MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 2 YARA 2 File information Comments

SHA256 hash:	0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f
SHA3-384 hash:	ca9d0581f3d7d76c74985f781310edb3af6b00f56f080f7ae495fc66dcedfa4e5a5b32ca9abf5d33c1fe098e9cf54fd8
SHA1 hash:	7b228125e631c037ec24e4cc175e4774fe6c67cd
MD5 hash:	582a63b29a17c25c0c2e13927151b68e
humanhash:	two-alanine-delaware-arkansas
File name:	0A7682C0607E0FCB3580D28AEC0E3439D6EAE0CDE1AB3.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'366'016 bytes
First seen:	2022-02-08 21:31:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	148d482ece6903c9871bc6044bd1df9b (1 x CoinMiner.XMRig, 1 x GCleaner, 1 x Tofsee)
ssdeep	12288:HtDgjQoQgNuMmT4EXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9L:NDgX0/sqjnhMgeiCl7G0nehbGZpbD
TLSH	T1955512A7B485C0B3E5A6193746A8FD28982FFD220B245DE337551C7B5BB01C08F3696B
File icon (PE):
dhash icon	aab292b2b2c8e0ae (1 x CoinMiner.XMRig, 1 x GCleaner, 1 x Tofsee)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
195.2.84.92:5328

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.2.84.92:5328	https://threatfox.abuse.ch/ioc/384295/
5.182.5.22:32245	https://threatfox.abuse.ch/ioc/384296/

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/238771/

Detection(s):

PUA.Win.Packer.Pequake-4

Win.Malware.Lazy-9918569-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Creating a window

Delayed reading of the file

Launching a process

Blocking the Windows Defender launch

Unauthorized injection to a recently created process

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6410/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

explorer.exe greyware virus virut

Link:

https://www.filescan.io/uploads/6202e1cec79b424d720918aa/reports/dbbd9b5a-1268-49dd-af5a-deb3e1a000ed/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Socelars

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/598f7e33-570b-4564-b25d-97917e30a283

Result

Threat name:

RedLine Socelars onlyLogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936428

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f/

Threat name:

Win32.Virus.Expiro

Status:

Malicious

First seen:

2022-01-03 14:35:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 43 (69.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bj3ifqdapyh4wnma2kfoydruhhlovygn4gvtgwmdebdpp4z43mhq._file

Verdict:

malicious

Label(s):

raccoon

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:onlylogger family:raccoon family:redline family:socelars family:xmrig botnet:1c0fad6805a0f65d7b597130eb9f089ffbe9857d botnet:@bradmcguire botnet:pot discovery evasion infostealer loader miner spyware stealer trojan

Link:

https://tria.ge/reports/220208-1dl2csfbc2/

Behaviour

Creates scheduled task(s)

Enumerates system info in registry

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

OnlyLogger Payload

Modifies Windows Defender Real-time Protection settings

OnlyLogger

Raccoon

RedLine

RedLine Payload

Socelars

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

xmrig

Malware Config

C2 Extraction:

http://www.mkpmc.com/
jainestaynor.xyz:80
91.243.59.167:44301
185.215.113.24:15994

Unpacked files

SH256 hash:

0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f

MD5 hash:

582a63b29a17c25c0c2e13927151b68e

SHA1 hash:

7b228125e631c037ec24e4cc175e4774fe6c67cd

Link:

https://www.unpac.me/results/b3c5c21d-c064-442e-a45e-7ff09f31e6f3/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_DLInjector06 Create hunting rule
Author:	ditekSHen
Description:	Detects downloader / injector

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/238771/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample