MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a
SHA3-384 hash: c91ed1a7d5d655ada09e367acd308c9d191a40af6ac7d44554fefeceb11980be5f7c6a0f062175c8b061588cfc9ff1f1
SHA1 hash: 310d993f9fbe7fb9cf3892220d980e08eb5e6286
MD5 hash: 5ae3b69c31fe729ac672ba483280f16d
humanhash: west-arizona-illinois-butter
File name:5ae3b69c31fe729ac672ba483280f16d.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:345'088 bytes
First seen:2021-10-29 18:01:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5243e0b7a8cb0f582099146f832c26e4 (4 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 6144:Y5uWaxsOBlJyeq8PStBStFgykET6+lWx:QvRO8R8PStBS4ykETW
Threatray 5'267 similar samples on MalwareBazaar
TLSH T155748D00BAA1C434F5B212F849BA93A9B93F7EB16B3850CB13D516ED5674AE0EC31357
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.181/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.181/ https://threatfox.abuse.ch/ioc/239344/

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ae3b69c31fe729ac672ba483280f16d.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-29 18:09:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0360dbd6-8020-479c-8b25-2fe0d4e52765

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab70ff34-4c88-4803-8736-5d549b152fbc
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879500
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Early bird code injection technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511932 Sample: cnv622JnZv.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 65 znpst.top 2->65 67 nusurtal4f.net 2->67 91 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Antivirus detection for URL or domain 2->95 97 13 other signatures 2->97 11 cnv622JnZv.exe 2->11         started        13 jejhieg 2->13         started        signatures3 process4 signatures5 16 cnv622JnZv.exe 11->16         started        141 Machine Learning detection for dropped file 13->141 19 jejhieg 13->19         started        process6 signatures7 83 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->83 85 Maps a DLL or memory area into another process 16->85 87 Checks if the current machine is a virtual machine (disk enumeration) 16->87 89 Creates a thread in another existing process (thread injection) 16->89 21 explorer.exe 14 16->21 injected process8 dnsIp9 69 216.128.137.31, 80 AS-CHOOPAUS United States 21->69 71 sysaheu90.top 185.98.87.159, 49756, 49757, 49758 VM-HOSTINGRU Russian Federation 21->71 73 3 other IPs or domains 21->73 47 C:\Users\user\AppData\Roaming\jejhieg, PE32 21->47 dropped 49 C:\Users\user\AppData\Roaming\bejhieg, PE32 21->49 dropped 51 C:\Users\user\AppData\Local\Temp\C5EA.exe, PE32 21->51 dropped 53 9 other files (8 malicious) 21->53 dropped 99 System process connects to network (likely due to code injection or exploit) 21->99 101 Benign windows process drops PE files 21->101 103 Deletes itself after installation 21->103 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->105 26 8615.exe 1 21->26         started        30 66A4.exe 21 6 21->30         started        33 C5EA.exe 21->33         started        35 5 other processes 21->35 file10 signatures11 process12 dnsIp13 55 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 26->55 dropped 115 Multi AV Scanner detection for dropped file 26->115 117 DLL reload attack detected 26->117 119 Detected unpacking (changes PE section rights) 26->119 137 5 other signatures 26->137 75 cdn.discordapp.com 162.159.130.233, 443, 49804, 49805 CLOUDFLARENETUS United States 30->75 57 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 30->57 dropped 121 Machine Learning detection for dropped file 30->121 123 Writes to foreign memory regions 30->123 139 3 other signatures 30->139 37 AdvancedRun.exe 1 30->37         started        125 Contains functionality to inject code into remote processes 33->125 127 Injects a PE file into a foreign processes 33->127 39 C5EA.exe 33->39         started        77 91.219.236.97, 49847, 80 SERVERASTRA-ASHU Hungary 35->77 79 93.115.20.139, 28978, 49842 MVPShttpswwwmvpsnetEU Romania 35->79 81 4 other IPs or domains 35->81 59 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 35->59 dropped 61 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 35->61 dropped 129 Antivirus detection for dropped file 35->129 131 Detected unpacking (overwrites its own PE header) 35->131 133 Early bird code injection technique detected 35->133 135 Queues an APC in another process (thread injection) 35->135 42 977B.exe 35->42         started        file14 signatures15 process16 file17 45 AdvancedRun.exe 37->45         started        107 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->107 109 Maps a DLL or memory area into another process 39->109 111 Checks if the current machine is a virtual machine (disk enumeration) 39->111 113 Creates a thread in another existing process (thread injection) 39->113 63 C:\Users\user\AppData\Local\...\sqtvvs.exe, PE32 42->63 dropped signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 18:02:09 UTC
AV detection:
20 of 44 (45.45%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=amzepjv2dtifipzhqv73m5b6c365fgim5io7hxhjhzaddsaenuna._file
Verdict:
malicious
Similar samples:
555fd11933a1bb3a71714e1c234cdeaf7ea3c614f24eebec3786fb61cb3b5b5e
RaccoonStealer
562207163defcad653f4332b78ae7b6a9ff9c06b5be005e7f7da30420e788c53
RaccoonStealer
669f274f18e59c1600104f77e4622c96b5eb3cc0add18625103346ce9177ea9c
RaccoonStealer
bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
RaccoonStealer
f3fc38ead9aae7ffdb533c056bcc93f6db5cbf153ac9cd8673945535288af947
RaccoonStealer
+ 5'257 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:raccoon family:redline family:smokeloader family:vidar botnet:68e2d75238f7c69859792d206401b6bde2b2515c botnet:754 botnet:936 botnet:999888988 botnet:9b47742e621d3b0f1b0b79db6ed26e2c33328c05 agilenet backdoor collection discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/211029-wme7ysdgf6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Amadey
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
93.115.20.139:28978
https://mas.to/@lilocc
185.215.113.45/g4MbvE/index.php
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/cbf61e41-85db-4d35-b475-a38fabd2319f/
SH256 hash:
033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a
MD5 hash:
5ae3b69c31fe729ac672ba483280f16d
SHA1 hash:
310d993f9fbe7fb9cf3892220d980e08eb5e6286
Link:
https://www.unpac.me/results/cbf61e41-85db-4d35-b475-a38fabd2319f/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/033247a6ba1c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download

Comments