raccoon

General

Target

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a
Size

335KB
Sample

211024-mz5hyadgc9
MD5

1d747430b83501fef39cae62935452cb
SHA1

3f39d8c08b5d559eacdaea84ae67bea27a5692bb
SHA256

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a
SHA512

56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept

http://telegka.top/agrybirdsgamerept

http://telegin.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Targets

- Target
  
  4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a
- Size
  
  335KB
- MD5
  
  1d747430b83501fef39cae62935452cb
- SHA1
  
  3f39d8c08b5d559eacdaea84ae67bea27a5692bb
- SHA256
  
  4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a
- SHA512
  
  56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2
Score

10^/10

raccoon redline smokeloader 7ebf9b416b72a203df65383eec899dc689d2c3d7 backdoor discovery evasion infostealer persistence spyware stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1