416b72a203df65383eec899dc689d2c3d7 md backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://honawey7.top/

http://wijibui0.top/

http://hefahei6.top/

http://pipevai4.top/

http://nalirou7.top/

rc4.i32

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

MD

C2

185.7.214.214:7778

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1836-139-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1836-140-0x000000000041B22A-mapping.dmp	family_redline
behavioral1/memory/1836-158-0x0000000005220000-0x0000000005826000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 508 created 4076 508 WerFault.exe FABD.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

F5AB.exeFABD.exeF5AB.exe

pid process

4492 F5AB.exe
4076 FABD.exe
1836 F5AB.exe
Deletes itself 1 IoCs

Processes:

pid process

2552
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	pid	process	target process
PID 508 created 4076	508	WerFault.exe	FABD.exe

pid	process
4492	F5AB.exe
4076	FABD.exe
1836	F5AB.exe

pid	process
2552

Suspicious use of SetThreadContext 2 IoCs

Processes:

3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exeF5AB.exe

description	pid	process	target process
PID 1572 set thread context of 3520	1572	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
PID 4492 set thread context of 1836	4492	F5AB.exe	F5AB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

508 4076 WerFault.exe FABD.exe

pid	pid_target	process	target process
508	4076	WerFault.exe	FABD.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe

pid	process
3520	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
3520	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552
2552

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2552
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe

pid process

3520 3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe

pid	process
2552

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

WerFault.exepowershell.exeF5AB.exe

description	pid	process
Token: SeRestorePrivilege	508	WerFault.exe
Token: SeBackupPrivilege	508	WerFault.exe
Token: SeDebugPrivilege	508	WerFault.exe
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeDebugPrivilege	1836	F5AB.exe
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552
Token: SeShutdownPrivilege	2552
Token: SeCreatePagefilePrivilege	2552

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exeF5AB.exe

description	pid	process	target process
PID 1572 wrote to memory of 3520	1572	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
PID 1572 wrote to memory of 3520	1572	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
PID 1572 wrote to memory of 3520	1572	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
PID 1572 wrote to memory of 3520	1572	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
PID 1572 wrote to memory of 3520	1572	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
PID 1572 wrote to memory of 3520	1572	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe	3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
PID 2552 wrote to memory of 4492	2552		F5AB.exe
PID 2552 wrote to memory of 4492	2552		F5AB.exe
PID 2552 wrote to memory of 4492	2552		F5AB.exe
PID 2552 wrote to memory of 4076	2552		FABD.exe
PID 2552 wrote to memory of 4076	2552		FABD.exe
PID 2552 wrote to memory of 4076	2552		FABD.exe
PID 4492 wrote to memory of 1640	4492	F5AB.exe	powershell.exe
PID 4492 wrote to memory of 1640	4492	F5AB.exe	powershell.exe
PID 4492 wrote to memory of 1640	4492	F5AB.exe	powershell.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe
PID 4492 wrote to memory of 1836	4492	F5AB.exe	F5AB.exe

C:\Users\Admin\AppData\Local\Temp\3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
"C:\Users\Admin\AppData\Local\Temp\3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe
"C:\Users\Admin\AppData\Local\Temp\3751405dca827971272b7682e18edf9309453fcc58fabb259d72db8712573334.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3520

C:\Users\Admin\AppData\Local\Temp\F5AB.exe
C:\Users\Admin\AppData\Local\Temp\F5AB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F5AB.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\F5AB.exe
"C:\Users\Admin\AppData\Local\Temp\F5AB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\FABD.exe
C:\Users\Admin\AppData\Local\Temp\FABD.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 916
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F5AB.exe.log
MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5AB.exe
MD5
0d64218b3e9ff3b7210e90687c9d2335

SHA1
a0270074d7d771423d752e24abb7c47d38d5fb1c

SHA256
c8f5bb3fd9b9d1a337dfafac993481c8bdbddf3e03f9719a703ebcf528eff298

SHA512
029aa2cfe4d76504fdcdacaedbf0f49c32ebb5f999db4483949b3e08052e4bece1725dcbbfa924c16c560fb2e6033229d9fed30329d8a94bfac2b39d03639a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5AB.exe
MD5
0d64218b3e9ff3b7210e90687c9d2335

SHA1
a0270074d7d771423d752e24abb7c47d38d5fb1c

SHA256
c8f5bb3fd9b9d1a337dfafac993481c8bdbddf3e03f9719a703ebcf528eff298

SHA512
029aa2cfe4d76504fdcdacaedbf0f49c32ebb5f999db4483949b3e08052e4bece1725dcbbfa924c16c560fb2e6033229d9fed30329d8a94bfac2b39d03639a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5AB.exe
MD5
0d64218b3e9ff3b7210e90687c9d2335

SHA1
a0270074d7d771423d752e24abb7c47d38d5fb1c

SHA256
c8f5bb3fd9b9d1a337dfafac993481c8bdbddf3e03f9719a703ebcf528eff298

SHA512
029aa2cfe4d76504fdcdacaedbf0f49c32ebb5f999db4483949b3e08052e4bece1725dcbbfa924c16c560fb2e6033229d9fed30329d8a94bfac2b39d03639a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\FABD.exe
MD5
3091087cfa019ac0c6ed7f58a93c270c

SHA1
782ab63778c0ec7ee3f0869d46a893f4381b6d71

SHA256
52a1f5d269ccfed83916860a38927557b6bc0b050877d34224ae2abe00708cab

SHA512
e62b1bde620736a19b9b3ca4e4c167aa53cc098d2f5a99749de995fdbfe445b74faf276419a379c7d91a9406d6a015f035d8983fde7305bd1f1a010beaa23b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\FABD.exe
MD5
3091087cfa019ac0c6ed7f58a93c270c

SHA1
782ab63778c0ec7ee3f0869d46a893f4381b6d71

SHA256
52a1f5d269ccfed83916860a38927557b6bc0b050877d34224ae2abe00708cab

SHA512
e62b1bde620736a19b9b3ca4e4c167aa53cc098d2f5a99749de995fdbfe445b74faf276419a379c7d91a9406d6a015f035d8983fde7305bd1f1a010beaa23b77

Download Submit
memory/1572-118-0x00000000018A0000-0x00000000018A9000-memory.dmp

Filesize
36KB

Download
memory/1572-115-0x00000000019F9000-0x0000000001A09000-memory.dmp

Filesize
64KB

Download
memory/1640-154-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/1640-157-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/1640-164-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1640-163-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/1640-161-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/1640-160-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/1640-147-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1640-178-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/1640-183-0x0000000009310000-0x0000000009311000-memory.dmp

Filesize
4KB

Download
memory/1640-171-0x0000000009130000-0x0000000009163000-memory.dmp

Filesize
204KB

Download
memory/1640-184-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/1640-156-0x0000000006DF2000-0x0000000006DF3000-memory.dmp

Filesize
4KB

Download
memory/1640-155-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/1640-152-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/1640-138-0x0000000000000000-mapping.dmp

Download
memory/1640-150-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/1640-149-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1640-185-0x000000007F140000-0x000000007F141000-memory.dmp

Filesize
4KB

Download
memory/1640-186-0x0000000006DF3000-0x0000000006DF4000-memory.dmp

Filesize
4KB

Download
memory/1640-145-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1836-159-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1836-146-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/1836-148-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1836-140-0x000000000041B22A-mapping.dmp

Download
memory/1836-151-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/1836-139-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1836-153-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1836-158-0x0000000005220000-0x0000000005826000-memory.dmp

Filesize
6.0MB

Download
memory/2552-119-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

Filesize
88KB

Download
memory/3520-117-0x0000000000402E86-mapping.dmp

Download
memory/3520-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4076-133-0x0000000001A88000-0x0000000001AD7000-memory.dmp

Filesize
316KB

Download
memory/4076-134-0x0000000003310000-0x000000000339E000-memory.dmp

Filesize
568KB

Download
memory/4076-129-0x0000000000000000-mapping.dmp

Download
memory/4076-135-0x0000000000400000-0x00000000016FB000-memory.dmp

Filesize
19.0MB

Download
memory/4492-132-0x0000000004D00000-0x0000000004D05000-memory.dmp

Filesize
20KB

Download
memory/4492-128-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

Filesize
5.0MB

Download
memory/4492-127-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4492-126-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4492-125-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4492-123-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/4492-120-0x0000000000000000-mapping.dmp

Download
memory/4492-136-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/4492-137-0x0000000006770000-0x00000000067AE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads