Malware Analysis Report

2025-04-14 08:09

Sample ID 250320-qsrv2stwcx
Target 2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader
SHA256 4eb1537b1b1fac89e3a5b1c40b80500a6385e3a3601ec903971d88fa00740232
Tags
raccoon e593428d572f64087cbbaacf2f970ff1f26a86b7 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4eb1537b1b1fac89e3a5b1c40b80500a6385e3a3601ec903971d88fa00740232

Threat Level: Known bad

The file 2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader was found to be: Known bad.

Malicious Activity Summary

raccoon e593428d572f64087cbbaacf2f970ff1f26a86b7 discovery stealer

Raccoon

Raccoon Stealer V1 payload

Raccoon family

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-20 13:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 13:31

Reported

2025-03-20 13:34

Platform

win7-20240903-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 tcp
US 199.59.243.228:443 tcp

Files

memory/2328-1-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2328-2-0x0000000000A10000-0x0000000000AA3000-memory.dmp

memory/2328-3-0x0000000000400000-0x0000000000495000-memory.dmp

memory/2328-4-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2328-5-0x0000000000A10000-0x0000000000AA3000-memory.dmp

memory/2328-7-0x0000000000400000-0x0000000000495000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-20 13:31

Reported

2025-03-20 13:34

Platform

win10v2004-20250314-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe"

Signatures

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-03-20_a6ee68a3af1a97be5140f8bbe8e1951f_amadey_rhadamanthys_sakula_smoke-loader.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp

Files

memory/452-1-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

memory/452-2-0x0000000002830000-0x00000000028C3000-memory.dmp

memory/452-3-0x0000000000400000-0x0000000000495000-memory.dmp

memory/452-4-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

memory/452-6-0x0000000002830000-0x00000000028C3000-memory.dmp

memory/452-7-0x0000000000400000-0x0000000000495000-memory.dmp