raccoon | 18e34d21763bf34929fe825537f3de25ab7c0fad04b1b7200c36b084fe6877d2 | Triage

Sharing

General

Target

18e34d21763bf34929fe825537f3de25ab7c0fad04b1b7200c36b084fe6877d2
Size

140KB
Sample

211117-2e9z9aebd8
MD5

9f790ec5e860b04a9590d908bae1dcdb
SHA1

4a71f95f655e33e062fd844d23af00dd046a1760
SHA256

18e34d21763bf34929fe825537f3de25ab7c0fad04b1b7200c36b084fe6877d2
SHA512

c9305b8dc21a48cb4a559cadcd5ba6e965b6b82838cd41b32c9d9bec813ecb44b544aeb6e39c5ff9268760c3af41ce1de651381d35a86e3b23c9b7383aa8b1fe

Score

10^/10

raccoon redline smokeloader ddf183af4241e3172885cf1b2c4c1fb4ee03d05a backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

rc4.i32

Extracted

Family

redline

C2

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

rc4.plain

Targets

- Target
  
  18e34d21763bf34929fe825537f3de25ab7c0fad04b1b7200c36b084fe6877d2
- Size
  
  140KB
- MD5
  
  9f790ec5e860b04a9590d908bae1dcdb
- SHA1
  
  4a71f95f655e33e062fd844d23af00dd046a1760
- SHA256
  
  18e34d21763bf34929fe825537f3de25ab7c0fad04b1b7200c36b084fe6877d2
- SHA512
  
  c9305b8dc21a48cb4a559cadcd5ba6e965b6b82838cd41b32c9d9bec813ecb44b544aeb6e39c5ff9268760c3af41ce1de651381d35a86e3b23c9b7383aa8b1fe
Score

10^/10

raccoon redline smokeloader ddf183af4241e3172885cf1b2c4c1fb4ee03d05a backdoor discovery infostealer spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

raccoonredlinesmokeloaderddf183af4241e3172885cf1b2c4c1fb4ee03d05abackdoordiscoveryinfostealerspywarestealertrojan