raccoon

General

Target

4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
Size

251KB
Sample

211204-fmjmdaadek
MD5

35cc2057342197542eedfe1eec4469bb
SHA1

089a57bd193c0c5076081d86ea979effc8ed2478
SHA256

4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
SHA512

842333dcf97cc9ea44955917d58c3aec9a142c2dbcbaf070c0e372db329eece2287cf3dc7f0d7ec09e7b81644ccaddbdce9d6886b5d1c4d9ae5d341efe4cea60

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

J3J3-US

C2

kent0mushinec0n3t.casacam.net:32095

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Pin.exe
copy_folder
J3J3-US
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
J3J3-US
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-TFIQE4
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
J3J3-US
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes

url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Targets

- Target
  
  4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
- Size
  
  251KB
- MD5
  
  35cc2057342197542eedfe1eec4469bb
- SHA1
  
  089a57bd193c0c5076081d86ea979effc8ed2478
- SHA256
  
  4735a64e5d517a5c55a53557e089a7cf62845ba629d1753f34ec4730b889aded
- SHA512
  
  842333dcf97cc9ea44955917d58c3aec9a142c2dbcbaf070c0e372db329eece2287cf3dc7f0d7ec09e7b81644ccaddbdce9d6886b5d1c4d9ae5d341efe4cea60
Score

10^/10

raccoon redline remcos smokeloader b620be4c85b4051a92040003edbc322be4eb082d j3j3-us backdoor discovery infostealer persistence rat spyware stealer trojan
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1