raccoon | 05752b79392b345726047b4144ff962d8b8aecc637b00356af4a4125469245fa | Triage

Sharing

General

Target

05752b79392b345726047b4144ff962d8b8aecc637b00356af4a4125469245fa
Size

334KB
Sample

211024-ry6rtsecc4
MD5

a37afed14e9637ff86b25721762d7ad6
SHA1

9a453519a049b33df972197ac0962500092f5123
SHA256

05752b79392b345726047b4144ff962d8b8aecc637b00356af4a4125469245fa
SHA512

59f10993e3fc87c92ebc766f892bddc50c93ac8f3213e3541b8be1e57d0638d28f463c302407805e48c8212ef3559a6d39b88c04a10d567fd10c5d499db6bd3e

Score

10^/10

raccoon redline smokeloader 7ebf9b416b72a203df65383eec899dc689d2c3d7 a4b1cb9c5c4d693cc9860fbe648999419f9d3d4f backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32

rc4.i32

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept

http://telegka.top/agrybirdsgamerept

http://telegin.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

rc4.plain

Extracted

Family

raccoon

Botnet

a4b1cb9c5c4d693cc9860fbe648999419f9d3d4f

Attributes

url4cnc
http://telegin.top/kaba4ello

http://ttmirror.top/kaba4ello

http://teletele.top/kaba4ello

http://telegalive.top/kaba4ello

http://toptelete.top/kaba4ello

http://telegraf.top/kaba4ello

https://t.me/kaba4ello

rc4.plain

rc4.plain

Targets

- Target
  
  05752b79392b345726047b4144ff962d8b8aecc637b00356af4a4125469245fa
- Size
  
  334KB
- MD5
  
  a37afed14e9637ff86b25721762d7ad6
- SHA1
  
  9a453519a049b33df972197ac0962500092f5123
- SHA256
  
  05752b79392b345726047b4144ff962d8b8aecc637b00356af4a4125469245fa
- SHA512
  
  59f10993e3fc87c92ebc766f892bddc50c93ac8f3213e3541b8be1e57d0638d28f463c302407805e48c8212ef3559a6d39b88c04a10d567fd10c5d499db6bd3e
Score

10^/10

raccoon redline smokeloader 7ebf9b416b72a203df65383eec899dc689d2c3d7 a4b1cb9c5c4d693cc9860fbe648999419f9d3d4f backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

raccoonredlinesmokeloader7ebf9b416b72a203df65383eec899dc689d2c3d7a4b1cb9c5c4d693cc9860fbe648999419f9d3d4fbackdoordiscoveryinfostealerspywarestealertrojan