raccoon

General

Target

JonnyBoi_SmokeLoader.ps1.ps1
Size

456B
Sample

220906-2ayresaee5
MD5

f44e1099a3ad7de77b06b0884a0195a1
SHA1

32c5bdf2346986abb3afa44c0b259d10b4fa0793
SHA256

06db102d1c5d9386cd8d13e22237b286e4ecf1869c84cc70f17da0d421ccad3d
SHA512

ec60b1401b6f83e05f2b6a377c04f5b53322b78b3482faea8240789dc321b8a4e36ca743a5d0944b15f14eee77d644ce8237332b21836a6ee05d9c1690f7f205

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://85.192.63.184/s.exe

Extracted

Family

redline

Botnet

747

C2

78.153.144.6:2510

Attributes

auth_value
842e51893ada92572d9bc2e846237976

Extracted

Family

redline

Botnet

nam5

C2

103.89.90.61:34589

Attributes

auth_value
f23be8e9063fe5d0c6fc3ee8e7d565bd

Extracted

Family

raccoon

Botnet

d020f14a64593b123f5299012b4c811a

C2

http://116.203.167.5/

http://195.201.248.58/

rc4.plain

Targets

- Target
  
  JonnyBoi_SmokeLoader.ps1.ps1
- Size
  
  456B
- MD5
  
  f44e1099a3ad7de77b06b0884a0195a1
- SHA1
  
  32c5bdf2346986abb3afa44c0b259d10b4fa0793
- SHA256
  
  06db102d1c5d9386cd8d13e22237b286e4ecf1869c84cc70f17da0d421ccad3d
- SHA512
  
  ec60b1401b6f83e05f2b6a377c04f5b53322b78b3482faea8240789dc321b8a4e36ca743a5d0944b15f14eee77d644ce8237332b21836a6ee05d9c1690f7f205
Score

10^/10

redline 747 nam5 discovery infostealer spyware stealer raccoon smokeloader d020f14a64593b123f5299012b4c811a backdoor trojan
- Detects Smokeloader packer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Detects Smokeloader packer

RedLine

RedLine payload

SmokeLoader

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3