raccoon | a57569957dd2a6dd7678257c5d9d6cf2362adaad6e9666a0a8f872dc8aad412e

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-12-2021 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6546925f07c1e9aa63a24e76485d4048.exe
Size

248KB
MD5

6546925f07c1e9aa63a24e76485d4048
SHA1

55bc7f7e0c83c279b683bd7a92b29da48ea26d5b
SHA256

a57569957dd2a6dd7678257c5d9d6cf2362adaad6e9666a0a8f872dc8aad412e
SHA512

4d02d6d4ee2e4fff37ca8e142310c16d5ed9fa285e542a42f6ba6337b304a3f549019453826de774b583ebe929505d76813f2ac6d304598b66ec224f4abe2b9a

Score

10^/10

raccoon redline smokeloader b620be4c85b4051a92040003edbc322be4eb082d backdoor infostealer stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

b620be4c85b4051a92040003edbc322be4eb082d

Attributes

url4cnc
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1804-85-0x0000000000DC0000-0x0000000000F35000-memory.dmp	family_redline
behavioral1/memory/996-116-0x0000000001040000-0x00000000011A8000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

B951.exe119E.exe149C.exe119E.exe1E0F.exe149C.exe

pid process

2012 B951.exe
1572 119E.exe
960 149C.exe
1772 119E.exe
1804 1E0F.exe
1752 149C.exe
Deletes itself 1 IoCs

Processes:

pid process

1412
Loads dropped DLL 2 IoCs

Processes:

119E.exe149C.exe

pid process

1572 119E.exe
960 149C.exe

pid	process
2012	B951.exe
1572	119E.exe
960	149C.exe
1772	119E.exe
1804	1E0F.exe
1752	149C.exe

pid	process
1412

pid	process
1572	119E.exe
960	149C.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6546925f07c1e9aa63a24e76485d4048.exe119E.exe149C.exe

description	pid	process	target process
PID 1788 set thread context of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1572 set thread context of 1772	1572	119E.exe	119E.exe
PID 960 set thread context of 1752	960	149C.exe	149C.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6546925f07c1e9aa63a24e76485d4048.exe119E.exeB951.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6546925f07c1e9aa63a24e76485d4048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	119E.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	119E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	119E.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6546925f07c1e9aa63a24e76485d4048.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6546925f07c1e9aa63a24e76485d4048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B951.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B951.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B951.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6546925f07c1e9aa63a24e76485d4048.exe

pid	process
1932	6546925f07c1e9aa63a24e76485d4048.exe
1932	6546925f07c1e9aa63a24e76485d4048.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1412
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

6546925f07c1e9aa63a24e76485d4048.exeB951.exe119E.exe

pid process

1932 6546925f07c1e9aa63a24e76485d4048.exe
2012 B951.exe
1772 119E.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1412
1412
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1412
1412

pid	process
1412

pid	process
1412
1412

pid	process
1412
1412

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

6546925f07c1e9aa63a24e76485d4048.exe119E.exe149C.exe

description	pid	process	target process
PID 1788 wrote to memory of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1788 wrote to memory of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1788 wrote to memory of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1788 wrote to memory of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1788 wrote to memory of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1788 wrote to memory of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1788 wrote to memory of 1932	1788	6546925f07c1e9aa63a24e76485d4048.exe	6546925f07c1e9aa63a24e76485d4048.exe
PID 1412 wrote to memory of 2012	1412		B951.exe
PID 1412 wrote to memory of 2012	1412		B951.exe
PID 1412 wrote to memory of 2012	1412		B951.exe
PID 1412 wrote to memory of 2012	1412		B951.exe
PID 1412 wrote to memory of 1572	1412		119E.exe
PID 1412 wrote to memory of 1572	1412		119E.exe
PID 1412 wrote to memory of 1572	1412		119E.exe
PID 1412 wrote to memory of 1572	1412		119E.exe
PID 1412 wrote to memory of 960	1412		149C.exe
PID 1412 wrote to memory of 960	1412		149C.exe
PID 1412 wrote to memory of 960	1412		149C.exe
PID 1412 wrote to memory of 960	1412		149C.exe
PID 1572 wrote to memory of 1772	1572	119E.exe	119E.exe
PID 1572 wrote to memory of 1772	1572	119E.exe	119E.exe
PID 1572 wrote to memory of 1772	1572	119E.exe	119E.exe
PID 1572 wrote to memory of 1772	1572	119E.exe	119E.exe
PID 1572 wrote to memory of 1772	1572	119E.exe	119E.exe
PID 1572 wrote to memory of 1772	1572	119E.exe	119E.exe
PID 1572 wrote to memory of 1772	1572	119E.exe	119E.exe
PID 1412 wrote to memory of 1804	1412		1E0F.exe
PID 1412 wrote to memory of 1804	1412		1E0F.exe
PID 1412 wrote to memory of 1804	1412		1E0F.exe
PID 1412 wrote to memory of 1804	1412		1E0F.exe
PID 1412 wrote to memory of 1804	1412		1E0F.exe
PID 1412 wrote to memory of 1804	1412		1E0F.exe
PID 1412 wrote to memory of 1804	1412		1E0F.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe
PID 960 wrote to memory of 1752	960	149C.exe	149C.exe

C:\Users\Admin\AppData\Local\Temp\6546925f07c1e9aa63a24e76485d4048.exe
"C:\Users\Admin\AppData\Local\Temp\6546925f07c1e9aa63a24e76485d4048.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\6546925f07c1e9aa63a24e76485d4048.exe
"C:\Users\Admin\AppData\Local\Temp\6546925f07c1e9aa63a24e76485d4048.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1932

C:\Users\Admin\AppData\Local\Temp\B951.exe
C:\Users\Admin\AppData\Local\Temp\B951.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2012

C:\Users\Admin\AppData\Local\Temp\119E.exe
C:\Users\Admin\AppData\Local\Temp\119E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\119E.exe
C:\Users\Admin\AppData\Local\Temp\119E.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1772

C:\Users\Admin\AppData\Local\Temp\149C.exe
C:\Users\Admin\AppData\Local\Temp\149C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\149C.exe
C:\Users\Admin\AppData\Local\Temp\149C.exe
2⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\1E0F.exe
C:\Users\Admin\AppData\Local\Temp\1E0F.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Local\Temp\4069.exe
C:\Users\Admin\AppData\Local\Temp\4069.exe
1⤵
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\119E.exe
MD5
abc129961e3bf1a860d06d098650086b

SHA1
2abfd118d815b6986da344ea8153f39193f7eea2

SHA256
12a3a8e92cab5c40d73db1670eea5e97f84d1ba4e6af723e4c2ee8f4cf6323fa

SHA512
04a5ff61a6b558385648686065afdc3b18a20e1381d2e923093ca22a777a439b3669da5552185a803b1535540dc888896c9783451664d3f2f47e3d736826ae53

Download Submit
C:\Users\Admin\AppData\Local\Temp\119E.exe
MD5
abc129961e3bf1a860d06d098650086b

SHA1
2abfd118d815b6986da344ea8153f39193f7eea2

SHA256
12a3a8e92cab5c40d73db1670eea5e97f84d1ba4e6af723e4c2ee8f4cf6323fa

SHA512
04a5ff61a6b558385648686065afdc3b18a20e1381d2e923093ca22a777a439b3669da5552185a803b1535540dc888896c9783451664d3f2f47e3d736826ae53

Download Submit
C:\Users\Admin\AppData\Local\Temp\119E.exe
MD5
abc129961e3bf1a860d06d098650086b

SHA1
2abfd118d815b6986da344ea8153f39193f7eea2

SHA256
12a3a8e92cab5c40d73db1670eea5e97f84d1ba4e6af723e4c2ee8f4cf6323fa

SHA512
04a5ff61a6b558385648686065afdc3b18a20e1381d2e923093ca22a777a439b3669da5552185a803b1535540dc888896c9783451664d3f2f47e3d736826ae53

Download Submit
C:\Users\Admin\AppData\Local\Temp\149C.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\149C.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\149C.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0F.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E0F.exe
MD5
4df0d4be3b3abb5ca237d11013411885

SHA1
7b9376e633769eb52a70ec887143826f924f6fee

SHA256
2cf6a392704eb1ede9545577028283a714d4abd1b53318ca11b3075dee799813

SHA512
14e1543c4f8a5c331ef1de493c7aaf8e2ade61b6a4cc9e15e2e3ce988be4cd5c72a2558c78e39ebe8f71de592945192df7cb2093ce71d62d5a417f5cf6858db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4069.exe
MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\4069.exe
MD5
4d96f213bfbba34ffba4986724d3a99c

SHA1
b7dfe9e3a186bf0d0a0e3793c84cd83d23b4c526

SHA256
f901c29eb448ec4288c6215ba6af0ce804009b69e6505ab35f1037f23851f5b7

SHA512
4e333f8fd1fca9784deb59c12645be1b68e12771dbc77f48419365df7da46638b40bb0a00f0640225a1ee652096c0f3cf7ebd12ed3463afb24f7df27c3717937

Download Submit
C:\Users\Admin\AppData\Local\Temp\B951.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
\Users\Admin\AppData\Local\Temp\119E.exe
MD5
abc129961e3bf1a860d06d098650086b

SHA1
2abfd118d815b6986da344ea8153f39193f7eea2

SHA256
12a3a8e92cab5c40d73db1670eea5e97f84d1ba4e6af723e4c2ee8f4cf6323fa

SHA512
04a5ff61a6b558385648686065afdc3b18a20e1381d2e923093ca22a777a439b3669da5552185a803b1535540dc888896c9783451664d3f2f47e3d736826ae53

Download Submit
\Users\Admin\AppData\Local\Temp\149C.exe
MD5
61a3807e15231687f38358e3ae6b670c

SHA1
b577ef08f60b55811aa5b8b93e5b3755b899115f

SHA256
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1

SHA512
8dfe85f3779d08a083e6be58d8ea9638daa1fe03716e1a8a88ab9be90cd9fa03a6c05c8e7e6ab37a2d729fe422c8a280133ea4cc2820d140a71b6eb78231b9f4

Download Submit
memory/960-89-0x0000000000698000-0x00000000006FE000-memory.dmp

Filesize
408KB

Download
memory/960-70-0x0000000000000000-mapping.dmp

Download
memory/960-98-0x0000000000220000-0x00000000002AF000-memory.dmp

Filesize
572KB

Download
memory/996-115-0x0000000074850000-0x000000007489A000-memory.dmp

Filesize
296KB

Download
memory/996-121-0x0000000076C00000-0x0000000076CAC000-memory.dmp

Filesize
688KB

Download
memory/996-116-0x0000000001040000-0x00000000011A8000-memory.dmp

Filesize
1.4MB

Download
memory/996-117-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/996-111-0x0000000000000000-mapping.dmp

Download
memory/996-119-0x0000000000240000-0x0000000000287000-memory.dmp

Filesize
284KB

Download
memory/1412-99-0x00000000041C0000-0x00000000041D6000-memory.dmp

Filesize
88KB

Download
memory/1412-67-0x0000000003AA0000-0x0000000003AB6000-memory.dmp

Filesize
88KB

Download
memory/1412-60-0x0000000002990000-0x00000000029A6000-memory.dmp

Filesize
88KB

Download
memory/1572-68-0x0000000000000000-mapping.dmp

Download
memory/1572-72-0x00000000002AB000-0x00000000002B4000-memory.dmp

Filesize
36KB

Download
memory/1752-118-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1752-107-0x000000000340B000-0x000000000345A000-memory.dmp

Filesize
316KB

Download
memory/1752-100-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1752-108-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1752-110-0x0000000000230000-0x00000000002BF000-memory.dmp

Filesize
572KB

Download
memory/1752-95-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1752-96-0x0000000000456A80-mapping.dmp

Download
memory/1772-76-0x0000000000402F47-mapping.dmp

Download
memory/1788-59-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1788-55-0x00000000005CB000-0x00000000005D4000-memory.dmp

Filesize
36KB

Download
memory/1804-86-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1804-85-0x0000000000DC0000-0x0000000000F35000-memory.dmp

Filesize
1.5MB

Download
memory/1804-90-0x00000000768E0000-0x0000000076927000-memory.dmp

Filesize
284KB

Download
memory/1804-88-0x0000000076C00000-0x0000000076CAC000-memory.dmp

Filesize
688KB

Download
memory/1804-102-0x0000000076CC0000-0x0000000076E1C000-memory.dmp

Filesize
1.4MB

Download
memory/1804-103-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1804-105-0x0000000076B70000-0x0000000076BFF000-memory.dmp

Filesize
572KB

Download
memory/1804-91-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1804-106-0x0000000074750000-0x00000000747D0000-memory.dmp

Filesize
512KB

Download
memory/1804-92-0x00000000767B0000-0x0000000076807000-memory.dmp

Filesize
348KB

Download
memory/1804-84-0x0000000000210000-0x0000000000253000-memory.dmp

Filesize
268KB

Download
memory/1804-83-0x0000000074850000-0x000000007489A000-memory.dmp

Filesize
296KB

Download
memory/1804-79-0x0000000000000000-mapping.dmp

Download
memory/1932-58-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/1932-57-0x0000000000402F47-mapping.dmp

Download
memory/1932-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2012-66-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download
memory/2012-64-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2012-65-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2012-61-0x0000000000000000-mapping.dmp

Download