raccoon

Sharing

General

Target

dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600
Size

315KB
Sample

211113-1p2aesceej
MD5

b52c132e6000c854d16a83c40409977f
SHA1

c1d708eb3a35a3e0665d92c0a98ced9db2419923
SHA256

dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600
SHA512

c25f18574864afe84468a64a932df0aacdd3efe788f0ebda545153017c2af50ec75dfa64dbe683943e90ae48261c865cd35c24e16af37c0b2639798762ae2f48

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar

http://5.181.156.92/capibar

http://91.219.236.207/capibar

http://185.225.19.18/capibar

http://91.219.237.227/capibar

https://t.me/capibar

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

675718a5f2ce6d3cacf6cb04a512f5637eae995f

Attributes

url4cnc
http://91.219.236.27/agrybirdsgamerept

http://5.181.156.92/agrybirdsgamerept

http://91.219.236.207/agrybirdsgamerept

http://185.225.19.18/agrybirdsgamerept

http://91.219.237.227/agrybirdsgamerept

http://185.163.47.176/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

imbest

45.153.186.153:56675

Extracted

Family

redline

Botnet

stay clean

95.168.174.42:42482

Targets

- Target
  
  dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600
- Size
  
  315KB
- MD5
  
  b52c132e6000c854d16a83c40409977f
- SHA1
  
  c1d708eb3a35a3e0665d92c0a98ced9db2419923
- SHA256
  
  dcba7c36b83b569d84f0e71207ccffd26aa6b9d9befb00279887f761ac76f600
- SHA512
  
  c25f18574864afe84468a64a932df0aacdd3efe788f0ebda545153017c2af50ec75dfa64dbe683943e90ae48261c865cd35c24e16af37c0b2639798762ae2f48
Score

10^/10

raccoon redline smokeloader vkeylogger 675718a5f2ce6d3cacf6cb04a512f5637eae995f ddf183af4241e3172885cf1b2c4c1fb4ee03d05a imbest stay clean superstar backdoor collection discovery infostealer keylogger persistence spyware stealer suricata trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- VKeylogger
  A keylogger first seen in Nov 2020.
  stealer keylogger vkeylogger
- VKeylogger Payload
- suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
  suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1