MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 5 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df
SHA3-384 hash: 856e2c8f7c690c16477a7114bb16147f6204c52a356c26bca3bf69894ff6b582050300950d6a581b88a17c7823dc80d5
SHA1 hash: fe2dd09f8cc1ab4efabae2456d3d485f3b17ef6a
MD5 hash: c553fba557e7aa0974b59f921ceba201
humanhash: victor-mike-chicken-fifteen
File name:1B18CE7B513855676EF76C17FCF6B6D492F20E197FAE1.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:766'353 bytes
First seen:2021-10-05 12:06:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 12288:woQ7Xar2BHs/EIzm/OwD7Hv78Aqg0CLE4xD95mG5izApeI55XCSZTtaN:wZ7Xar2VsBq/OQLqg3F95mjiPdptaN
Threatray 93 similar samples on MalwareBazaar
TLSH T1AEF47C33798644F2F47D13F067D58B3249EE2C7B2EE00A5667D83AB985B6360818D35B
File icon (PE):PE icon
dhash icon 8cc7aba5635383b3 (2 x RaccoonStealer, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.80/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.244.217.195:21588 https://threatfox.abuse.ch/ioc/230304/
http://194.180.174.80/ https://threatfox.abuse.ch/ioc/230436/
45.147.197.123:49301 https://threatfox.abuse.ch/ioc/230453/
195.133.18.154:32513 https://threatfox.abuse.ch/ioc/230454/
194.87.92.7:22033 https://threatfox.abuse.ch/ioc/230455/

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1B18CE7B513855676EF76C17FCF6B6D492F20E197FAE1.exe
Verdict:
Malicious activity
Analysis date:
2021-10-05 12:21:02 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/fe045d61-9fb1-4330-88d0-1753c41d4a85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195010/
Detection(s):
Win.Packed.Prepscram-9882054-1
Create hunting rule

SecuriteInfo.com.Generic.mg.7118444d587a1d65.31770.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed packed
Link:
https://www.filescan.io/uploads/615c3fe8e3d213d202b77bc0/reports/5fb7b42f-7abb-44e1-baf2-a683cf491089/overview
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff25d724-dda9-45b9-b8ac-ef082874a9b8
Result
Threat name:
Raccoon RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864745
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 497173 Sample: 1B18CE7B513855676EF76C17FCF... Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 79 208.95.112.1 TUT-ASUS United States 2->79 81 45.136.151.102 ENZUINC-US Latvia 2->81 107 Antivirus detection for URL or domain 2->107 109 Antivirus detection for dropped file 2->109 111 Antivirus / Scanner detection for submitted sample 2->111 113 13 other signatures 2->113 9 1B18CE7B513855676EF76C17FCF6B6D492F20E197FAE1.exe 11 2->9         started        signatures3 process4 file5 65 C:\Users\user\AppData\Local\...\update.exe, PE32 9->65 dropped 67 C:\Users\user\AppData\...\SetpMoonFile.exe, PE32 9->67 dropped 69 C:\Users\user\AppData\...\kunzhang-game.exe, PE32 9->69 dropped 12 update.exe 4 61 9->12         started        17 SetpMoonFile.exe 15 3 9->17         started        19 kunzhang-game.exe 2 9->19         started        process6 dnsIp7 97 37.0.10.171 WKD-ASIE Netherlands 12->97 99 37.0.10.214 WKD-ASIE Netherlands 12->99 105 10 other IPs or domains 12->105 71 C:\Users\...\zz90Lmhehk3mt8rzoctY4uE1.exe, PE32 12->71 dropped 73 C:\Users\...\mBjjv1lCOzbn0KDmNWaX0S49.exe, PE32+ 12->73 dropped 75 C:\Users\...\efAa5iw6IRXLfjz7ZOO1fpkZ.exe, PE32 12->75 dropped 77 22 other files (19 malicious) 12->77 dropped 141 Drops PE files to the document folder of the user 12->141 143 Creates HTML files with .exe extension (expired dropper behavior) 12->143 145 Disable Windows Defender real time protection (registry) 12->145 21 dLN8vG0JqDrqkfFxSCOsM1my.exe 12->21         started        26 zz90Lmhehk3mt8rzoctY4uE1.exe 12->26         started        28 eSHOnsTJuSHr_y8Wlu1QTDwp.exe 12->28         started        34 14 other processes 12->34 101 88.99.66.31 HETZNER-ASDE Germany 17->101 103 8.8.8.8 GOOGLEUS United States 17->103 147 Detected unpacking (changes PE section rights) 17->147 149 Detected unpacking (overwrites its own PE header) 17->149 30 kunzhang-game.exe 1 19->30         started        32 conhost.exe 19->32         started        file8 signatures9 process10 dnsIp11 83 149.154.167.99 TELEGRAMRU United Kingdom 21->83 85 45.133.1.182 DEDIPATH-LLCUS Netherlands 21->85 87 162.159.129.233 CLOUDFLARENETUS United States 21->87 49 C:\Users\...\iAeXXqhQNJKur7teIlOrvF32.exe, PE32 21->49 dropped 51 C:\Users\...\XUTJTSQdX9ITDLyCRBKvHrxJ.exe, PE32 21->51 dropped 53 C:\Users\user\AppData\...\Cube_WW14[1].bmp, PE32 21->53 dropped 61 2 other files (1 malicious) 21->61 dropped 119 Drops PE files to the document folder of the user 21->119 121 Contains functionality to inject code into remote processes 26->121 123 Injects a PE file into a foreign processes 26->123 36 zz90Lmhehk3mt8rzoctY4uE1.exe 26->36         started        125 Query firmware table information (likely to detect VMs) 28->125 127 Tries to detect sandboxes and other dynamic analysis tools (window names) 28->127 129 Hides threads from debuggers 28->129 131 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->131 39 conhost.exe 28->39         started        89 192.168.2.1 unknown unknown 30->89 41 WerFault.exe 20 9 30->41         started        43 conhost.exe 30->43         started        91 88.99.75.82 HETZNER-ASDE Germany 34->91 93 144.202.76.47 AS-CHOOPAUS United States 34->93 95 65.108.80.190 ALABANZA-BALTUS United States 34->95 55 C:\Program Files (x86)\...\inst002.exe, PE32 34->55 dropped 57 C:\Program Files (x86)\Company\...\cm3.exe, PE32+ 34->57 dropped 59 C:\Program Files (x86)\...\DownFlSetup999.exe, PE32 34->59 dropped 63 15 other files (none is malicious) 34->63 dropped 133 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->133 135 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 34->135 137 Tries to harvest and steal browser information (history, passwords, etc) 34->137 139 3 other signatures 34->139 45 conhost.exe 34->45         started        47 conhost.exe 34->47         started        file12 signatures13 process14 signatures15 115 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->115 117 Checks if the current machine is a virtual machine (disk enumeration) 36->117
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df/
Threat name:
ByteCode-MSIL.Trojan.ElysiumStealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 01:13:57 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmmm462rhbkwo3xxnql7z5vw2sjpedqzp6xbbehhek2d67276lpq._file
Verdict:
malicious
Similar samples:
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
RaccoonStealer
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
RaccoonStealer
401bbd8d6f3e957749b523d8e9477005eaa8c9ff20aea6c32bee59fdeaa2c766
RaccoonStealer
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
RaccoonStealer
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
RaccoonStealer
79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a
RaccoonStealer
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
RaccoonStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RaccoonStealer
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
RaccoonStealer
d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
RaccoonStealer
+ 83 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:987654345 botnet:ee26c90dee713d612f197e15111bd20545528a48 backdoor evasion infostealer spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/211005-pabknshfg9/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Arkei
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
188.227.87.46:51843
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Unpacked files
SH256 hash:
2ab43a91488dc69c564359a2ccc2fea98cd214addcbf97ac8abf764485f8373b
MD5 hash:
a470be1b9550bbaaabcafe5dc11d4e6f
SHA1 hash:
0dd8443853ccd0935d3e5511b8a3e0bf48b501d2
Link:
https://www.unpac.me/results/7fe991be-9192-446a-ad0a-b627d8848883/
SH256 hash:
adc3b45703d81ec3fa52c42e9788beed4eb6ba0a70bf0566960211c796d7cec9
MD5 hash:
f0c5c2f3ee8b8e26e6ca6d6b5bca1ba1
SHA1 hash:
2722a265424bf36b5072dbb3ff65df7b47e4e5fa
Link:
https://www.unpac.me/results/7fe991be-9192-446a-ad0a-b627d8848883/
SH256 hash:
1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df
MD5 hash:
c553fba557e7aa0974b59f921ceba201
SHA1 hash:
fe2dd09f8cc1ab4efabae2456d3d485f3b17ef6a
Link:
https://www.unpac.me/results/7fe991be-9192-446a-ad0a-b627d8848883/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195010/

Comments