raccoon | 427c95ff1528c467e90476ee77b6f7b04a587113629e254e82e5bbdfcbf92bb7 | Triage

Submit
Reports

Overview

overview

Static

static

878dd2cdb7...c8.exe

windows7-x64

878dd2cdb7...c8.exe

windows10-2004-x64

Sharing

General

Target

878dd2cdb73f4e0b533dc811cf5841c8.exe
Size

173KB
Sample

220921-1qf1wacfgp
MD5

878dd2cdb73f4e0b533dc811cf5841c8
SHA1

0c3795bdd8863b08f6db06bb9df0ded7a85ab318
SHA256

427c95ff1528c467e90476ee77b6f7b04a587113629e254e82e5bbdfcbf92bb7
SHA512

5e0371b51cc8e62af101df8ac3f5a3367b843e54f5db168fadca2eabd3d07fd1aa564de9a2f0c54cc492cb31d175d2d42b8316c1e768957187e6f64b568c3ddb
SSDEEP

3072:FfLsLZjc5d2z2+nQbSqvqDpsanMZz/wB5XL/v/Pk9Dn:9ILNdznnGSgqkFmL/

Score

10^/10

raccoon redline smokeloader 4e187ce10576e2a00834f1b52791b121 logsdiller cloud (sup: @mr_golds)backdoor infostealer persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

878dd2cdb73f4e0b533dc811cf5841c8.exe

Resource

win7-20220812-en

smokeloader backdoor trojan

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

878dd2cdb73f4e0b533dc811cf5841c8.exe

Resource

win10v2004-20220901-en

raccoon redline smokeloader 4e187ce10576e2a00834f1b52791b121 logsdiller cloud (sup: @mr_golds)backdoor infostealer persistence spyware stealer trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

77.73.134.27:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Extracted

Family

raccoon

Botnet

4e187ce10576e2a00834f1b52791b121

C2

http://74.119.194.185/

rc4.plain

Targets

- Target
  
  878dd2cdb73f4e0b533dc811cf5841c8.exe
- Size
  
  173KB
- MD5
  
  878dd2cdb73f4e0b533dc811cf5841c8
- SHA1
  
  0c3795bdd8863b08f6db06bb9df0ded7a85ab318
- SHA256
  
  427c95ff1528c467e90476ee77b6f7b04a587113629e254e82e5bbdfcbf92bb7
- SHA512
  
  5e0371b51cc8e62af101df8ac3f5a3367b843e54f5db168fadca2eabd3d07fd1aa564de9a2f0c54cc492cb31d175d2d42b8316c1e768957187e6f64b568c3ddb
- SSDEEP
  
  3072:FfLsLZjc5d2z2+nQbSqvqDpsanMZz/wB5XL/v/Pk9Dn:9ILNdznnGSgqkFmL/
Score

10^/10

smokeloader backdoor trojan raccoon redline 4e187ce10576e2a00834f1b52791b121 logsdiller cloud (sup: @mr_golds)infostealer persistence spyware stealer
- Detects Smokeloader packer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

raccoonredlinesmokeloader4e187ce10576e2a00834f1b52791b121logsdiller cloud (sup: @mr_golds)backdoorinfostealerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy