raccoon | c9f18cc71c7a1fa61d43a32dfb858f9aa247324a188f8182981b853266d3b1c7

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7-en-20211014
submitted
18-11-2021 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

743f8fec87ebf7c5d6b392261ec3988f.exe
Size

334KB
MD5

743f8fec87ebf7c5d6b392261ec3988f
SHA1

1bc862eecde55f2c1de69bc9e3fdd7468de373d0
SHA256

c9f18cc71c7a1fa61d43a32dfb858f9aa247324a188f8182981b853266d3b1c7
SHA512

59156212c7c800920da3a3f22191799ac4632dda5a3128b4f7bb8a2856a924dedf16c470766ac37ef431df7cc76cc98df4bb1af180c70584caf71cdd28819413

Score

10^/10

raccoon redline smokeloader ddf183af4241e3172885cf1b2c4c1fb4ee03d05a backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-84-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1660-85-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1660-88-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/1660-86-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1660-91-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

B886.exeBF1C.exeC66D.exeB886.exeCFEF.exeBF1C.exe

pid process

1412 B886.exe
1696 BF1C.exe
1796 C66D.exe
1952 B886.exe
992 CFEF.exe
1660 BF1C.exe

pid	process
1412	B886.exe
1696	BF1C.exe
1796	C66D.exe
1952	B886.exe
992	CFEF.exe
1660	BF1C.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CFEF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CFEF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CFEF.exe

Deletes itself 1 IoCs

Processes:

pid process

1300
Loads dropped DLL 2 IoCs

Processes:

BF1C.exeB886.exe

pid process

1696 BF1C.exe
1412 B886.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1300

pid	process
1696	BF1C.exe
1412	B886.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CFEF.exe	themida
behavioral1/memory/992-92-0x0000000000A10000-0x0000000000A11000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

CFEF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CFEF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

CFEF.exe

pid process

992 CFEF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CFEF.exe

pid	process
992	CFEF.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

743f8fec87ebf7c5d6b392261ec3988f.exeB886.exeBF1C.exe

description	pid	process	target process
PID 1120 set thread context of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1412 set thread context of 1952	1412	B886.exe	B886.exe
PID 1696 set thread context of 1660	1696	BF1C.exe	BF1C.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

B886.exe743f8fec87ebf7c5d6b392261ec3988f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B886.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B886.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B886.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	743f8fec87ebf7c5d6b392261ec3988f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	743f8fec87ebf7c5d6b392261ec3988f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	743f8fec87ebf7c5d6b392261ec3988f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

743f8fec87ebf7c5d6b392261ec3988f.exe

pid	process
472	743f8fec87ebf7c5d6b392261ec3988f.exe
472	743f8fec87ebf7c5d6b392261ec3988f.exe
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1300
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

743f8fec87ebf7c5d6b392261ec3988f.exeB886.exe

pid process

472 743f8fec87ebf7c5d6b392261ec3988f.exe
1952 B886.exe

pid	process
1300

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

CFEF.exeBF1C.exe

description	pid	process
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeDebugPrivilege	992	CFEF.exe
Token: SeDebugPrivilege	1660	BF1C.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1300
1300
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1300
1300

pid	process
1300
1300

pid	process
1300
1300

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

743f8fec87ebf7c5d6b392261ec3988f.exeBF1C.exeB886.exe

description	pid	process	target process
PID 1120 wrote to memory of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1120 wrote to memory of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1120 wrote to memory of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1120 wrote to memory of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1120 wrote to memory of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1120 wrote to memory of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1120 wrote to memory of 472	1120	743f8fec87ebf7c5d6b392261ec3988f.exe	743f8fec87ebf7c5d6b392261ec3988f.exe
PID 1300 wrote to memory of 1412	1300		B886.exe
PID 1300 wrote to memory of 1412	1300		B886.exe
PID 1300 wrote to memory of 1412	1300		B886.exe
PID 1300 wrote to memory of 1412	1300		B886.exe
PID 1300 wrote to memory of 1696	1300		BF1C.exe
PID 1300 wrote to memory of 1696	1300		BF1C.exe
PID 1300 wrote to memory of 1696	1300		BF1C.exe
PID 1300 wrote to memory of 1696	1300		BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1300 wrote to memory of 1796	1300		C66D.exe
PID 1300 wrote to memory of 1796	1300		C66D.exe
PID 1300 wrote to memory of 1796	1300		C66D.exe
PID 1300 wrote to memory of 1796	1300		C66D.exe
PID 1412 wrote to memory of 1952	1412	B886.exe	B886.exe
PID 1412 wrote to memory of 1952	1412	B886.exe	B886.exe
PID 1412 wrote to memory of 1952	1412	B886.exe	B886.exe
PID 1412 wrote to memory of 1952	1412	B886.exe	B886.exe
PID 1412 wrote to memory of 1952	1412	B886.exe	B886.exe
PID 1412 wrote to memory of 1952	1412	B886.exe	B886.exe
PID 1412 wrote to memory of 1952	1412	B886.exe	B886.exe
PID 1300 wrote to memory of 992	1300		CFEF.exe
PID 1300 wrote to memory of 992	1300		CFEF.exe
PID 1300 wrote to memory of 992	1300		CFEF.exe
PID 1300 wrote to memory of 992	1300		CFEF.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe
PID 1696 wrote to memory of 1660	1696	BF1C.exe	BF1C.exe

C:\Users\Admin\AppData\Local\Temp\743f8fec87ebf7c5d6b392261ec3988f.exe
"C:\Users\Admin\AppData\Local\Temp\743f8fec87ebf7c5d6b392261ec3988f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\743f8fec87ebf7c5d6b392261ec3988f.exe
"C:\Users\Admin\AppData\Local\Temp\743f8fec87ebf7c5d6b392261ec3988f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:472

C:\Users\Admin\AppData\Local\Temp\B886.exe
C:\Users\Admin\AppData\Local\Temp\B886.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\B886.exe
C:\Users\Admin\AppData\Local\Temp\B886.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1952

C:\Users\Admin\AppData\Local\Temp\BF1C.exe
C:\Users\Admin\AppData\Local\Temp\BF1C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\BF1C.exe
C:\Users\Admin\AppData\Local\Temp\BF1C.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\C66D.exe
C:\Users\Admin\AppData\Local\Temp\C66D.exe
1⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\Temp\CFEF.exe
C:\Users\Admin\AppData\Local\Temp\CFEF.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B886.exe
MD5
8ef1ae58e545946baca2dbc17e135577

SHA1
5c885447330a3bfd39a1432e876f5315227dc63a

SHA256
0c4f067db78d493cf8966b08555ff8a50e920fe4737786cea5be5348d9785c3c

SHA512
35ca7cfedbd9cd70913a57ca1e1b2be976e8fb067471805b70867b232a8b89772d773eafb0fe49aa7bcc14e6a49d85918657ee3ebf2785d15f5e18b5d660eee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B886.exe
MD5
8ef1ae58e545946baca2dbc17e135577

SHA1
5c885447330a3bfd39a1432e876f5315227dc63a

SHA256
0c4f067db78d493cf8966b08555ff8a50e920fe4737786cea5be5348d9785c3c

SHA512
35ca7cfedbd9cd70913a57ca1e1b2be976e8fb067471805b70867b232a8b89772d773eafb0fe49aa7bcc14e6a49d85918657ee3ebf2785d15f5e18b5d660eee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B886.exe
MD5
8ef1ae58e545946baca2dbc17e135577

SHA1
5c885447330a3bfd39a1432e876f5315227dc63a

SHA256
0c4f067db78d493cf8966b08555ff8a50e920fe4737786cea5be5348d9785c3c

SHA512
35ca7cfedbd9cd70913a57ca1e1b2be976e8fb067471805b70867b232a8b89772d773eafb0fe49aa7bcc14e6a49d85918657ee3ebf2785d15f5e18b5d660eee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF1C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF1C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF1C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\C66D.exe
MD5
9733aef1c8ec194a3198ab8e0130b7d4

SHA1
cf886d1cbabe2c572edd001c0fa55a13d3e191bd

SHA256
fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1

SHA512
49a343a6fc4e4d75f1177ca8d7f65682f853b956a46bb65fa6b22c2a8d5121fd949cfbbb22c44e7fb5631350f97c10ca726260544bcc0b8a706085f9f9f7ff77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFEF.exe
MD5
a77f1ed5881d44fc95bf3da05c349385

SHA1
7a80066b7f8b335ccc1a85d9847a29251f2875ca

SHA256
58be03e1a79fedf4f6181c0ce9d819f85cb656b00831c55673e15433183d0206

SHA512
308a8bfbc3396c53ab3d38d55238c692eaaf42bfb1fa074cf432f6c980ab790144697a726d7e8b60db82e60a600a280879fb5d833e4dd8eb6eef8198aa368641

Download Submit
\Users\Admin\AppData\Local\Temp\B886.exe
MD5
8ef1ae58e545946baca2dbc17e135577

SHA1
5c885447330a3bfd39a1432e876f5315227dc63a

SHA256
0c4f067db78d493cf8966b08555ff8a50e920fe4737786cea5be5348d9785c3c

SHA512
35ca7cfedbd9cd70913a57ca1e1b2be976e8fb067471805b70867b232a8b89772d773eafb0fe49aa7bcc14e6a49d85918657ee3ebf2785d15f5e18b5d660eee2

Download Submit
\Users\Admin\AppData\Local\Temp\BF1C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
memory/472-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-57-0x0000000000402DD8-mapping.dmp

Download
memory/472-58-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/992-79-0x0000000000000000-mapping.dmp

Download
memory/992-98-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/992-92-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1120-59-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1120-55-0x00000000020ED000-0x00000000020FE000-memory.dmp

Filesize
68KB

Download
memory/1300-60-0x0000000002200000-0x0000000002216000-memory.dmp

Filesize
88KB

Download
memory/1300-101-0x00000000043D0000-0x00000000043E6000-memory.dmp

Filesize
88KB

Download
memory/1412-72-0x00000000020CD000-0x00000000020DE000-memory.dmp

Filesize
68KB

Download
memory/1412-61-0x0000000000000000-mapping.dmp

Download
memory/1660-88-0x0000000000418EEA-mapping.dmp

Download
memory/1660-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1660-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1660-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1660-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1660-99-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1660-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1660-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1696-68-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1696-66-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/1696-63-0x0000000000000000-mapping.dmp

Download
memory/1796-70-0x0000000000000000-mapping.dmp

Download
memory/1796-95-0x000000000258B000-0x00000000025DA000-memory.dmp

Filesize
316KB

Download
memory/1796-97-0x0000000000220000-0x00000000002AF000-memory.dmp

Filesize
572KB

Download
memory/1796-100-0x0000000000400000-0x00000000023E7000-memory.dmp

Filesize
31.9MB

Download
memory/1952-76-0x0000000000402DD8-mapping.dmp

Download