raccoon | eebb0bc908c35371455035b1bfdf3e1b89abd056deaece5b295f0863f0c5aeed

General

Target

90b477d2d26f07e17a71d0e17dbb706b.exe
Size

213KB
MD5

90b477d2d26f07e17a71d0e17dbb706b
SHA1

5d2a4046cf3aad360ada50ab052e4cd702592722
SHA256

eebb0bc908c35371455035b1bfdf3e1b89abd056deaece5b295f0863f0c5aeed
SHA512

625f48bc38070c80f0b99a13ec87920f3f073be417a52ff3316be08f9d8fa56e17b7b2d344e8fd86e83076355d007d735577b092aa943d2e6f8f39fc64ecb131

Score

10^/10

raccoon redline smokeloader f797145799b7b1b77b35d81de942eee0908da519 backdoor infostealer stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1496-78-0x0000000001130000-0x0000000001199000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

34F5.exe34F5.exe47EA.exe4E22.exe

pid process

612 34F5.exe
1820 34F5.exe
1132 47EA.exe
1496 4E22.exe
Deletes itself 1 IoCs

Processes:

pid process

1380
Loads dropped DLL 1 IoCs

Processes:

34F5.exe

pid process

612 34F5.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

4E22.exe

pid process

1496 4E22.exe

pid	process
612	34F5.exe
1820	34F5.exe
1132	47EA.exe
1496	4E22.exe

pid	process
1380

pid	process
612	34F5.exe

pid	process
1496	4E22.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

90b477d2d26f07e17a71d0e17dbb706b.exe34F5.exe

description	pid	process	target process
PID 692 set thread context of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 612 set thread context of 1820	612	34F5.exe	34F5.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

34F5.exe90b477d2d26f07e17a71d0e17dbb706b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34F5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34F5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34F5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90b477d2d26f07e17a71d0e17dbb706b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90b477d2d26f07e17a71d0e17dbb706b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	90b477d2d26f07e17a71d0e17dbb706b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

90b477d2d26f07e17a71d0e17dbb706b.exe

pid	process
876	90b477d2d26f07e17a71d0e17dbb706b.exe
876	90b477d2d26f07e17a71d0e17dbb706b.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1380
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

90b477d2d26f07e17a71d0e17dbb706b.exe

pid process

876 90b477d2d26f07e17a71d0e17dbb706b.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1380
1380
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1380
1380

pid	process
1380

pid	process
1380
1380

pid	process
1380
1380

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

90b477d2d26f07e17a71d0e17dbb706b.exe34F5.exe

description	pid	process	target process
PID 692 wrote to memory of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 692 wrote to memory of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 692 wrote to memory of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 692 wrote to memory of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 692 wrote to memory of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 692 wrote to memory of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 692 wrote to memory of 876	692	90b477d2d26f07e17a71d0e17dbb706b.exe	90b477d2d26f07e17a71d0e17dbb706b.exe
PID 1380 wrote to memory of 612	1380		34F5.exe
PID 1380 wrote to memory of 612	1380		34F5.exe
PID 1380 wrote to memory of 612	1380		34F5.exe
PID 1380 wrote to memory of 612	1380		34F5.exe
PID 612 wrote to memory of 1820	612	34F5.exe	34F5.exe
PID 612 wrote to memory of 1820	612	34F5.exe	34F5.exe
PID 612 wrote to memory of 1820	612	34F5.exe	34F5.exe
PID 612 wrote to memory of 1820	612	34F5.exe	34F5.exe
PID 612 wrote to memory of 1820	612	34F5.exe	34F5.exe
PID 612 wrote to memory of 1820	612	34F5.exe	34F5.exe
PID 612 wrote to memory of 1820	612	34F5.exe	34F5.exe
PID 1380 wrote to memory of 1132	1380		47EA.exe
PID 1380 wrote to memory of 1132	1380		47EA.exe
PID 1380 wrote to memory of 1132	1380		47EA.exe
PID 1380 wrote to memory of 1132	1380		47EA.exe
PID 1380 wrote to memory of 1496	1380		4E22.exe
PID 1380 wrote to memory of 1496	1380		4E22.exe
PID 1380 wrote to memory of 1496	1380		4E22.exe
PID 1380 wrote to memory of 1496	1380		4E22.exe
PID 1380 wrote to memory of 1496	1380		4E22.exe
PID 1380 wrote to memory of 1496	1380		4E22.exe
PID 1380 wrote to memory of 1496	1380		4E22.exe

C:\Users\Admin\AppData\Local\Temp\90b477d2d26f07e17a71d0e17dbb706b.exe
"C:\Users\Admin\AppData\Local\Temp\90b477d2d26f07e17a71d0e17dbb706b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\90b477d2d26f07e17a71d0e17dbb706b.exe
"C:\Users\Admin\AppData\Local\Temp\90b477d2d26f07e17a71d0e17dbb706b.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:876

C:\Users\Admin\AppData\Local\Temp\34F5.exe
C:\Users\Admin\AppData\Local\Temp\34F5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\34F5.exe
C:\Users\Admin\AppData\Local\Temp\34F5.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1820

C:\Users\Admin\AppData\Local\Temp\47EA.exe
C:\Users\Admin\AppData\Local\Temp\47EA.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Users\Admin\AppData\Local\Temp\4E22.exe
C:\Users\Admin\AppData\Local\Temp\4E22.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34F5.exe
MD5
90b477d2d26f07e17a71d0e17dbb706b

SHA1
5d2a4046cf3aad360ada50ab052e4cd702592722

SHA256
eebb0bc908c35371455035b1bfdf3e1b89abd056deaece5b295f0863f0c5aeed

SHA512
625f48bc38070c80f0b99a13ec87920f3f073be417a52ff3316be08f9d8fa56e17b7b2d344e8fd86e83076355d007d735577b092aa943d2e6f8f39fc64ecb131

Download Submit
C:\Users\Admin\AppData\Local\Temp\34F5.exe
MD5
90b477d2d26f07e17a71d0e17dbb706b

SHA1
5d2a4046cf3aad360ada50ab052e4cd702592722

SHA256
eebb0bc908c35371455035b1bfdf3e1b89abd056deaece5b295f0863f0c5aeed

SHA512
625f48bc38070c80f0b99a13ec87920f3f073be417a52ff3316be08f9d8fa56e17b7b2d344e8fd86e83076355d007d735577b092aa943d2e6f8f39fc64ecb131

Download Submit
C:\Users\Admin\AppData\Local\Temp\34F5.exe
MD5
90b477d2d26f07e17a71d0e17dbb706b

SHA1
5d2a4046cf3aad360ada50ab052e4cd702592722

SHA256
eebb0bc908c35371455035b1bfdf3e1b89abd056deaece5b295f0863f0c5aeed

SHA512
625f48bc38070c80f0b99a13ec87920f3f073be417a52ff3316be08f9d8fa56e17b7b2d344e8fd86e83076355d007d735577b092aa943d2e6f8f39fc64ecb131

Download Submit
C:\Users\Admin\AppData\Local\Temp\47EA.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E22.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E22.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
\Users\Admin\AppData\Local\Temp\34F5.exe
MD5
90b477d2d26f07e17a71d0e17dbb706b

SHA1
5d2a4046cf3aad360ada50ab052e4cd702592722

SHA256
eebb0bc908c35371455035b1bfdf3e1b89abd056deaece5b295f0863f0c5aeed

SHA512
625f48bc38070c80f0b99a13ec87920f3f073be417a52ff3316be08f9d8fa56e17b7b2d344e8fd86e83076355d007d735577b092aa943d2e6f8f39fc64ecb131

Download Submit
memory/612-61-0x0000000000000000-mapping.dmp

Download
memory/692-55-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/692-56-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/876-59-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/876-58-0x0000000000402F47-mapping.dmp

Download
memory/876-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1132-82-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1132-69-0x0000000000000000-mapping.dmp

Download
memory/1132-71-0x000000000030B000-0x000000000035A000-memory.dmp

Filesize
316KB

Download
memory/1132-79-0x0000000001CC0000-0x0000000001D4F000-memory.dmp

Filesize
572KB

Download
memory/1380-60-0x0000000002640000-0x0000000002656000-memory.dmp

Filesize
88KB

Download
memory/1496-78-0x0000000001130000-0x0000000001199000-memory.dmp

Filesize
420KB

Download
memory/1496-89-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1496-73-0x0000000000000000-mapping.dmp

Download
memory/1496-81-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1496-94-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1496-80-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/1496-84-0x0000000074B50000-0x0000000074BFC000-memory.dmp

Filesize
688KB

Download
memory/1496-85-0x0000000074E80000-0x0000000074EC7000-memory.dmp

Filesize
284KB

Download
memory/1496-86-0x0000000075470000-0x00000000754C7000-memory.dmp

Filesize
348KB

Download
memory/1496-88-0x0000000076770000-0x00000000768CC000-memory.dmp

Filesize
1.4MB

Download
memory/1496-77-0x00000000743F0000-0x000000007443A000-memory.dmp

Filesize
296KB

Download
memory/1496-91-0x0000000075600000-0x000000007568F000-memory.dmp

Filesize
572KB

Download
memory/1496-92-0x0000000073990000-0x0000000073A10000-memory.dmp

Filesize
512KB

Download
memory/1820-66-0x0000000000402F47-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads