MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06a230f0ab409f9d41e63698b35f0bed4dad07bf3063caa97101c122474c5260. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06a230f0ab409f9d41e63698b35f0bed4dad07bf3063caa97101c122474c5260
SHA3-384 hash: e6f11d621fe6f0cdd6d123bb57adae730becd101ea70980b26a5e88142844f7eccacafd8ad683477848086ae970c3278
SHA1 hash: 65d66ed6249dd6fc2842ca07f06e0a860a47a5ef
MD5 hash: aff946bab64dfc32582a77f9cb0a6923
humanhash: mississippi-alaska-item-oxygen
File name:aff946bab64dfc32582a77f9cb0a6923.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:247'296 bytes
First seen:2021-10-06 20:30:26 UTC
Last seen:2021-10-06 21:57:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7a97aff935fd5f902aa97ce23e1da74 (5 x RaccoonStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 3072:MhG3CiG/txhEzDX42nLwO+qm+nIWBvapaZkIaeyrESIO81Yl0zl19pwoJpZ:MhGMzKf42nLwXi5ByqjSn0zl19pDJf
Threatray 4'845 similar samples on MalwareBazaar
TLSH T198349E1131D3CAF1E67356307A61C6E48B2ABD697A32704B3BD4261F1E3D6E18E66307
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.47.232/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.232/ https://threatfox.abuse.ch/ioc/231118/

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aff946bab64dfc32582a77f9cb0a6923.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-06 20:35:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0999a086-7c08-4b32-b75c-1c81e994d7c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195546/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.28900.28881.24554.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d1507c7-98da-4d79-a4b6-3e2b39c31a59
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865867
Signature
.NET source code contains very large array initializations
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 498295 Sample: 2H69p1kjC4.exe Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 93 microsoft-com.mail.protection.outlook.com 40.93.207.1, 25, 49856 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->93 95 defeatwax.ru 193.56.146.188, 443, 49857 LVLT-10753US unknown 2->95 97 4 other IPs or domains 2->97 137 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->137 139 System process connects to network (likely due to code injection or exploit) 2->139 141 Multi AV Scanner detection for submitted file 2->141 143 16 other signatures 2->143 11 2H69p1kjC4.exe 2->11         started        14 tbhutgv 2->14         started        16 svchost.exe 1 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 161 Detected unpacking (changes PE section rights) 11->161 163 Contains functionality to inject code into remote processes 11->163 165 Injects a PE file into a foreign processes 11->165 20 2H69p1kjC4.exe 11->20         started        23 tbhutgv 14->23         started        process6 signatures7 145 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->145 147 Maps a DLL or memory area into another process 20->147 149 Checks if the current machine is a virtual machine (disk enumeration) 20->149 151 Creates a thread in another existing process (thread injection) 20->151 25 explorer.exe 18 20->25 injected process8 dnsIp9 99 193.56.146.41, 49803, 9080 LVLT-10753US unknown 25->99 101 privacy-toolz-for-you-3000.top 94.142.140.28, 49786, 49787, 49788 IHOR-ASRU Russian Federation 25->101 103 3 other IPs or domains 25->103 65 C:\Users\user\AppData\Roaming\tbhutgv, PE32 25->65 dropped 67 C:\Users\user\AppData\Local\Temp\4908.exe, PE32 25->67 dropped 69 C:\Users\user\AppData\Local\Temp\42C5.exe, PE32 25->69 dropped 71 7 other files (5 malicious) 25->71 dropped 167 System process connects to network (likely due to code injection or exploit) 25->167 169 Benign windows process drops PE files 25->169 171 Deletes itself after installation 25->171 173 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->173 30 4908.exe 25->30         started        35 1DA7.exe 25->35         started        37 2917.exe 2 25->37         started        39 4 other processes 25->39 file10 signatures11 process12 dnsIp13 105 91.219.236.103, 49854, 80 SERVERASTRA-ASHU Hungary 30->105 107 teletop.top 172.67.176.216, 49853, 80 CLOUDFLARENETUS United States 30->107 75 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 30->75 dropped 77 C:\Users\user\AppData\...\vcruntime140.dll, PE32 30->77 dropped 79 C:\Users\user\AppData\...\ucrtbase.dll, PE32 30->79 dropped 89 56 other files (none is malicious) 30->89 dropped 115 Detected unpacking (changes PE section rights) 30->115 117 Detected unpacking (overwrites its own PE header) 30->117 119 Tries to steal Mail credentials (via file access) 30->119 121 Tries to harvest and steal browser information (history, passwords, etc) 30->121 123 Injects a PE file into a foreign processes 35->123 41 1DA7.exe 35->41         started        81 C:\Users\user\AppData\Local\...\iugoozow.exe, PE32 37->81 dropped 125 Uses netsh to modify the Windows network and firewall settings 37->125 127 Modifies the windows firewall 37->127 44 cmd.exe 37->44         started        47 cmd.exe 37->47         started        49 sc.exe 37->49         started        109 190.2.145.108, 12608, 49885 WORLDSTREAMNL Curacao 39->109 111 mas.to 88.99.75.82, 443, 49845, 49863 HETZNER-ASDE Germany 39->111 113 65.108.80.190, 49852, 49864, 80 ALABANZA-BALTUS United States 39->113 83 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 39->83 dropped 85 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 39->85 dropped 87 C:\Users\user\AppData\...\mozglue[1].dll, PE32 39->87 dropped 91 9 other files (none is malicious) 39->91 dropped 129 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->129 131 Query firmware table information (likely to detect VMs) 39->131 133 Tries to detect sandboxes and other dynamic analysis tools (window names) 39->133 135 3 other signatures 39->135 51 247E.exe 2 39->51         started        53 conhost.exe 39->53         started        55 conhost.exe 39->55         started        57 2 other processes 39->57 file14 signatures15 process16 file17 153 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->153 155 Maps a DLL or memory area into another process 41->155 157 Checks if the current machine is a virtual machine (disk enumeration) 41->157 159 Creates a thread in another existing process (thread injection) 41->159 73 C:\Windows\SysWOW64\...\iugoozow.exe (copy), PE32 44->73 dropped 59 conhost.exe 44->59         started        61 conhost.exe 47->61         started        63 conhost.exe 49->63         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06a230f0ab409f9d41e63698b35f0bed4dad07bf3063caa97101c122474c5260/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 20:31:07 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2rdb4flicpz2qpgg2mlgxyl5vg22b57gbr4vklrahaser2mkjqa._file
Verdict:
malicious
Similar samples:
02aade8f11ebeb13f9072de70ca49a6f83aa1c23b1bafe8978b5681dab12282c
RaccoonStealer
04a77c819d0028948adb252dee0fec6618bf66c079086b9993267ddb7b1d70a6
RaccoonStealer
2b1b66d7ab2022d41004937b8ea3d9f375364347b4f51d9d14bddc314296a1c5
RaccoonStealer
44e29e5cd002e8d4d4f13432847f38fa79a1667b5fdef9b9f316c3501f3bb480
RaccoonStealer
938029b6b522bdd22cbba8cfb88a1d97d0fbc264d1d7a5ded22a4924a15e6161
RaccoonStealer
a1b29584402503925406ceeb5be6a463eea7755f401e3a2c8f82ae3897e3820a
RaccoonStealer
abcd86df71b0dcd29c9fd43c17efc16763dadecac5e071d588ba6c409e536e56
RaccoonStealer
f2edf69ca64bb435d61ded2c3ca210d1bd19952c19275b7bd65d0d707fedadaa
RaccoonStealer
f74d7500782ca945d3296cd4fcf19af60b7035ff65d646c64b0c8761e38ea193
RaccoonStealer
fab15b7f61f816cf3128cc02c96d98d3385533087bc5afe3cd3799e7e034ce7f
RaccoonStealer
+ 4'835 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:2ea41939378a473cbe7002fd507389778c0f10e7 botnet:777 botnet:800 botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/211006-zaqppsbef4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
93.115.20.139:28978
87.251.71.44:80
Unpacked files
SH256 hash:
592b089027938156e18387e4402b965a5f1ffc25e96d7efc3aa9331254587bdd
MD5 hash:
2dbb1eb8c40c88994738a736ad55c79b
SHA1 hash:
88e2fc9242606c7dfcd68d5da8c6d457837157a3
Link:
https://www.unpac.me/results/493d982b-147d-4759-a538-1ce2b7566d15/
SH256 hash:
06a230f0ab409f9d41e63698b35f0bed4dad07bf3063caa97101c122474c5260
MD5 hash:
aff946bab64dfc32582a77f9cb0a6923
SHA1 hash:
65d66ed6249dd6fc2842ca07f06e0a860a47a5ef
Link:
https://www.unpac.me/results/493d982b-147d-4759-a538-1ce2b7566d15/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/06a230f0ab40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06a230f0ab409f9d41e63698b35f0bed4dad07bf3063caa97101c122474c5260

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 06a230f0ab409f9d41e63698b35f0bed4dad07bf3063caa97101c122474c5260

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1653238/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195546/

Comments