MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a7a01bdce9c9583c8a67f062615012c3e569fbadcabdc6369c118016acfc248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a7a01bdce9c9583c8a67f062615012c3e569fbadcabdc6369c118016acfc248
SHA3-384 hash: f10cd20fb26f2b945ee24b7944f3fa82aa842df88fd024f3b6ed29002b25ee8c5d45781662dd4e15d46153cd94cca882
SHA1 hash: 2b1513c05230d9fa10249ff37bd2365e4188350e
MD5 hash: b65c0ff839f99dc7e62be3f78b625b78
humanhash: oscar-arkansas-maryland-north
File name:B65C0FF839F99DC7E62BE3F78B625B78.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'558'882 bytes
First seen:2021-08-14 14:16:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:x8CvLUBsgiJ1a8a2a0wO78eCI5BJ3NVW9AQPOEpssjk:xhLUCg+gbQ71/1NohPOhsI
Threatray 334 similar samples on MalwareBazaar
TLSH T1082633157BC5D0F5F5462031A7483FB221FCC3A92A69D4DB672B924C1B2E2B7C90A74E
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
135.181.123.52:52101

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
135.181.123.52:52101 https://threatfox.abuse.ch/ioc/186204/
http://45.153.230.19/ https://threatfox.abuse.ch/ioc/185490/

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B65C0FF839F99DC7E62BE3F78B625B78.exe
Verdict:
No threats detected
Analysis date:
2021-08-14 14:18:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c9979a9-d786-4890-a75f-bd707953ef91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179244/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Jaik-9885413-0
Create hunting rule

Win.Packed.Jaik-9885437-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da74d900-6421-4bfe-b8bb-df55c6e06927
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832913
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465344 Sample: ZFNV0gbtpt.exe Startdate: 14/08/2021 Architecture: WINDOWS Score: 100 102 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->102 104 34.97.69.225 GOOGLEUS United States 2->104 106 3 other IPs or domains 2->106 126 Antivirus detection for URL or domain 2->126 128 Antivirus detection for dropped file 2->128 130 Multi AV Scanner detection for dropped file 2->130 132 12 other signatures 2->132 11 ZFNV0gbtpt.exe 8 2->11         started        14 svchost.exe 1 2->14         started        signatures3 process4 file5 64 C:\Users\user\AppData\...\setup_install.exe, PE32 11->64 dropped 66 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 11->66 dropped 68 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 11->68 dropped 70 3 other files (none is malicious) 11->70 dropped 16 setup_install.exe 11 11->16         started        process6 dnsIp7 98 172.67.170.195 CLOUDFLARENETUS United States 16->98 100 127.0.0.1 unknown unknown 16->100 56 C:\Users\user\AppData\Local\...\e7536a043.exe, PE32 16->56 dropped 58 C:\Users\user\AppData\...\df026da6d481.exe, PE32 16->58 dropped 60 C:\Users\user\AppData\...\cbf3f5f878.exe, PE32+ 16->60 dropped 62 7 other files (4 malicious) 16->62 dropped 20 cmd.exe 16->20         started        22 cmd.exe 1 16->22         started        24 cmd.exe 16->24         started        26 8 other processes 16->26 file8 process9 process10 28 8acd9b3697086429.exe 20->28         started        33 7825532f6c2.exe 4 22->33         started        35 cbf3f5f878.exe 24->35         started        37 0fd0e7409d7.exe 26->37         started        39 e7536a043.exe 43 26->39         started        41 820bce1606.exe 26->41         started        43 3 other processes 26->43 dnsIp11 108 37.0.10.236 WKD-ASIE Netherlands 28->108 114 12 other IPs or domains 28->114 72 C:\Users\...\wYuKxdSF8TaUuNHYIwTUuSeS.exe, PE32 28->72 dropped 74 C:\Users\...\sZ40tSHC6CsYt16ZNqWJuGir.exe, PE32 28->74 dropped 76 C:\Users\...\rnhmJrUdc4dYgnALXKlQszUT.exe, PE32 28->76 dropped 84 45 other files (39 malicious) 28->84 dropped 134 Drops PE files to the document folder of the user 28->134 136 Creates HTML files with .exe extension (expired dropper behavior) 28->136 138 Disable Windows Defender real time protection (registry) 28->138 110 192.168.2.1 unknown unknown 33->110 86 2 other files (1 malicious) 33->86 dropped 45 setup.exe 33->45         started        50 chrome2.exe 33->50         started        116 3 other IPs or domains 35->116 78 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 35->78 dropped 80 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 35->80 dropped 140 Contains functionality to steal Chrome passwords or cookies 35->140 142 Drops PE files to the startup folder 35->142 112 162.159.135.233 CLOUDFLARENETUS United States 37->112 82 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 37->82 dropped 144 Antivirus detection for dropped file 37->144 146 Machine Learning detection for dropped file 37->146 118 2 other IPs or domains 39->118 148 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->148 150 Tries to harvest and steal browser information (history, passwords, etc) 39->150 152 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->152 154 Checks if the current machine is a virtual machine (disk enumeration) 41->154 120 4 other IPs or domains 43->120 88 4 other files (none is malicious) 43->88 dropped 156 Creates processes via WMI 43->156 52 df026da6d481.exe 43->52         started        file12 signatures13 process14 dnsIp15 122 45.61.137.242 AS40676US United States 45->122 90 C:\Windows\winnetdriv.exe, PE32 45->90 dropped 92 C:\Users\user\AppData\Local\...\Login Data1, SQLite 45->92 dropped 158 Drops executables to the windows directory (C:\Windows) and starts them 45->158 160 Tries to harvest and steal browser information (history, passwords, etc) 45->160 94 C:\Users\user\AppData\...\services64.exe, PE32+ 50->94 dropped 124 172.67.222.125 CLOUDFLARENETUS United States 52->124 96 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 52->96 dropped 54 conhost.exe 52->54         started        file16 signatures17 process18
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2a7a01bdce9c9583c8a67f062615012c3e569fbadcabdc6369c118016acfc248/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 21:36:53 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fj5adpootskyhsfgp4dcmfibfq7fnh523sv5yy3jyemac2wpyjea._file
Verdict:
unknown
Similar samples:
44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e
RaccoonStealer
65624215e9613e4922c32eb184b75ea1334a6a2fa32d45ef535918ef7b9a9eca
RaccoonStealer
799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
RaccoonStealer
bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4
RaccoonStealer
befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
RaccoonStealer
f9029a8f9164bd1b7ec115bb9fbc556bee6b60c61dfefbe16ffb434d1151d5f9
RaccoonStealer
+ 324 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 aspackv2 backdoor evasion infostealer persistence stealer suricata themida trojan
Link:
https://tria.ge/reports/210814-nyqc8778wn/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
https://prophefliloc.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Unpacked files
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
269d2ae2661789f8929d934a7f7e44b6d6fa2e2fc3799fd53b44988aed906b1f
SH256 hash:
6e037f08a0c238f222fa2d717d487896fb12c411129748e6729e5599abc43b13
MD5 hash:
9806f3f87bcb267281009a6fc5c420fa
SHA1 hash:
1e36820c67183d74e9c1f94cfa63863e520b0598
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
Parent samples :
549953d5db2a4646740e721e24ec1b7fa57ef6c4d72ffa32752b17d4a65c36e4
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
0931826deaf2d247bbd4bf0f9db8b9ec4b1b1830f5763155487afc8dec645c5d
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
SH256 hash:
76fd57122331c7e402c7ab4a48bb9a86529641200f391241e20f31232e5f439b
MD5 hash:
922068b48ff8abb7e513a724443c1f62
SHA1 hash:
fef5db5322dae45dade837d28a2ad1aa159c74b9
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
0cfeb696a1e79a5933429e77f1d32b5d95fafbbd7053955a7ade9c0de264a904
MD5 hash:
2354ad9552eb7a2b129b6397be8fdcf1
SHA1 hash:
20218e9b1dc221230e279cdc1e33e012d38a7aeb
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff
MD5 hash:
fcd4dda266868b9fe615a1f46767a9be
SHA1 hash:
f5d26b20ebdcd2f48ebbccff80b882ea2fa48e8c
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
a5aab74353af8782e4111151292ecae57c895478a18014897d11e4e02def7739
MD5 hash:
036d7303bf6bc8006d005f9b680b7f57
SHA1 hash:
e2b7678d1c0f659455bd9a95d9c43d57d74f1801
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash:
c0d18a829910babf695b4fdaea21a047
SHA1 hash:
236a19746fe1a1063ebe077c8a0553566f92ef0f
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
dfb394db4afd88a97ef96063d073c8b7d96add932531fc937a785ad1172ddae2
MD5 hash:
ff1cbe4087d97b166317527e560ef8df
SHA1 hash:
cf043d6a7c99d8ba3de53279f800d1cc6686dcd1
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
MD5 hash:
7aaf005f77eea53dc227734db8d7090b
SHA1 hash:
b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
b26ad2878bcf341a154bf4fa4f3e1f4e8bff548556a6b5b65818d33ff9bff8f2
MD5 hash:
ee395029aa09950b5f3bdf5710f03982
SHA1 hash:
93d2e98eefb739a5462e4336a6e8ec596a0f8e82
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
57209841faff8648f612f9feeeb21eaeb8214f55a729591b4973fe957b550edb
MD5 hash:
295dcfc49cbcf62c6c1621be6ac45406
SHA1 hash:
6be74507f7a0203dc4f0f6a8c946df6589fe91cb
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
c23368337323a4f0569795eb9597a109164362b866540e2b9003a95761eb14e8
MD5 hash:
a09b5a5ae131d150f3cbdd0e53fa3213
SHA1 hash:
586261bc4771672a97c5356263209d7d0f4f1abf
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
8555e7c4aa11565bca95636c4a3d280296490403d7b906ddfa456958196a468d
MD5 hash:
512755d75b7ce9fe9507a53a3a3cb775
SHA1 hash:
fc0c43eb3c769ffd13b6a76c0e09f31a0cbd9c6e
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
f07909033efaca76887ff154cc054964f8baf81de0539f58c9fa1d42bf6cd0db
MD5 hash:
2714ede48783352b78a409f02600269b
SHA1 hash:
5f8710eb30147ab376e40afe2202926700d569ea
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
SH256 hash:
2a7a01bdce9c9583c8a67f062615012c3e569fbadcabdc6369c118016acfc248
MD5 hash:
b65c0ff839f99dc7e62be3f78b625b78
SHA1 hash:
2b1513c05230d9fa10249ff37bd2365e4188350e
Link:
https://www.unpac.me/results/2cf7e9b5-2b8f-450a-941a-f80c772879e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a7a01bdce9c9583c8a67f062615012c3e569fbadcabdc6369c118016acfc248

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179244/

Comments