MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 244e43b042445635b9311f0a575a30bf27644ec34e5fc7085447f09859c7d968. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 12

SHA256 hash: 244e43b042445635b9311f0a575a30bf27644ec34e5fc7085447f09859c7d968
SHA3-384 hash: 3d98cf68e9a6bdc1c7c7b920d0f4074bb8d8614c0e51a5d24e24f07894eaa53259477a30b367353d7f884b8fed040034
SHA1 hash: 0bbd2356f940693922fbdea90e56295c153e9a20
MD5 hash: 236ca8b4f80b283513cb59ea19f5c343
humanhash: yankee-carbon-bacon-glucose
File name: 236CA8B4F80B283513CB59EA19F5C343.exe
Signature: RaccoonStealer
File size: 2'890'240 bytes
First seen: 2021-07-18 09:00:17 UTC
Last seen: 2021-07-18 09:34:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 49152:i1jg5zS/ivRdDEbGc25Hcijo7ah6wjL+1XkpN3vYpTFn/V5HfIRTwcMvjYBF7N9v:Fy8Li6RETFnN5A1PUj27N
Threatray: 1'764 similar samples on MalwareBazaar
TLSH: T196D5CF22B832CB17696ACEDF5FB077E345783FBC9892C98632653386950165BB21C347
Reporter: abuse_ch
Tags: exe RaccoonStealer
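The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, which is what you see when the hash covers a common loader or packer stub rather than the payload it unpacks. The following is an added example (not pefile's or MalwareBazaar's code) that computes an import hash the way pefile and VirusTotal define it and groups samples by it. The import tables are constructed; the ordinal-to-name table is a small hand-written subset of pefile's and is an assumption of this example.

```python
"""Added example: compute a PE import hash (imphash) from an import table and
cluster samples by it. Import tables below are constructed, not parsed from files.
"""
import hashlib
from collections import defaultdict

# pefile resolves ordinal-only imports for a few DLLs to names before hashing.
# Small, hand-written subset of that table (assumed here, not copied from pefile).
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               23: "socket", 115: "WSAStartup", 116: "WSACleanup"},
}


def imphash(imports):
    """imports: sequence of (dll, function) in import-table order; function is a
    name (str) or an ordinal (int). Algorithm: lower-case the DLL, strip a
    .dll/.ocx/.sys extension, join 'dll.func' entries with commas, MD5 the string."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        if isinstance(func, int):
            name = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        else:
            name = func
        parts.append(f"{lib}.{name.lower()}")
    if not parts:
        return ""  # pefile returns an empty string for a PE with no imports
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """samples: {name: imports}. Returns {imphash: sorted names}, so samples sharing
    a loader stub land in one bucket regardless of what that stub unpacks."""
    buckets = defaultdict(list)
    for name, imports in samples.items():
        buckets[imphash(imports)].append(name)
    return {h: sorted(names) for h, names in buckets.items()}


# Constructed import tables. STUB_A and STUB_B differ only in casing and extension
# spelling, so they hash identically; STUB_C imports the same functions in a
# different order, which changes the hash.
STUB_A = [("KERNEL32.DLL", "GetProcAddress"), ("KERNEL32.DLL", "LoadLibraryA"),
          ("KERNEL32.DLL", "VirtualAlloc"), ("WS2_32.DLL", 23)]
STUB_B = [("kernel32", "getprocaddress"), ("Kernel32.dll", "LoadLibraryA"),
          ("kernel32.DLL", "virtualalloc"), ("ws2_32.dll", "socket")]
STUB_C = [("KERNEL32.DLL", "LoadLibraryA"), ("KERNEL32.DLL", "GetProcAddress"),
          ("KERNEL32.DLL", "VirtualAlloc"), ("WS2_32.DLL", 23)]

SAMPLES = {"sample_1": STUB_A, "sample_2": STUB_B, "sample_3": STUB_C}

if __name__ == "__main__":
    for h, names in cluster_by_imphash(SAMPLES).items():
        print(h, names)
```

Because the hash is order-sensitive and ignores everything but DLL and function names, it is a good pivot for finding other builds of the same loader, and a poor one for telling families apart once they share a packer.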


abuse_ch
RaccoonStealer C2:
http://wymesc72.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://wymesc72.top/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/160942/

IOC: http://morjed07.top/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/160943/
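A practical use of this IOC list is to sweep proxy logs for it. The following is an added example (not MalwareBazaar's or ThreatFox's code): the two ThreatFox URLs above and the two hosts reported under "C2 Extraction" further down are copied from this entry; the log lines and their field layout are constructed for the example.

```python
"""Added example: hunt this entry's C2 indicators in proxy log lines.
IOC values are from the page; the log lines and their format are constructed.
"""
from urllib.parse import urlsplit

IOC_URLS = [
    "http://wymesc72.top/index.php",
    "http://morjed07.top/index.php",
]
IOC_HOSTS = [
    "a343345.me",
    "akedauiver.xyz:80",
]

# Constructed proxy log, one request per line: "timestamp client method url status".
SAMPLE_LOG = [
    "2021-07-18T09:01:02Z 10.0.0.5 POST http://wymesc72.top/index.php 200",
    "2021-07-18T09:01:05Z 10.0.0.5 GET http://www.example.com/ 200",
    "2021-07-18T09:02:10Z 10.0.0.7 CONNECT akedauiver.xyz:443 200",
    "2021-07-18T09:02:11Z 10.0.0.7 GET http://A343345.me/gate.php 404",
    "2021-07-18T09:03:00Z 10.0.0.9 GET http://ip-api.com/json 200",
]


def normalize_host(value: str) -> str:
    """Lower-case a host and drop a ':port' suffix so 'akedauiver.xyz:80' and
    'akedauiver.xyz:443' both reduce to 'akedauiver.xyz'. IPv6 literals are not handled."""
    host = value.strip().lower().rstrip(".")
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_of(target: str) -> str:
    """Host part of a URL, or of a bare 'host[:port]' as seen in CONNECT lines."""
    if "://" in target:
        return normalize_host(urlsplit(target).netloc)
    return normalize_host(target)


def build_indicators(urls, hosts):
    """Two lookup sets: exact URLs (lower-cased) and normalized hosts derived from
    both the URL IOCs and the host IOCs."""
    url_set = {u.lower() for u in urls}
    host_set = {host_of(u) for u in urls} | {normalize_host(h) for h in hosts}
    return url_set, host_set


def hunt(lines, urls=IOC_URLS, hosts=IOC_HOSTS):
    """Return (line_index, indicator, kind) for every log line that hits an IOC.
    A full URL match is reported as 'url'; otherwise a host-only match as 'host'."""
    url_set, host_set = build_indicators(urls, hosts)
    hits = []
    for i, line in enumerate(lines):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real pipeline would count these
        target = fields[3]
        if target.lower() in url_set:
            hits.append((i, target.lower(), "url"))
            continue
        host = host_of(target)
        if host in host_set:
            hits.append((i, host, "host"))
    return hits


if __name__ == "__main__":
    for idx, ioc, kind in hunt(SAMPLE_LOG):
        print(f"{kind:4} hit on line {idx}: {ioc} <- {SAMPLE_LOG[idx]}")
```

Matching on the normalized host as well as the exact URL matters here: the C2 extraction lists akedauiver.xyz with port 80, while a CONNECT to the same host on 443 would otherwise slip past a URL-only match. The ip-api.com line is deliberately not flagged; the sandbox saw it, but the page lists it as an IP-check service, not as an IOC.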

Intelligence


File Origin
# of uploads: 2
# of downloads: 147
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: main_setup_x86x64.exe
Verdict: Malicious activity
Analysis date: 2021-07-15 11:21:59 UTC
Tags: evasion trojan stealer vidar rat redline loader phishing keylogger agenttesla raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: Backstage Stealer Cookie Stealer Oski Re
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Regsvr32 Anomaly
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Cookie Stealer
Yara detected Oski Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID: 450318
Sample: QQ9XxgbU1G.exe
Start date: 18/07/2021
Architecture: WINDOWS
Score: 100

Top-level observations: DNS lookup of google.vrthcobj.com; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures.

Process tree (dropped files, network contacts and signatures per process):

QQ9XxgbU1G.exe
  Dropped: C:\Users\user\AppData\Local\...\playfile.exe (PE32); C:\Users\user\AppData\Local\Temp\jhuuee.exe (PE32); C:\Users\user\AppData\Local\Temp\chenh.exe (PE32); 3 other files (2 malicious)
  Started: playfile.exe, OLKbrowser.exe, setup.exe, 2 other processes
  playfile.exe
    Dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Drops PE files with benign system names
    Started: svchost.exe
    svchost.exe (the dropped copy)
      Network: a343345.me (198.54.114.131, port 80, NAMECHEAP-NETUS, United States)
      Dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
      Signatures: System process connects to network (likely due to code injection or exploit); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  OLKbrowser.exe
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into foreign processes
    Started: OLKbrowser.exe, conhost.exe
    OLKbrowser.exe (child instance)
      Network: 185.125.18.50 (QS-ASRU, Russian Federation); 172.67.75.172 (CLOUDFLARENETUS, United States)
      Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  setup.exe
    Network: 91.241.19.12 (REDBYTES-ASRU, Russian Federation); 47.243.129.23 (CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, United States); 3 other IPs or domains
    Dropped: C:\Users\user\AppData\...\rollerkind2[1].exe (PE32); C:\Users\user\AppData\Local\...\file[1].exe (PE32); C:\Users\user\AppData\...\pl_installer[1].exe (PE32); 6 other files (none is malicious)
    Started: WerFault.exe
  2 other processes
    Network: ip-api.com (208.95.112.1, port 80, TUT-ASUS, United States); 88.99.66.31 (HETZNER-ASDE, Germany); 4 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\Temp\haleng.exe (PE32)
    Signatures: May check the online IP address of the machine; Creates processes via WMI
    Started: chenh.exe, jfiag3g_gg.exe, conhost.exe, 2 other processes
    chenh.exe
      Dropped: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32); C:\...\api-ms-win-core-string-l1-1-0.dll (PE32); C:\...\api-ms-win-core-namedpipe-l1-1-0.dll (PE32)
      Started: conhost.exe

haleng.exe
  Network: 157.240.17.35 (FACEBOOKUS, United States)
  Dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
  Started: jfiag3g_gg.exe (two instances)
Threat name: ByteCode-MSIL.Backdoor.Mokes
Status: Malicious
First seen: 2021-07-14 16:41:12 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:oski family:redline botnet:aninew discovery infostealer persistence spyware stealer upx
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Oski
Process spawned unexpected child process
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
a343345.me
akedauiver.xyz:80
Unpacked files

SHA256 hash: 8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash: 559948db5816ae7ab26eb2eb533887ed
SHA1 hash: e60442c6fb35239d298b01b0f4558264c01b2e7f

SHA256 hash: 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash: 1c7be730bdc4833afb7117d48c3fd513
SHA1 hash: dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256 hash: 4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash: ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash: 249ff902f66c3d0cee6656802b14a9c34807bc8f

SHA256 hash: c903df66e3e3c3dc0759b666896fe7f6816d691446044bdb1dfd4ff90904935a
MD5 hash: dbbfe7aab44f31c2f03da866ed6a2288
SHA1 hash: 2950979d1dc657d95908a0e1d65b7f48173810f0

SHA256 hash: 3c648992d1546155e984774bc4b6ca5f3ffd83d084f4e0d08346a08a95e30aa2
MD5 hash: de1559dbbf4a543bd6ea181340105ae5
SHA1 hash: d88509684b84254f2dc27f6ff86d6e20540b21b7

SHA256 hash: dff28812909d091652d5c6617c38dd4e60f80c6a6c4287d9aa65ad309e96093a
MD5 hash: 499ddcc70150ef2df77600b7865896fb
SHA1 hash: 43877ca0e904073af8f720b622ece53354eca649
Detections: win_oski_g0 win_oski_auto

SHA256 hash: 532022f3404acdffcf96dfab6571b56c3ed1f5d3190639b180193702a16d1d74
MD5 hash: cf15b7d441c17528eadf214e6cf220a2
SHA1 hash: f060f2d5ef363eea173a0342365fb3b85d521f9a

SHA256 hash: 403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56
MD5 hash: 6800f4c8b2d1326dab120a6ad2b99ff6
SHA1 hash: d45ad1d4567dd41b9676885c1d7c5e5ef8fe5fc0

SHA256 hash: e6fa662bbc80c8a6fcee0dd97f2a51b2c0fa30b5ba4f0ddca116c0ad3fec2ba3
MD5 hash: 1f824168d4bfe8b390bec6b290625c89
SHA1 hash: aecee36b25fb8482c68baaad9788560779f86121

SHA256 hash: 8ae32b045f89889b218e0e0c46088fce5bbbf4af876ef2305c10cfcef0d9f30c
MD5 hash: f7477a1033d5c4b99f294a50a2eb2521
SHA1 hash: 559b315f76610b6ae5702681771c03a095bd898a

SHA256 hash: f9d902d85eadc53d490b2a04313d0d32810d827925013ee59351136b08295c2f
MD5 hash: 9c4c4a75ad5cd816f5443104cbec11ec
SHA1 hash: c2ff0375368af9d8171ed42583b4f7fc7b94e9ff

SHA256 hash: 440a8133913c58ba6b472f0595b5687754a183a6c8dc9c04d0ccff57803c6d0d
MD5 hash: 0a95910c8294c9627bb8a785ad59d992
SHA1 hash: c47c4179aa92634406d5aea072df1eab760307b2

SHA256 hash: 244e43b042445635b9311f0a575a30bf27644ec34e5fc7085447f09859c7d968
MD5 hash: 236ca8b4f80b283513cb59ea19f5c343
SHA1 hash: 0bbd2356f940693922fbdea90e56295c153e9a20

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_new_bin
Author: James_inthe_box
Description: Redline stealer
Reference: https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
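Two kinds of check in the list above are worth seeing spelled out. The SUSP_XORed_Mozilla and SUSP_XORed_MSDOS_Stub_Message rules rely on YARA's `xor(0x01-0xff)` string modifier, which searches for the keyword under every single-byte XOR key; they fire on encrypted embedded PEs and configuration blobs that a plain string match would miss. The stomped-timestamp rule compares the COFF header's TimeDateStamp with the current time. The following is an added example (not the rules' own code) that re-implements both in plain Python and chains them: locate a XORed embedded PE by its DOS stub message, recover the key, decode it and check its timestamp. The PE bytes and carrier blob are constructed here; the assumption that the stub message sits at offset 0x4E matches the standard linker stub and is stated in the code.

```python
"""Added example: plain-Python equivalents of the XORed-keyword and
timestamp-in-the-future YARA checks. All input bytes are constructed.
"""
import struct
import time

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
USER_AGENT = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_keyword(data: bytes, keyword: bytes):
    """Return sorted (offset, key, encoding) for every occurrence of `keyword` XORed
    with one byte 0x01..0xff, in ASCII and UTF-16LE ('wide') form. Key 0x00 is
    skipped, as in the rules, so plaintext occurrences are not reported."""
    variants = {"ascii": keyword, "wide": keyword.decode("ascii").encode("utf-16-le")}
    hits = []
    for key in range(1, 256):
        for enc, plain in variants.items():
            pattern = xor_bytes(plain, key)
            idx = data.find(pattern)
            while idx >= 0:
                hits.append((idx, key, enc))
                idx = data.find(pattern, idx + 1)
    return sorted(hits)


def pe_timestamp(pe: bytes) -> int:
    """COFF TimeDateStamp: e_lfanew (uint32 at 0x3C) -> 'PE\\0\\0', Machine(2),
    NumberOfSections(2), TimeDateStamp(4)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def timestamp_in_future(pe: bytes, now=None) -> bool:
    now = int(time.time()) if now is None else int(now)
    return pe_timestamp(pe) > now


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE: 0x80-byte DOS header carrying the standard stub message
    at its usual offset 0x4E, then a COFF header with the given TimeDateStamp."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(hdr) + coff


def triage_blob(blob: bytes, now=None):
    """Find single-byte-XORed embedded PEs via the stub message, recover the key,
    decode, and flag a future-dated timestamp. Assumes the message sits at 0x4E of
    the embedded image, as in the standard linker stub."""
    now = int(time.time()) if now is None else int(now)
    findings = []
    for off, key, enc in find_xored_keyword(blob, DOS_STUB_MSG):
        start = off - 0x4E
        if enc != "ascii" or start < 0:
            continue
        pe = xor_bytes(blob[start:], key)
        try:
            ts = pe_timestamp(pe)
        except (ValueError, struct.error):
            continue
        findings.append({"offset": start, "key": key, "timestamp": ts, "future": ts > now})
    return findings


if __name__ == "__main__":
    now = int(time.time())
    blob = b"\x90" * 37 + xor_bytes(build_stub_pe(now + 365 * 86400), 0x5A)
    print(find_xored_keyword(xor_bytes(USER_AGENT, 0x11), USER_AGENT))
    print(triage_blob(blob, now))
```

The `xor` modifier is cheap for YARA because it expands each string into 255 fixed patterns once; the pure-Python version does the same expansion per call, which is fine for triage but not for scanning large corpora.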
