MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e
SHA3-384 hash:	c9da922cb6207a5f42b37fb0dba3619e76187c990d5ead24edfa28b39c562ffbbe045f937d439483a513a3f4512bcb9d
SHA1 hash:	f717f31f41dfaf979968ace386d16a7ccc93a063
MD5 hash:	687646c50086bcf4e5c3474b4e0054ea
humanhash:	freddie-london-oven-fish
File name:	687646c50086bcf4e5c3474b4e0054ea.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	243'200 bytes
First seen:	2021-09-02 05:56:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	63fc28335e602552107036f2ceb974a9 (10 x RaccoonStealer, 2 x ArkeiStealer, 2 x RedLineStealer)
ssdeep	6144:5J2kT9lFO+KDAQ0JFiv/sSp35h9nwetopuPC:KkxlDKDAQ0JQ0Yph9nLOuK
Threatray	3'974 similar samples on MalwareBazaar
TLSH	T11E348D20BB91C036F4BB11F469BA83BC652979702B3460CBA3D556EE96347E4EC30797
dhash icon	68e8e8e8aa66a499 (33 x RaccoonStealer, 14 x ArkeiStealer, 11 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.142.215.144/	https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

687646c50086bcf4e5c3474b4e0054ea.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-02 05:58:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d6ef5a20-0864-489d-a3dc-ce118c0e9812

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/184678/

Detection(s):

Win.Packed.Generic-9890178-0

Win.Malware.Generic-9890222-0

Win.Dropper.Raccoon-9890239-0

Win.Malware.Generic-9890308-0

Win.Dropper.StopCrypt-9890322-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Creating a process from a recently created file

Sending a custom TCP request

Launching a process

Searching for the window

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Deleting a recently created file

Replacing files

Changing a file

Creating a file in the %AppData% subdirectories

Running batch commands

Creating a process with a hidden window

Setting browser functions hooks

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a system process

Stealing user critical data

Deleting of the original file

Enabling autorun by creating a file

Unauthorized injection to a browser process

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8f34018a-ac49-485f-ae34-5b5c13606789

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843807

Signature

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

System process connects to network (likely due to code injection or exploit)

Tries to resolve many domain names, but no domain seems valid

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2db5b8398fe40439d40336311f84437499781d8659a4557b76ff7db71fa4e05e/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-02 05:56:10 UTC

AV detection:

17 of 45 (37.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fw23qomp4qcdtvadgyyr7bcdosmxqhmglgsfk63w7563oh5e4bpa._file

Verdict:

suspicious

RaccoonStealer

2c835a908ce2e7c313393fe2689a36f087794f35583766076a0e3d842b01aee8

RaccoonStealer

67ebaa4e613b155a8584614552de369a48d854f8b38e9c6f6319d71f287ea0f9

RaccoonStealer

682ef52e3ab62fc62e75477915bf98a8da2ef787676c0d9dfb05de1875195885

RaccoonStealer

68e731d3431bc9223c2ff57b2d319194c4a6b8027e15c75f16b841bc78499172

RaccoonStealer

9dad1f618e1ebf28e43f4af049feb9d75a03b139a63bdd1901f51497fd4ed50b

RaccoonStealer

cfcb21c8c129c8c2c525ecfac8bd883260eda6038e3991210765e582007451dd

RaccoonStealer

f4e1fc78ba0a65bde5687a67eb89e20166e062356b77227c9e0211060bd14dc8

RaccoonStealer

f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc

RaccoonStealer

+ 3'964 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:raccoon family:redline family:smokeloader botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:install backdoor discovery infostealer spyware stealer trojan

Link:

https://tria.ge/reports/210902-mdevevd6a6/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Raccoon

RedLine

RedLine Payload

SmokeLoader

Malware Config

C2 Extraction:

http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
185.167.97.37:30904