MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14ab6299436aa43e2d039e0fbc6147d6dd495410c9e3c175ec0ac6d82af855ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 11

SHA256 hash: 14ab6299436aa43e2d039e0fbc6147d6dd495410c9e3c175ec0ac6d82af855ca
SHA3-384 hash: 2acc3a9d951ac143eaddb7db4896e2f291cac5d2348b05220a525449b61c74c848a8ce075bdf15471016d575325c063e
SHA1 hash: eb89fd0c85c15299c0785f251ef0495814ec0899
MD5 hash: aa78c45f6e59bd71852b611786349324
humanhash: winter-whiskey-foxtrot-quebec
File name: AA78C45F6E59BD71852B611786349324.exe
Signature: RaccoonStealer
File size: 1'990'783 bytes
First seen: 2021-08-15 17:51:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:9gZTJnybQujEEZhLfTdCrQuQbLLaOLAuoo+nIfjLS:yZlngEEZhndCrQxLfVLS
Threatray: 355 similar samples on MalwareBazaar
TLSH: T19B9533833D28C477DB968AF67E3EA873DC98A51356B811C6274FAE3837251E73209351
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://185.163.45.248/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.163.45.248/
ThreatFox reference: https://threatfox.abuse.ch/ioc/188584/

Intelligence


File Origin
# of uploads: 1
# of downloads: 187
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: AA78C45F6E59BD71852B611786349324.exe
Verdict: No threats detected
Analysis date: 2021-08-15 18:00:30 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Metasploit Raccoon RedLine Socelars Vida
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Metasploit Payload
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph (graph rendering not reproduced; node data recovered from the graph export):
Behavior Graph ID: 465612, Sample: Xp2gIK4FAC.exe, Start date: 15/08/2021, Architecture: WINDOWS, Score: 100
Start node: contacts 208.95.112.1 (TUT-ASUS, United States), 45.153.230.19 (TEAM-HOSTASRU, Russian Federation) and 10 other IPs or domains; signatures: Antivirus detection for URL or domain, Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, 12 other signatures
- Xp2gIK4FAC.exe (started): contacts 192.168.2.1; drops C:\Users\user\AppData\...\setup_installer.exe (PE32)
  - setup_installer.exe (started): drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\...\libwinpthread-1.dll (PE32), C:\Users\user\AppData\...\libstdc++-6.dll (PE32), 3 other files (none is malicious)
    - setup_install.exe (started): contacts 104.21.47.76 (CLOUDFLARENETUS, United States), 127.0.0.1; drops C:\Users\user\AppData\...\cd9ed711254.exe (PE32), C:\Users\user\...\2eaca7cbe30dba52.exe (PE32), C:\Users\user\AppData\...\bc0f7de460834e5.exe (PE32), 4 other files (none is malicious); starts cmd.exe (x3) and 2 other processes
      - cmd.exe -> 2eaca7cbe30dba52.exe (started): contacts 37.0.10.236 and 37.0.11.8 (WKD-ASIE, Netherlands), 13 other IPs or domains; drops C:\Users\...\zgDmEWOvhKZBbJflr0zhn66v.exe (PE32), C:\Users\...\yDvWzUytLOGXiW7UHe2jD4iU.exe (PE32), C:\Users\...\x_xCm18E2LBth0hCdgSnYp6h.exe (PE32), 45 other files (37 malicious); signatures: Detected unpacking (creates a PE file in dynamic memory), Drops PE files to the document folder of the user, Creates HTML files with .exe extension (expired dropper behavior), Disable Windows Defender real time protection (registry)
      - cmd.exe -> cd9ed711254.exe (started): contacts 116.203.127.162 (HETZNER-ASDE, Germany), 74.114.154.18 (AUTOMATTICUS, Canada); drops C:\Users\user\AppData\Local\...\nss3[1].dll (PE32), C:\Users\user\AppData\...\msvcp140[1].dll (PE32), C:\Users\user\AppData\...\softokn3[1].dll (PE32), 9 other files (none is malicious); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc), 2 other signatures
      - cmd.exe -> 8e122c389911.exe (started)
Threat name: Win32.Trojan.Chapak
Status: Malicious
First seen: 2021-08-12 22:49:15 UTC
AV detection: 26 of 46 (56.52%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:15_08_alt botnet:706 botnet:7new aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: RedLine
Author: @bartblaze
Description: Identifies RedLine stealer.
Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: RedOctoberPluginCollectInfo
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: UroburosVirtualBoxDriver
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments