raccoon | 5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b

Analysis

max time kernel
153s
max time network
153s
platform
windows7_x64
resource
win7-en-20211104
submitted
16-11-2021 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739b497fa91e90193c649338ca8fcbce.exe
Size

326KB
MD5

739b497fa91e90193c649338ca8fcbce
SHA1

faba0ec2f6e2190be027015f2eae23b55525250c
SHA256

5241bfe2b10e10c08c3ed731298b27dfd708be81460ad281dab3e6987e41712b
SHA512

93d75e63e3ab18a640b3313babf52ad5b8db01c505d72e74a3e56cb4303564f11338df84f575db2a87d8d4d4ad9c2d88dbfaa2fcce2fb0e76f267fed703b9245

Score

10^/10

raccoon redline smokeloader ddf183af4241e3172885cf1b2c4c1fb4ee03d05a backdoor infostealer stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-91-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1700-92-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1700-95-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1700-96-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/1700-99-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

BC4D.exeBC4D.exeD6B1.exeE236.exeD6B1.exeFBDF.exeD6B1.exe

pid process

776 BC4D.exe
940 BC4D.exe
1860 D6B1.exe
1816 E236.exe
1968 D6B1.exe
596 FBDF.exe
1700 D6B1.exe
Deletes itself 1 IoCs

Processes:

pid process

1360
Loads dropped DLL 3 IoCs

Processes:

BC4D.exeD6B1.exe

pid process

776 BC4D.exe
1860 D6B1.exe
1860 D6B1.exe

pid	process
776	BC4D.exe
940	BC4D.exe
1860	D6B1.exe
1816	E236.exe
1968	D6B1.exe
596	FBDF.exe
1700	D6B1.exe

pid	process
1360

pid	process
776	BC4D.exe
1860	D6B1.exe
1860	D6B1.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

739b497fa91e90193c649338ca8fcbce.exeBC4D.exeD6B1.exe

description	pid	process	target process
PID 1196 set thread context of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 776 set thread context of 940	776	BC4D.exe	BC4D.exe
PID 1860 set thread context of 1700	1860	D6B1.exe	D6B1.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

739b497fa91e90193c649338ca8fcbce.exeBC4D.exeE236.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	739b497fa91e90193c649338ca8fcbce.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BC4D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BC4D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E236.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E236.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	739b497fa91e90193c649338ca8fcbce.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	739b497fa91e90193c649338ca8fcbce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BC4D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E236.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

739b497fa91e90193c649338ca8fcbce.exe

pid	process
668	739b497fa91e90193c649338ca8fcbce.exe
668	739b497fa91e90193c649338ca8fcbce.exe
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1360
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

739b497fa91e90193c649338ca8fcbce.exeBC4D.exeE236.exe

pid process

668 739b497fa91e90193c649338ca8fcbce.exe
940 BC4D.exe
1816 E236.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1360
Token: SeShutdownPrivilege 1360
Token: SeShutdownPrivilege 1360
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1360
1360
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1360
1360

pid	process
1360

description	pid	process
Token: SeShutdownPrivilege	1360
Token: SeShutdownPrivilege	1360
Token: SeShutdownPrivilege	1360

pid	process
1360
1360

pid	process
1360
1360

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

739b497fa91e90193c649338ca8fcbce.exeBC4D.exeD6B1.exe

description	pid	process	target process
PID 1196 wrote to memory of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 1196 wrote to memory of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 1196 wrote to memory of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 1196 wrote to memory of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 1196 wrote to memory of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 1196 wrote to memory of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 1196 wrote to memory of 668	1196	739b497fa91e90193c649338ca8fcbce.exe	739b497fa91e90193c649338ca8fcbce.exe
PID 1360 wrote to memory of 776	1360		BC4D.exe
PID 1360 wrote to memory of 776	1360		BC4D.exe
PID 1360 wrote to memory of 776	1360		BC4D.exe
PID 1360 wrote to memory of 776	1360		BC4D.exe
PID 776 wrote to memory of 940	776	BC4D.exe	BC4D.exe
PID 776 wrote to memory of 940	776	BC4D.exe	BC4D.exe
PID 776 wrote to memory of 940	776	BC4D.exe	BC4D.exe
PID 776 wrote to memory of 940	776	BC4D.exe	BC4D.exe
PID 776 wrote to memory of 940	776	BC4D.exe	BC4D.exe
PID 776 wrote to memory of 940	776	BC4D.exe	BC4D.exe
PID 776 wrote to memory of 940	776	BC4D.exe	BC4D.exe
PID 1360 wrote to memory of 1860	1360		D6B1.exe
PID 1360 wrote to memory of 1860	1360		D6B1.exe
PID 1360 wrote to memory of 1860	1360		D6B1.exe
PID 1360 wrote to memory of 1860	1360		D6B1.exe
PID 1360 wrote to memory of 1816	1360		E236.exe
PID 1360 wrote to memory of 1816	1360		E236.exe
PID 1360 wrote to memory of 1816	1360		E236.exe
PID 1360 wrote to memory of 1816	1360		E236.exe
PID 1860 wrote to memory of 1968	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1968	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1968	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1968	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1360 wrote to memory of 596	1360		FBDF.exe
PID 1360 wrote to memory of 596	1360		FBDF.exe
PID 1360 wrote to memory of 596	1360		FBDF.exe
PID 1360 wrote to memory of 596	1360		FBDF.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe
PID 1860 wrote to memory of 1700	1860	D6B1.exe	D6B1.exe

C:\Users\Admin\AppData\Local\Temp\739b497fa91e90193c649338ca8fcbce.exe
"C:\Users\Admin\AppData\Local\Temp\739b497fa91e90193c649338ca8fcbce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\739b497fa91e90193c649338ca8fcbce.exe
"C:\Users\Admin\AppData\Local\Temp\739b497fa91e90193c649338ca8fcbce.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:668

C:\Users\Admin\AppData\Local\Temp\BC4D.exe
C:\Users\Admin\AppData\Local\Temp\BC4D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\BC4D.exe
C:\Users\Admin\AppData\Local\Temp\BC4D.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:940

C:\Users\Admin\AppData\Local\Temp\D6B1.exe
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\D6B1.exe
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\D6B1.exe
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Local\Temp\E236.exe
C:\Users\Admin\AppData\Local\Temp\E236.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1816

C:\Users\Admin\AppData\Local\Temp\FBDF.exe
C:\Users\Admin\AppData\Local\Temp\FBDF.exe
1⤵
- Executes dropped EXE
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BC4D.exe
MD5
48fd8f05e5a677b58426c5dab5d08eff

SHA1
df8bd201bbdb28c82fe39add3cc7b1dd4bd44bcf

SHA256
c8979e45772f27f483fb243c184d03736d13db281df31082f24c7eac22ec4848

SHA512
81ab18c9994d94ba2ff5f9edaeaeb284d0017ac649fd9d6190f68ac5bd28b8bbc51dc77e016b49f126dd8a5069e85a563b7dba10b71a48ae8a62a68585653d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4D.exe
MD5
48fd8f05e5a677b58426c5dab5d08eff

SHA1
df8bd201bbdb28c82fe39add3cc7b1dd4bd44bcf

SHA256
c8979e45772f27f483fb243c184d03736d13db281df31082f24c7eac22ec4848

SHA512
81ab18c9994d94ba2ff5f9edaeaeb284d0017ac649fd9d6190f68ac5bd28b8bbc51dc77e016b49f126dd8a5069e85a563b7dba10b71a48ae8a62a68585653d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC4D.exe
MD5
48fd8f05e5a677b58426c5dab5d08eff

SHA1
df8bd201bbdb28c82fe39add3cc7b1dd4bd44bcf

SHA256
c8979e45772f27f483fb243c184d03736d13db281df31082f24c7eac22ec4848

SHA512
81ab18c9994d94ba2ff5f9edaeaeb284d0017ac649fd9d6190f68ac5bd28b8bbc51dc77e016b49f126dd8a5069e85a563b7dba10b71a48ae8a62a68585653d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\E236.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBDF.exe
MD5
8f79110737dc06d512478b5f7d8d5c2b

SHA1
6c1cb2cb48d77ec4bb4e500f0fa7ab873d35e063

SHA256
bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11

SHA512
efc3b733905b6266d17c33ef8e091307ea6afcef2d1f292431ffc6701eb07d49197512d24d583f82781f9eccad4084c808ce547e82deaec28f1adac8251836e6

Download Submit
\Users\Admin\AppData\Local\Temp\BC4D.exe
MD5
48fd8f05e5a677b58426c5dab5d08eff

SHA1
df8bd201bbdb28c82fe39add3cc7b1dd4bd44bcf

SHA256
c8979e45772f27f483fb243c184d03736d13db281df31082f24c7eac22ec4848

SHA512
81ab18c9994d94ba2ff5f9edaeaeb284d0017ac649fd9d6190f68ac5bd28b8bbc51dc77e016b49f126dd8a5069e85a563b7dba10b71a48ae8a62a68585653d32

Download Submit
\Users\Admin\AppData\Local\Temp\D6B1.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
\Users\Admin\AppData\Local\Temp\D6B1.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
memory/596-94-0x0000000000220000-0x000000000026F000-memory.dmp

Filesize
316KB

Download
memory/596-86-0x0000000000000000-mapping.dmp

Download
memory/596-101-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/596-97-0x0000000000310000-0x000000000039F000-memory.dmp

Filesize
572KB

Download
memory/668-57-0x0000000000402DD8-mapping.dmp

Download
memory/668-58-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/668-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/776-63-0x00000000024DB000-0x00000000024EC000-memory.dmp

Filesize
68KB

Download
memory/776-61-0x0000000000000000-mapping.dmp

Download
memory/940-67-0x0000000000402DD8-mapping.dmp

Download
memory/1196-59-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1196-55-0x000000000250B000-0x000000000251C000-memory.dmp

Filesize
68KB

Download
memory/1360-88-0x0000000004830000-0x0000000004846000-memory.dmp

Filesize
88KB

Download
memory/1360-78-0x00000000041E0000-0x00000000041F6000-memory.dmp

Filesize
88KB

Download
memory/1360-60-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download
memory/1700-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1700-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1700-102-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/1700-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1700-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1700-92-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1700-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1700-96-0x0000000000418EEA-mapping.dmp

Download
memory/1816-75-0x0000000000000000-mapping.dmp

Download
memory/1816-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-81-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1816-80-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1860-73-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1860-79-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1860-70-0x0000000000000000-mapping.dmp

Download