MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cb7b724ba108cfab0f07348997e32c7c531084ffd2c9326e6ba51ad8f4ed656. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cb7b724ba108cfab0f07348997e32c7c531084ffd2c9326e6ba51ad8f4ed656
SHA3-384 hash: cbd365a24d8de39f70691b0297c3b10a3c1234b9e3653e89c6f854bdf6474c6f8a758f3816a87e9663caf6a3d040f8d7
SHA1 hash: 10d78089cebab23bf04a9d1502f078077c344176
MD5 hash: de91f84e9b1a869d1e7890e9bf4d8c3c
humanhash: steak-jersey-sweet-triple
File name:de91f84e9b1a869d1e7890e9bf4d8c3c.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'583'044 bytes
First seen:2021-08-12 08:25:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBRCpZgu25meQkEwJ84vLRaBtIl9mTVjj1+0:xlZ25m7TCvLUBsKVv1+0
Threatray 295 similar samples on MalwareBazaar
TLSH T16A75237277E2C4FBEA815031AE4C6F7126F9C7491A321DDB7794C70D5F38892D22AA48
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://74.119.195.135/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://74.119.195.135/ https://threatfox.abuse.ch/ioc/171652/
45.14.49.128:16334 https://threatfox.abuse.ch/ioc/172157/

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
de91f84e9b1a869d1e7890e9bf4d8c3c.exe
Verdict:
No threats detected
Analysis date:
2021-08-12 08:32:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3cfd13a6-5cc6-428d-a906-9cb5f28a1417

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178543/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Dropper.Chapak-9884592-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Moving a file to the %temp% subdirectory
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Sending an HTTP POST request
Reading critical registry keys
Creating a file
Creating a process with a hidden window
Creating a window
Delayed reading of the file
Launching the default Windows debugger (dwwin.exe)
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% subdirectories
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9498cd28-b58f-41bc-950c-506ec2fd617b
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831554
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 464000 Sample: vh5pKnelJF.exe Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 97 Multi AV Scanner detection for domain / URL 2->97 99 Antivirus detection for URL or domain 2->99 101 Multi AV Scanner detection for dropped file 2->101 103 5 other signatures 2->103 11 vh5pKnelJF.exe 10 2->11         started        14 wtertdj 1 2->14         started        process3 file4 61 C:\Users\user\AppData\...\setup_install.exe, PE32 11->61 dropped 63 C:\Users\user\AppData\Local\...\libcurlpp.dll, PE32 11->63 dropped 65 C:\Users\user\AppData\Local\...\libcurl.dll, PE32 11->65 dropped 69 5 other files (2 malicious) 11->69 dropped 17 setup_install.exe 1 11->17         started        67 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 14->67 dropped 137 DLL reload attack detected 14->137 139 Detected unpacking (changes PE section rights) 14->139 141 Machine Learning detection for dropped file 14->141 143 4 other signatures 14->143 signatures5 process6 dnsIp7 71 marisana.xyz 104.21.19.116, 49710, 80 CLOUDFLARENETUS United States 17->71 73 127.0.0.1 unknown unknown 17->73 51 C:\Users\user~1\...\karotima_2.exe (copy), PE32 17->51 dropped 53 C:\Users\user~1\...\karotima_1.exe (copy), PE32 17->53 dropped 105 Detected unpacking (changes PE section rights) 17->105 107 Performs DNS queries to domains with low reputation 17->107 22 cmd.exe 1 17->22         started        24 cmd.exe 1 17->24         started        26 conhost.exe 17->26         started        file8 signatures9 process10 process11 28 karotima_2.exe 1 22->28         started        31 karotima_1.exe 4 24->31         started        dnsIp12 123 DLL reload attack detected 28->123 125 Detected unpacking (changes PE section rights) 28->125 127 Renames NTDLL to bypass HIPS 28->127 135 3 other signatures 28->135 34 explorer.exe 3 28->34 injected 81 37.0.10.236, 49714, 80 WKD-ASIE Netherlands 31->81 83 37.0.8.235, 49712, 80 WKD-ASIE Netherlands 31->83 85 ipinfo.io 34.117.59.81, 443, 49711 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 31->85 129 May check the online IP address of the machine 31->129 131 Tries to harvest and steal browser information (history, passwords, etc) 31->131 133 Disable Windows Defender real time protection (registry) 31->133 39 WerFault.exe 23 9 31->39         started        signatures13 process14 dnsIp15 75 45.61.138.10, 49751, 80 AS40676US United States 34->75 77 conceitosseg.com 175.117.131.127, 49738, 49739, 49740 SKB-ASSKBroadbandCoLtdKR Korea Republic of 34->77 79 3 other IPs or domains 34->79 55 C:\Users\user\AppData\Roaming\wtertdj, PE32 34->55 dropped 57 C:\Users\user\AppData\Local\Temp\8D78.exe, PE32 34->57 dropped 109 System process connects to network (likely due to code injection or exploit) 34->109 111 Benign windows process drops PE files 34->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->113 41 C3BC.exe 2 4 34->41         started        45 8D78.exe 34->45         started        file16 signatures17 process18 file19 59 C:\ProgramData\...\33A2E4F0.exe, PE32 41->59 dropped 115 Detected unpacking (overwrites its own PE header) 41->115 117 Creates autostart registry keys with suspicious names 41->117 47 33A2E4F0.exe 41->47         started        119 Detected unpacking (changes PE section rights) 45->119 121 Machine Learning detection for dropped file 45->121 signatures20 process21 dnsIp22 87 ebanat6977769.com 8.209.79.46, 49764, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 47->87 89 Detected unpacking (overwrites its own PE header) 47->89 91 Machine Learning detection for dropped file 47->91 93 Maps a DLL or memory area into another process 47->93 95 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 47->95 signatures23
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2cb7b724ba108cfab0f07348997e32c7c531084ffd2c9326e6ba51ad8f4ed656/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-07-31 05:27:00 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fs33ojf2ccgpvmhqonejs7rsy7ctcccp7uwjgjxgxji23d2o2zla._file
Verdict:
unknown
Similar samples:
1a263b2603212ff1e492d9e0c718f12601789e27eaaba9a7a7048b4080c08bcb
RaccoonStealer
4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
RaccoonStealer
5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a
RaccoonStealer
5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc
RaccoonStealer
6430e35390b94f25e609d8dc2edadd8f6b0b30bec768ce894c67028de438ab13
RaccoonStealer
6538789051b9ca8da7b851a2c775d0468d547d9fddb6a32433f4b1e5fe9a6ece
RaccoonStealer
9674d5eec506800988ac7469acafaab10d6c879c83aba6ccb023935de5cd2a0e
RaccoonStealer
d74a07eeb26faeed4799f582bcb3c22ba985cc7bf21685d3b6e37aa694a72d97
RaccoonStealer
+ 285 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:glupteba family:metasploit family:redline family:smokeloader family:vidar botnet:11_08_r botnet:7new botnet:916 botnet:937 aspackv2 backdoor banker discovery dropper evasion infostealer loader stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210812-f4wh1w23rs/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Danabot
Danabot Loader Component
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
https://lenak513.tumblr.com/
sytareliar.xyz:80
yabelesatg.xyz:80
ceneimarck.xyz:80
zertypelil.xyz:80
Unpacked files
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/ebe7e766-4626-48f8-ac4a-1e0c30b9600f/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
5d57a70c759a4d840821ca0a5d80a7caf3f7dc41d9c4a62a161a6b4a8b54be97
MD5 hash:
83fce219e533ab0372f7d503be6a77b9
SHA1 hash:
e0a2840af2a66887ffdf33eb7c385205cdf0d679
Link:
https://www.unpac.me/results/ebe7e766-4626-48f8-ac4a-1e0c30b9600f/
SH256 hash:
c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e
MD5 hash:
9108ad5775c76cccbb4eadf02de24f5d
SHA1 hash:
82996bc4f72b3234536d0b58630d5d26bcf904b0
Link:
https://www.unpac.me/results/ebe7e766-4626-48f8-ac4a-1e0c30b9600f/
Parent samples :
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
e54f1a3b63aa2a148bd7d71cdd0cd35e0ee14940c50f3d870a7b0aa0b9089379
MD5 hash:
4cf48cef81eb5c6b4b188a96f2f67ef8
SHA1 hash:
4988f380fbd72106a36b2c018d66bb7d80ff9a21
Link:
https://www.unpac.me/results/ebe7e766-4626-48f8-ac4a-1e0c30b9600f/
SH256 hash:
24e7dcf422c6b3df3fe03e9d4b293088a1688d0688c145e8ac7467d57a6db96e
MD5 hash:
8b25551611dae7b179214dc021670749
SHA1 hash:
455917bef50202f04399578f2908f2a357736f02
Link:
https://www.unpac.me/results/ebe7e766-4626-48f8-ac4a-1e0c30b9600f/
SH256 hash:
2cb7b724ba108cfab0f07348997e32c7c531084ffd2c9326e6ba51ad8f4ed656
MD5 hash:
de91f84e9b1a869d1e7890e9bf4d8c3c
SHA1 hash:
10d78089cebab23bf04a9d1502f078077c344176
Link:
https://www.unpac.me/results/ebe7e766-4626-48f8-ac4a-1e0c30b9600f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2cb7b724ba10/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cb7b724ba108cfab0f07348997e32c7c531084ffd2c9326e6ba51ad8f4ed656

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178543/

Comments