raccoon | 0da6fa4b335e835322515d0a96c88d6a133349d57560f476821d90e2477ffbeb

Analysis

max time kernel
4294211s
max time network
132s
platform
windows7_x64
resource
win7-20220310-en
submitted
12-03-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
Size

234KB
MD5

c84fc9842b288932a1c1cc8f1371ea21
SHA1

2e048768e866cb00596b3b6718956d0ff070f615
SHA256

0da6fa4b335e835322515d0a96c88d6a133349d57560f476821d90e2477ffbeb
SHA512

04eedd48ac09195da84eb9d7b7fb37a77f9ebc13cbb9f342a33e3d1e821536622ae90d3c29c2c76b68cb2076eea7f627e84b34a5fb4b5f6cd3924fa749be9a46

Score

10^/10

raccoon redline smokeloader ccba3157b9f42051adf38fbb8f5d0aca7f2b7366 ww backdoor discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://coralee.at/upload/

http://ducvietcao.com/upload/

http://biz-acc.ru/upload/

http://toimap.com/upload/

http://bbb7d.com/upload/

http://piratia-life.ru/upload/

http://curvreport.com/upload/

http://viagratos.com/upload/

http://mordo.ru/upload/

http://pkodev.net/upload/

rc4.i32

Extracted

Family

redline

Botnet

193.106.191.67:44400

Attributes

auth_value
5a1b28ccd05953f5c3f99729c12427cc

Extracted

Family

raccoon

Botnet

ccba3157b9f42051adf38fbb8f5d0aca7f2b7366

Attributes

url4cnc
http://185.163.204.81/nui8xtgen
http://194.180.191.33/nui8xtgen
http://174.138.11.98/nui8xtgen
http://194.180.191.44/nui8xtgen
http://91.219.236.120/nui8xtgen
https://t.me/nui8xtgen

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1292-105-0x0000000000320000-0x0000000000354000-memory.dmp	family_redline
behavioral1/memory/1292-113-0x0000000002130000-0x0000000002162000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

BF59.exeE4D4.exe192E.exerdbdrgi

pid process

1656 BF59.exe
1292 E4D4.exe
2040 192E.exe
1468 rdbdrgi
Deletes itself 1 IoCs

Processes:

pid process

1192
Loads dropped DLL 7 IoCs

Processes:

WerFault.exe

pid process

828 WerFault.exe
828 WerFault.exe
828 WerFault.exe
828 WerFault.exe
828 WerFault.exe
828 WerFault.exe
828 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1188 976 WerFault.exe rundll32.exe
828 2040 WerFault.exe 192E.exe

pid	process
1656	BF59.exe
1292	E4D4.exe
2040	192E.exe
1468	rdbdrgi

pid	process
1192

pid	process
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe

pid	pid_target	process	target process
1188	976	WerFault.exe	rundll32.exe
828	2040	WerFault.exe	192E.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rdbdrgi0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rdbdrgi
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rdbdrgi
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rdbdrgi
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe

pid	process
1752	0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
1752	0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1192
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0da6fa4b335e835322515d0a96c88d6a133349d57560f.exerdbdrgi

pid process

1752 0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
1468 rdbdrgi
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

E4D4.exe

description pid process

Token: SeShutdownPrivilege 1192
Token: SeShutdownPrivilege 1192
Token: SeDebugPrivilege 1292 E4D4.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1192
1192
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1192
1192

pid	process
1192

description	pid	process
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeDebugPrivilege	1292	E4D4.exe

pid	process
1192
1192

pid	process
1192
1192

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

BF59.exerundll32.exe192E.exetaskeng.exe

description	pid	process	target process
PID 1192 wrote to memory of 1656	1192		BF59.exe
PID 1192 wrote to memory of 1656	1192		BF59.exe
PID 1192 wrote to memory of 1656	1192		BF59.exe
PID 1192 wrote to memory of 1656	1192		BF59.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1656 wrote to memory of 976	1656	BF59.exe	rundll32.exe
PID 1192 wrote to memory of 1292	1192		E4D4.exe
PID 1192 wrote to memory of 1292	1192		E4D4.exe
PID 1192 wrote to memory of 1292	1192		E4D4.exe
PID 1192 wrote to memory of 1292	1192		E4D4.exe
PID 976 wrote to memory of 1188	976	rundll32.exe	WerFault.exe
PID 976 wrote to memory of 1188	976	rundll32.exe	WerFault.exe
PID 976 wrote to memory of 1188	976	rundll32.exe	WerFault.exe
PID 976 wrote to memory of 1188	976	rundll32.exe	WerFault.exe
PID 1192 wrote to memory of 2040	1192		192E.exe
PID 1192 wrote to memory of 2040	1192		192E.exe
PID 1192 wrote to memory of 2040	1192		192E.exe
PID 1192 wrote to memory of 2040	1192		192E.exe
PID 2040 wrote to memory of 828	2040	192E.exe	WerFault.exe
PID 2040 wrote to memory of 828	2040	192E.exe	WerFault.exe
PID 2040 wrote to memory of 828	2040	192E.exe	WerFault.exe
PID 2040 wrote to memory of 828	2040	192E.exe	WerFault.exe
PID 2032 wrote to memory of 1468	2032	taskeng.exe	rdbdrgi
PID 2032 wrote to memory of 1468	2032	taskeng.exe	rdbdrgi
PID 2032 wrote to memory of 1468	2032	taskeng.exe	rdbdrgi
PID 2032 wrote to memory of 1468	2032	taskeng.exe	rdbdrgi

C:\Users\Admin\AppData\Local\Temp\0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe
"C:\Users\Admin\AppData\Local\Temp\0da6fa4b335e835322515d0a96c88d6a133349d57560f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1752

C:\Users\Admin\AppData\Local\Temp\BF59.exe
C:\Users\Admin\AppData\Local\Temp\BF59.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 280
3⤵
- Program crash
PID:1188

C:\Users\Admin\AppData\Local\Temp\E4D4.exe
C:\Users\Admin\AppData\Local\Temp\E4D4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Users\Admin\AppData\Local\Temp\192E.exe
C:\Users\Admin\AppData\Local\Temp\192E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 416
2⤵
- Loads dropped DLL
- Program crash
PID:828

C:\Windows\system32\taskeng.exe
taskeng.exe {F724C85E-67F9-494D-98A0-2BD8ACE05599} S-1-5-21-2932610838-281738825-1127631353-1000:NXLKCZKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Roaming\rdbdrgi
C:\Users\Admin\AppData\Roaming\rdbdrgi
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF59.exe
MD5
5db4e7f04bb163a1337f216ee2076568

SHA1
d1f09aadd4d7583c18a5dbe889477179718de362

SHA256
12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a

SHA512
2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4D4.exe
MD5
7d1e1e8f8d1712e01666a44a72c014bc

SHA1
affc7539af503e63f704d6132b595033649c00ee

SHA256
fe7eb31f333370fd0cfdb136ec609e73ec8a2bf23121bf0147bd91f85037f484

SHA512
f470e316198cfbcc518592a543f9fc64ed8d9ca347bf7683265ae23fab123940db2e5d4aad8f9525f82aa17590c8c708f32a921f97048cdc0bffc16348be40c1

Download Submit
C:\Users\Admin\AppData\Roaming\rdbdrgi
MD5
c84fc9842b288932a1c1cc8f1371ea21

SHA1
2e048768e866cb00596b3b6718956d0ff070f615

SHA256
0da6fa4b335e835322515d0a96c88d6a133349d57560f476821d90e2477ffbeb

SHA512
04eedd48ac09195da84eb9d7b7fb37a77f9ebc13cbb9f342a33e3d1e821536622ae90d3c29c2c76b68cb2076eea7f627e84b34a5fb4b5f6cd3924fa749be9a46

Download Submit
C:\Users\Admin\AppData\Roaming\rdbdrgi
MD5
c84fc9842b288932a1c1cc8f1371ea21

SHA1
2e048768e866cb00596b3b6718956d0ff070f615

SHA256
0da6fa4b335e835322515d0a96c88d6a133349d57560f476821d90e2477ffbeb

SHA512
04eedd48ac09195da84eb9d7b7fb37a77f9ebc13cbb9f342a33e3d1e821536622ae90d3c29c2c76b68cb2076eea7f627e84b34a5fb4b5f6cd3924fa749be9a46

Download Submit
\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
\Users\Admin\AppData\Local\Temp\192E.exe
MD5
e86f1cd73f0be7895872a04dcdfb7766

SHA1
3b2b9441b33ad62ffd0482fb7809751d3b9bad2a

SHA256
e7add15b111b57233b6b738daa79d3be3369d2a8858618c2906b6ef1347dc2c3

SHA512
8b80db7f3133be76feda9c0c05d4739018df74d763d15c8d910ebe77917fa6533bbef3c73a085219874a3d0f1c6de6260bb6bd3f0c514bf99dcfd6a2ed13baab

Download Submit
memory/976-67-0x0000000000180000-0x0000000000184000-memory.dmp

Filesize
16KB

Download
memory/976-69-0x0000000000180000-0x0000000000184000-memory.dmp

Filesize
16KB

Download
memory/976-102-0x00000000764A0000-0x00000000765A0000-memory.dmp

Filesize
1024KB

Download
memory/1192-59-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/1192-129-0x0000000002140000-0x0000000002156000-memory.dmp

Filesize
88KB

Download
memory/1292-104-0x00000000048F1000-0x00000000048F2000-memory.dmp

Filesize
4KB

Download
memory/1292-97-0x000000000064E000-0x000000000067A000-memory.dmp

Filesize
176KB

Download
memory/1292-101-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1292-99-0x000000000064E000-0x000000000067A000-memory.dmp

Filesize
176KB

Download
memory/1292-103-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1292-113-0x0000000002130000-0x0000000002162000-memory.dmp

Filesize
200KB

Download
memory/1292-105-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/1292-100-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1292-122-0x00000000048F4000-0x00000000048F6000-memory.dmp

Filesize
8KB

Download
memory/1292-108-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/1292-109-0x00000000048F3000-0x00000000048F4000-memory.dmp

Filesize
4KB

Download
memory/1468-125-0x000000000026E000-0x0000000000277000-memory.dmp

Filesize
36KB

Download
memory/1468-127-0x000000000026E000-0x0000000000277000-memory.dmp

Filesize
36KB

Download
memory/1468-128-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1656-85-0x0000000077CD0000-0x0000000077E50000-memory.dmp

Filesize
1.5MB

Download
memory/1656-61-0x0000000001E50000-0x0000000001F2C000-memory.dmp

Filesize
880KB

Download
memory/1656-65-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1656-64-0x0000000001F30000-0x000000000214D000-memory.dmp

Filesize
2.1MB

Download
memory/1656-63-0x0000000001E50000-0x0000000001F2C000-memory.dmp

Filesize
880KB

Download
memory/1656-62-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1752-58-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1752-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1752-56-0x000000000051E000-0x0000000000527000-memory.dmp

Filesize
36KB

Download
memory/1752-54-0x000000000051E000-0x0000000000527000-memory.dmp

Filesize
36KB

Download
memory/1752-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/2040-114-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-112-0x0000000000720000-0x00000000007B2000-memory.dmp

Filesize
584KB

Download
memory/2040-111-0x000000000091E000-0x000000000096E000-memory.dmp

Filesize
320KB

Download
memory/2040-107-0x000000000091E000-0x000000000096E000-memory.dmp

Filesize
320KB

Download