MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10589c1fb2cba252e2abf20c365feabceaf207d24f122cbaa029c3db6bba13d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	10589c1fb2cba252e2abf20c365feabceaf207d24f122cbaa029c3db6bba13d1
SHA3-384 hash:	5bd57129763b83c3b3316bbd7596a525fd5d8cb9344788da12979321b38fa4a9d0aa6579ae5c1b65a083f06062dce7b2
SHA1 hash:	d965ad3bb02e9f65ec23a2b9207bd00325b26660
MD5 hash:	95ef4cceac9deede7ab9587a8babc5ff
humanhash:	fanta-mexico-apart-mango
File name:	95EF4CCEAC9DEEDE7AB9587A8BABC5FF.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'028'096 bytes
First seen:	2021-08-30 03:01:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d829f266aa146de717eb87c227ada96a (2 x DiamondFox, 2 x RaccoonStealer, 1 x Adware.FileTour)
ssdeep	12288:8ULdWAyrIhjuOm8oRtyncxQRhJJzhoqgH5sB4dxHGZ:8GdJrPoRhQRh9B4dE
Threatray	42 similar samples on MalwareBazaar
TLSH	T172257D10A3D89A26D6EE1370F0B4092946F5FE317B72E78F9644B4AD1E73BC198107A7
dhash icon	f0d8b06969e0e8f0 (3 x DiamondFox, 2 x RaccoonStealer, 2 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://5.181.156.252/	https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6128ac938859c_Main-lnstall-v8.1.zip

Verdict:

Malicious activity

Analysis date:

2021-08-27 09:15:44 UTC

Tags:

trojan evasion rat redline stealer vidar loader

Link:

https://app.any.run/tasks/6f9bb4de-00f2-43eb-8be4-2c89a1c956d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/183371/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending an HTTP GET request

DNS request

Sending a custom TCP request

Sending a UDP request

Creating a file

Deleting a recently created file

Reading critical registry keys

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Searching for the window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Launching cmd.exe command interpreter

Blocking the Windows Defender launch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Malware family:

Glupteba

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/46925eff-a7ab-4803-ba20-899a867569bd

Result

Threat name:

Glupteba Metasploit RedLine SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/841212

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Antivirus detection for URL or domain

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Creates processes via WMI

Detected unpacking (changes PE section rights)

Disable Windows Defender real time protection (registry)

Drops PE files to the document folder of the user

Found C&C like URL pattern

Found Tor onion address

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

May modify the system service descriptor table (often done to hook functions)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sigma detected: Copying Sensitive Files with Credential Data

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Glupteba

Yara detected Metasploit Payload

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/10589c1fb2cba252e2abf20c365feabceaf207d24f122cbaa029c3db6bba13d1/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-30 03:02:07 UTC

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cbmjyh5szorffyvl6igdmx7kxtvpeb6sj4jczovafhb5w252cpiq._file

Verdict:

suspicious

RaccoonStealer

1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031

RaccoonStealer

1cf6570844a3a440ad731d0c72ed9bd8369f2cfb44243a952942f91097767776

RaccoonStealer

2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0

RaccoonStealer

4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c

RaccoonStealer

56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482

RaccoonStealer

59babf45239a61449061a606bd3f578c3caf0d604c1b9db4504e74582c6a4d30

RaccoonStealer

ba15a8b7d1ecc6348ee4806b0903afdf5917a595a909ce529e85cacd197c6e77

RaccoonStealer

bda2b27d917dc919d2df7f2768a5d20f4f554e6f0eeb687f5ac45b53aecbb2f3

RaccoonStealer

fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c

RaccoonStealer

+ 32 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:vidar botnet:292.08 botnet:6e76410dbdf2085ebcf2777560bd8cb0790329c9 botnet:build1 botnet:norman backdoor dropper evasion infostealer loader stealer themida trojan

Link:

https://tria.ge/reports/210830-rkzlb1nqdx/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Glupteba

Glupteba Payload

MetaSploit

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

Raccoon

RedLine

RedLine Payload

SmokeLoader

Vidar

Malware Config

C2 Extraction:

205.185.119.191:18846
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
65.108.48.203:48896
95.181.152.47:15089
45.14.49.184:25321

Unpacked files

SH256 hash:

10589c1fb2cba252e2abf20c365feabceaf207d24f122cbaa029c3db6bba13d1

MD5 hash:

95ef4cceac9deede7ab9587a8babc5ff

SHA1 hash:

d965ad3bb02e9f65ec23a2b9207bd00325b26660

Link:

https://www.unpac.me/results/bf2cceab-e45e-4e30-a341-c403ba568b44/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10589c1fb2cba252e2abf20c365feabceaf207d24f122cbaa029c3db6bba13d1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/183371/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample