raccoon | 6af109fc0adbf4d70eb2559299b138f2ff0987bc441b80ea1f18879540ac4638 | Triage

Submit
Reports

Overview

overview

Static

static

3

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

290KB
Sample

231206-j83h6ada24
MD5

c4a6d45c1681adc54d23963e22792cd2
SHA1

3c78b51fecc2e1f7103be16bc20f562ab3d85861
SHA256

6af109fc0adbf4d70eb2559299b138f2ff0987bc441b80ea1f18879540ac4638
SHA512

d102f7a4e8d71f60155497d19877658bff64ef44d5c22ecfbf08245ec36cb1029ac7d763e0b070e97dc7833048961cc31a0b884deaa9188c6c33fcf125dd14f5
SSDEEP

3072:MbPBwvnmkQ51yEEIUiuq7s1j2UHRK9mMzj3t5UM6aVdbVryTk+:8wvygEEIUtMcj2uqLzCY52T

Score

10^/10

raccoon smokeloader backdoor collection evasion spyware stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20231130-en

smokeloader backdoor trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20231127-en

raccoon smokeloader backdoor collection evasion spyware stealer themida trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

rc4.i32

rc4.i32

Targets

- Target
  
  file.exe
- Size
  
  290KB
- MD5
  
  c4a6d45c1681adc54d23963e22792cd2
- SHA1
  
  3c78b51fecc2e1f7103be16bc20f562ab3d85861
- SHA256
  
  6af109fc0adbf4d70eb2559299b138f2ff0987bc441b80ea1f18879540ac4638
- SHA512
  
  d102f7a4e8d71f60155497d19877658bff64ef44d5c22ecfbf08245ec36cb1029ac7d763e0b070e97dc7833048961cc31a0b884deaa9188c6c33fcf125dd14f5
- SSDEEP
  
  3072:MbPBwvnmkQ51yEEIUiuq7s1j2UHRK9mMzj3t5UM6aVdbVryTk+:8wvygEEIUtMcj2uqLzCY52T
Score

10^/10

smokeloader backdoor trojan raccoon collection evasion spyware stealer themida
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V2 payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Email Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

raccoonsmokeloaderbackdoorcollectionevasionspywarestealerthemidatrojan

© 2018-2024

Terms | Privacy