MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
SHA3-384 hash: 16025ce745cb4bebfad33ef8d61007a942a0eca6b2fdd88c3191b5ba29ea6e069e52c54b5b72133a8819b6132f9a6697
SHA1 hash: a64e6493828aecb49bcbe66a0f27f2f0264970a8
MD5 hash: ef87292437102675a87732ba36caa664
humanhash: fanta-jersey-eleven-oregon
File name:EF87292437102675A87732BA36CAA664.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'028'608 bytes
First seen:2021-09-02 19:06:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d829f266aa146de717eb87c227ada96a (2 x DiamondFox, 2 x RaccoonStealer, 1 x Adware.FileTour)
ssdeep 12288:Fms03Pohy2krjuOmU9RtyncxQRhJJzhoqgH5sB4dxHGOV:F/+PYcz9RhQRh9B4dT
Threatray 331 similar samples on MalwareBazaar
TLSH T185257C10A3D85A26D6FE1370F0B4092946F5BE317B72E78F9644B4AD1E73BC298107A7
dhash icon f0d8b06969e0e8f0 (3 x DiamondFox, 2 x RaccoonStealer, 2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.221/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.221/ https://threatfox.abuse.ch/ioc/213378/

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Your+File+is+Ready+for+Download.rar
Verdict:
Malicious activity
Analysis date:
2021-08-28 02:23:40 UTC
Tags:
evasion opendir loader trojan rat redline stealer vidar
Link:
https://app.any.run/tasks/986b2fe7-9c6c-478c-8e6c-0582fb3c2359

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184955/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.2034.11552.18845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Delayed reading of the file
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Launching a process
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59b9b9bd-fa75-41d5-bff2-28cfeb56ebfa
Result
Threat name:
Glupteba Metasploit Raccoon RedLine Vida
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844287
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476714 Sample: kWhElUg959.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 54 88.99.66.31 HETZNER-ASDE Germany 2->54 56 142.250.203.110 GOOGLEUS United States 2->56 58 7 other IPs or domains 2->58 76 Antivirus detection for URL or domain 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 14 other signatures 2->82 8 kWhElUg959.exe 4 60 2->8         started        signatures3 process4 dnsIp5 60 37.0.10.214 WKD-ASIE Netherlands 8->60 62 37.0.10.237 WKD-ASIE Netherlands 8->62 64 10 other IPs or domains 8->64 30 C:\Users\...\xHXlBCYzYlMhjwBvW8M9B6ab.exe, PE32 8->30 dropped 32 C:\Users\...\wsF00G7Gw6q0HDZwtevFjtGA.exe, PE32 8->32 dropped 34 C:\Users\...\wbdHmW89B4yPHZEhk9FB8Lz1.exe, PE32 8->34 dropped 36 38 other files (18 malicious) 8->36 dropped 84 Drops PE files to the document folder of the user 8->84 86 Creates HTML files with .exe extension (expired dropper behavior) 8->86 88 Disable Windows Defender real time protection (registry) 8->88 13 MghHi3tV1V1vIw1UPNiEOuMH.exe 8->13         started        18 fteg86JP3ygXRT5P0aF7ZOH0.exe 8->18         started        20 wbdHmW89B4yPHZEhk9FB8Lz1.exe 8->20         started        22 15 other processes 8->22 file6 signatures7 process8 dnsIp9 66 5.181.156.221 MIVOCLOUDMD Moldova Republic of 13->66 68 195.201.225.248 HETZNER-ASDE Germany 13->68 38 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 13->38 dropped 40 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->40 dropped 42 C:\Users\user\AppData\...\ucrtbase.dll, PE32 13->42 dropped 50 56 other files (none is malicious) 13->50 dropped 90 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->90 92 Tries to steal Mail credentials (via file access) 13->92 94 Tries to harvest and steal browser information (history, passwords, etc) 13->94 96 Tries to detect virtualization through RDTSC time measurements 13->96 98 Query firmware table information (likely to detect VMs) 18->98 100 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->100 110 2 other signatures 18->110 102 Writes to foreign memory regions 20->102 112 3 other signatures 20->112 70 208.95.112.1 TUT-ASUS United States 22->70 72 149.154.167.99 TELEGRAMRU United Kingdom 22->72 74 5 other IPs or domains 22->74 44 C:\Users\...\J77cmUgJX0OQi4nZtiqUPG2L.exe, PE32 22->44 dropped 46 C:\...\PowerControl_Svc.exe, PE32 22->46 dropped 48 C:\Users\user\AppData\Roaming\8945152.exe, PE32 22->48 dropped 52 18 other files (none is malicious) 22->52 dropped 104 Detected unpacking (changes PE section rights) 22->104 106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->106 108 Drops PE files to the document folder of the user 22->108 114 3 other signatures 22->114 24 conhost.exe 22->24         started        26 conhost.exe 22->26         started        28 conhost.exe 22->28         started        file10 signatures11 process12
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 00:58:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgw3n7kpxs4p42adh7zlyo4myrnzqdcxh56frprjcob5lok5nzaq._file
Verdict:
malicious
Similar samples:
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
RaccoonStealer
20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1
RaccoonStealer
68d83afa2dc4272e54c4ebb1ab8981e7f00442dfe6e66c8b7299c30a230be997
RaccoonStealer
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
RaccoonStealer
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
RaccoonStealer
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
RaccoonStealer
+ 321 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:vidar botnet:02_09_fat botnet:1 botnet:7ec37c4e52b45215a7a83ab1f127b87c27384d9a botnet:937 botnet:norman3 botnet:test backdoor dropper evasion infostealer loader stealer themida trojan
Link:
https://tria.ge/reports/210902-xsmpnabea4/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
185.215.113.104:18754
45.14.49.169:22411
37.0.8.88:44263
45.14.49.184:28743
https://romkaxarit.tumblr.com/
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Unpacked files
SH256 hash:
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
MD5 hash:
ef87292437102675a87732ba36caa664
SHA1 hash:
a64e6493828aecb49bcbe66a0f27f2f0264970a8
Link:
https://www.unpac.me/results/b6ae61f0-0d13-41f4-8a04-87c97f64cece/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184955/

Comments