raccoon | c4ee4354d0917e030aca0a378b4d6baa2b148bc386536e006b55fd18cd8d27eb | Triage

Sharing

General

Target

c4ee4354d0917e030aca0a378b4d6baa2b148bc386536e006b55fd18cd8d27eb
Size

229KB
Sample

211108-ybat7sdab6
MD5

e17b6e94e25afa0d9f2916399d7be089
SHA1

34f8ae26ed3a92eea1958f3577f5b1f84807a837
SHA256

c4ee4354d0917e030aca0a378b4d6baa2b148bc386536e006b55fd18cd8d27eb
SHA512

5ed2e1c617797f78cf6c65a8f31fbf6f5f08103f23bce9168df5ac6920c4c4d3557c3d5c5e424edcb8a9fd3c82205ada0f58156e74685361233f750ed11974d6

Score

10^/10

raccoon smokeloader fcdc156d3872c18d25e3ee45499599b45e492a67 backdoor stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://misha.at/upload/

http://roohaniinfra.com/upload/

http://0axqpcc.cn/upload/

http://mayak-lombard.ru/upload/

http://mebel-lass.ru/upload/

http://dishakhan.com/upload/

rc4.i32

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fcdc156d3872c18d25e3ee45499599b45e492a67

Attributes

url4cnc
http://178.23.190.57/rino115sipsip
http://91.219.236.162/rino115sipsip
http://185.163.47.176/rino115sipsip
http://193.38.54.238/rino115sipsip
http://74.119.192.122/rino115sipsip
http://91.219.236.240/rino115sipsip
https://t.me/rino115sipsip

rc4.plain

rc4.plain

Targets

- Target
  
  c4ee4354d0917e030aca0a378b4d6baa2b148bc386536e006b55fd18cd8d27eb
- Size
  
  229KB
- MD5
  
  e17b6e94e25afa0d9f2916399d7be089
- SHA1
  
  34f8ae26ed3a92eea1958f3577f5b1f84807a837
- SHA256
  
  c4ee4354d0917e030aca0a378b4d6baa2b148bc386536e006b55fd18cd8d27eb
- SHA512
  
  5ed2e1c617797f78cf6c65a8f31fbf6f5f08103f23bce9168df5ac6920c4c4d3557c3d5c5e424edcb8a9fd3c82205ada0f58156e74685361233f750ed11974d6
Score

10^/10

raccoon smokeloader fcdc156d3872c18d25e3ee45499599b45e492a67 backdoor stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Drops startup file
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

raccoonsmokeloaderfcdc156d3872c18d25e3ee45499599b45e492a67backdoorstealertrojan