raccoon

Sharing

Copy URL

Twitter E-mail

General

Target

d8ba690a888d144be39d35edbb8c1b0b.exe
Size

402KB
Sample

211030-lk1qrsegb6
MD5

d8ba690a888d144be39d35edbb8c1b0b
SHA1

236d096f35b8fb375f0604b723016e34d3ed186f
SHA256

fdadaa29cddfdc73c668258fea6614be64a933dcfa19072a6342024985a0a68b
SHA512

98b42d6ddfc9bacf44f103ff1df0399c2985d63e8939f8641816b6042397bf44a721f991bb3e9a50ec67fa3d89182727af0cc2a51d3b201f83d6af177ba45c75

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

s0iw

http://www.kyiejenner.com/s0iw/

Decoy

ortopediamodelo.com

orimshirts.store

universecatholicweekly.info

yvettechan.com

sersaudavelsempre.online

face-booking.net

europeanretailgroup.com

umofan.com

roemahbajumuslim.online

joyrosecuisine.net

3dmaker.house

megdb.xyz

stereoshopie.info

gv5rm.com

tdc-trust.com

mcglobal.club

choral.works

onlineconsultantgroup.com

friscopaintandbody.com

midwestii.com

Extracted

Family

redline

Botnet

@kugurtilzt

185.215.113.79:41465

Extracted

Family

redline

Botnet

ddddd4

91.206.14.151:16764

Extracted

Family

vidar

Version

41.6

Botnet

937

https://mas.to/@lilocc

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar

http://ttmirror.top/capibar

http://teletele.top/capibar

http://telegalive.top/capibar

http://toptelete.top/capibar

http://telegraf.top/capibar

https://t.me/capibar

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Extracted

Family

vidar

Version

41.6

Botnet

933

https://mas.to/@lilocc

Attributes

profile_id
933

Targets

- Target
  
  d8ba690a888d144be39d35edbb8c1b0b.exe
- Size
  
  402KB
- MD5
  
  d8ba690a888d144be39d35edbb8c1b0b
- SHA1
  
  236d096f35b8fb375f0604b723016e34d3ed186f
- SHA256
  
  fdadaa29cddfdc73c668258fea6614be64a933dcfa19072a6342024985a0a68b
- SHA512
  
  98b42d6ddfc9bacf44f103ff1df0399c2985d63e8939f8641816b6042397bf44a721f991bb3e9a50ec67fa3d89182727af0cc2a51d3b201f83d6af177ba45c75
Score

10^/10

evasion spyware stealer trojan raccoon redline smokeloader socelars vidar xloader 8dec62c1db2959619dca43e02fa46ad7bd606400 933 937 @kugurtilzt ddddd4 s0iw backdoor discovery infostealer loader rat themida
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Nirsoft
- Vidar Stealer
  stealer
- Xloader Payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

Xloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Nirsoft

Vidar Stealer

Xloader Payload

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2