raccoon

General

Target

a5d0f5e9023afe30c7222f952dc0dc06.exe
Size

185KB
Sample

211027-bth7zaabbn
MD5

a5d0f5e9023afe30c7222f952dc0dc06
SHA1

a51e4b3640a39036947e17db520b313d74265ef9
SHA256

7e52d4da15fe2a58de032652081f0875c6edb3259033a50acccd288d3aa3d8dc
SHA512

461ec79b9418a2c8e992a69133273dcf51a6841300e03cb73bb6d12d2f20c5f5d3d7a74cfcde49ccf1f218d64185ba5c471c02c95244541ec4f752f853468609

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://gejajoo7.top/

http://sysaheu9.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

rc4.i32

Extracted

Family

vidar

Version

41.6

Botnet

754

C2

https://mas.to/@lilocc

Attributes

profile_id
754

Extracted

Family

redline

Botnet

11111

C2

93.115.20.139:28978

Extracted

Family

raccoon

Botnet

60e59be328fbd2ebac1839ea99411dccb00a6f49

Attributes

url4cnc
http://telegin.top/agrybirdsgamerept
http://ttmirror.top/agrybirdsgamerept
http://teletele.top/agrybirdsgamerept
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

dksajdlkj32lkj13211211

C2

84.38.189.175:18214

Targets

- Target
  
  a5d0f5e9023afe30c7222f952dc0dc06.exe
- Size
  
  185KB
- MD5
  
  a5d0f5e9023afe30c7222f952dc0dc06
- SHA1
  
  a51e4b3640a39036947e17db520b313d74265ef9
- SHA256
  
  7e52d4da15fe2a58de032652081f0875c6edb3259033a50acccd288d3aa3d8dc
- SHA512
  
  461ec79b9418a2c8e992a69133273dcf51a6841300e03cb73bb6d12d2f20c5f5d3d7a74cfcde49ccf1f218d64185ba5c471c02c95244541ec4f752f853468609
Score

10^/10

raccoon redline smokeloader vidar 11111 60e59be328fbd2ebac1839ea99411dccb00a6f49 754 backdoor discovery infostealer spyware stealer suricata trojan dksajdlkj32lkj13211211
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Known Sinkhole Response Header
  suricata: ET MALWARE Known Sinkhole Response Header
  suricata
- suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2