raccoon

General

Target

22c4ade2ee72ea363563416dbb0b28f0.exe
Size

259KB
Sample

211019-sy8f4ahael
MD5

22c4ade2ee72ea363563416dbb0b28f0
SHA1

b390af965c6917e886d62b882d1725d3a4ff39af
SHA256

22b13294437f3dc3266f4517bf126e7f3b84d96c05f299f41a59887f7710338c
SHA512

a7b2f134dad8cfe355c65bef6c9c22bab6d989f1eef1637ec6be71b51df705ee445139503cdf97f0b50076550e90336620a031c2925a11c642a18c34fd87d4f1

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

41060006b048ab05e30c36a645c3317ac285b336

Attributes

url4cnc
http://telegatt.top/agre4fanfinal

http://telegka.top/agre4fanfinal

http://telegin.top/agre4fanfinal

https://t.me/agre4fanfinal

rc4.plain

Extracted

Family

redline

Botnet

znigalsz

C2

176.9.244.86:23637

Targets

- Target
  
  22c4ade2ee72ea363563416dbb0b28f0.exe
- Size
  
  259KB
- MD5
  
  22c4ade2ee72ea363563416dbb0b28f0
- SHA1
  
  b390af965c6917e886d62b882d1725d3a4ff39af
- SHA256
  
  22b13294437f3dc3266f4517bf126e7f3b84d96c05f299f41a59887f7710338c
- SHA512
  
  a7b2f134dad8cfe355c65bef6c9c22bab6d989f1eef1637ec6be71b51df705ee445139503cdf97f0b50076550e90336620a031c2925a11c642a18c34fd87d4f1
Score

10^/10

raccoon redline servhelper smokeloader 41060006b048ab05e30c36a645c3317ac285b336 znigalsz backdoor discovery exploit infostealer persistence spyware stealer suricata trojan upx
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata: ET MALWARE ServHelper CnC Inital Checkin
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2