MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30ac6a662fbc040f84b7cc5b940768a1ea01ed3bd8bf257c27573ba343069ecb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30ac6a662fbc040f84b7cc5b940768a1ea01ed3bd8bf257c27573ba343069ecb
SHA3-384 hash: da2ea6e843b91bfc39256110a322693e065a5bd98698f64f74d59e8d2f5f49aec3bf8dfced9a6ad8d1bfd6740e7a9410
SHA1 hash: 7e1c0cc0ef97485664808a7018cdcf6b68a07520
MD5 hash: 3c1f1208e4c2de2323256281ffbc9ce2
humanhash: arizona-zebra-alaska-wisconsin
File name:3c1f1208e4c2de2323256281ffbc9ce2.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:247'808 bytes
First seen:2021-10-06 20:00:37 UTC
Last seen:2021-10-06 20:44:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b53fbcd1371b756c61ce06a61be781ec (4 x RaccoonStealer, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep 6144:FxJuCt0YRhVI7Fsu4PSq0s/Sn0zl19pDJj:llt0YRhUFsYn0B19b
Threatray 4'835 similar samples on MalwareBazaar
TLSH T12E349F1071D28FF1E67326307A71D6A08B2ABD6D6A32714F37D4263F1E3C6E18A65316
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.47.232/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.232/ https://threatfox.abuse.ch/ioc/231118/

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3c1f1208e4c2de2323256281ffbc9ce2.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-06 20:01:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/32cf8617-b1eb-4c7a-a712-784dfef1932b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195541/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader43.36544.32330.11518.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c14168a6-9bb0-40cb-be24-479cb774cda9
Result
Threat name:
Vidar Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865849
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected Info Stealer Vidar
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 498277 Sample: p5mN2OilDC.exe Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 90 yje.ckauni.ru 2->90 92 defeatwax.ru 2->92 94 2 other IPs or domains 2->94 112 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->112 114 Multi AV Scanner detection for domain / URL 2->114 116 Antivirus detection for dropped file 2->116 118 16 other signatures 2->118 11 p5mN2OilDC.exe 2->11         started        14 whffduc 2->14         started        16 svchost.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 152 Detected unpacking (changes PE section rights) 11->152 154 Contains functionality to inject code into remote processes 11->154 156 Injects a PE file into a foreign processes 11->156 21 p5mN2OilDC.exe 11->21         started        158 Machine Learning detection for dropped file 14->158 24 whffduc 14->24         started        160 Changes security center settings (notifications, updates, antivirus, firewall) 16->160 26 MpCmdRun.exe 1 16->26         started        96 192.168.2.1 unknown unknown 18->96 signatures6 process7 signatures8 144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->144 146 Maps a DLL or memory area into another process 21->146 148 Checks if the current machine is a virtual machine (disk enumeration) 21->148 28 explorer.exe 18 21->28 injected 150 Creates a thread in another existing process (thread injection) 24->150 33 conhost.exe 26->33         started        process9 dnsIp10 106 193.56.146.41, 49812, 9080 LVLT-10753US unknown 28->106 108 privacy-toolz-for-you-3000.top 94.142.140.28, 49778, 49781, 49783 IHOR-ASRU Russian Federation 28->108 110 2 other IPs or domains 28->110 82 C:\Users\user\AppData\Roaming\whffduc, PE32 28->82 dropped 84 C:\Users\user\AppData\Local\Temp\97C3.exe, PE32 28->84 dropped 86 C:\Users\user\AppData\Local\Temp\73E6.exe, PE32 28->86 dropped 88 7 other malicious files 28->88 dropped 162 System process connects to network (likely due to code injection or exploit) 28->162 164 Benign windows process drops PE files 28->164 166 Deletes itself after installation 28->166 168 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->168 35 3BEB.exe 28->35         started        38 AD40.exe 28->38         started        42 545F.exe 28->42         started        44 7 other processes 28->44 file11 signatures12 process13 dnsIp14 120 Detected unpacking (changes PE section rights) 35->120 122 Machine Learning detection for dropped file 35->122 124 Injects a PE file into a foreign processes 35->124 46 3BEB.exe 35->46         started        64 C:\ProgramData\...\information.txt, ISO-8859 38->64 dropped 66 C:\ProgramData\...\Default.zip, Zip 38->66 dropped 78 6 other files (none is malicious) 38->78 dropped 126 Detected Info Stealer Vidar 38->126 128 Detected unpacking (overwrites its own PE header) 38->128 130 Tries to harvest and steal browser information (history, passwords, etc) 38->130 98 mas.to 88.99.75.82, 443, 49830, 49847 HETZNER-ASDE Germany 42->98 100 65.108.80.190, 49836, 49848, 80 ALABANZA-BALTUS United States 42->100 68 C:\ProgramData\...\screenshot.jpg, JPEG 42->68 dropped 70 C:\ProgramData\...\information.txt, ISO-8859 42->70 dropped 72 C:\ProgramData\...\Default.zip, Zip 42->72 dropped 80 6 other files (none is malicious) 42->80 dropped 132 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->132 134 Tries to steal Crypto Currency Wallets 42->134 102 185.163.47.232, 49838, 80 MIVOCLOUDMD Moldova Republic of 44->102 104 teletop.top 104.21.17.146, 49837, 80 CLOUDFLARENETUS United States 44->104 74 C:\Users\user\AppData\Local\...\elxktghb.exe, PE32 44->74 dropped 76 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 44->76 dropped 136 Antivirus detection for dropped file 44->136 138 Query firmware table information (likely to detect VMs) 44->138 140 Tries to detect sandboxes and other dynamic analysis tools (window names) 44->140 142 3 other signatures 44->142 49 cmd.exe 44->49         started        52 cmd.exe 44->52         started        54 433F.exe 2 44->54         started        56 4 other processes 44->56 file15 signatures16 process17 file18 170 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->170 172 Maps a DLL or memory area into another process 46->172 174 Checks if the current machine is a virtual machine (disk enumeration) 46->174 176 Creates a thread in another existing process (thread injection) 46->176 62 C:\Windows\SysWOW64\...\elxktghb.exe (copy), PE32 49->62 dropped 58 conhost.exe 49->58         started        60 conhost.exe 52->60         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30ac6a662fbc040f84b7cc5b940768a1ea01ed3bd8bf257c27573ba343069ecb/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 18:39:00 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcwguzrpxqca7bfxzrnzib3iuhvad3j33c7sk7bhk452gqygt3fq._file
Verdict:
malicious
Similar samples:
02aade8f11ebeb13f9072de70ca49a6f83aa1c23b1bafe8978b5681dab12282c
RaccoonStealer
04a77c819d0028948adb252dee0fec6618bf66c079086b9993267ddb7b1d70a6
RaccoonStealer
2b1b66d7ab2022d41004937b8ea3d9f375364347b4f51d9d14bddc314296a1c5
RaccoonStealer
44e29e5cd002e8d4d4f13432847f38fa79a1667b5fdef9b9f316c3501f3bb480
RaccoonStealer
938029b6b522bdd22cbba8cfb88a1d97d0fbc264d1d7a5ded22a4924a15e6161
RaccoonStealer
a1b29584402503925406ceeb5be6a463eea7755f401e3a2c8f82ae3897e3820a
RaccoonStealer
abcd86df71b0dcd29c9fd43c17efc16763dadecac5e071d588ba6c409e536e56
RaccoonStealer
f2edf69ca64bb435d61ded2c3ca210d1bd19952c19275b7bd65d0d707fedadaa
RaccoonStealer
f74d7500782ca945d3296cd4fcf19af60b7035ff65d646c64b0c8761e38ea193
RaccoonStealer
fab15b7f61f816cf3128cc02c96d98d3385533087bc5afe3cd3799e7e034ce7f
RaccoonStealer
+ 4'825 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar botnet:2ea41939378a473cbe7002fd507389778c0f10e7 botnet:777 botnet:800 botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211006-yrlawabggp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Checks BIOS information in registry
Deletes itself
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
93.115.20.139:28978
87.251.71.44:80
Unpacked files
SH256 hash:
592b089027938156e18387e4402b965a5f1ffc25e96d7efc3aa9331254587bdd
MD5 hash:
2dbb1eb8c40c88994738a736ad55c79b
SHA1 hash:
88e2fc9242606c7dfcd68d5da8c6d457837157a3
Link:
https://www.unpac.me/results/46af0066-889b-45f8-86be-04e93dec2620/
SH256 hash:
30ac6a662fbc040f84b7cc5b940768a1ea01ed3bd8bf257c27573ba343069ecb
MD5 hash:
3c1f1208e4c2de2323256281ffbc9ce2
SHA1 hash:
7e1c0cc0ef97485664808a7018cdcf6b68a07520
Link:
https://www.unpac.me/results/46af0066-889b-45f8-86be-04e93dec2620/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/30ac6a662fbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30ac6a662fbc040f84b7cc5b940768a1ea01ed3bd8bf257c27573ba343069ecb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 30ac6a662fbc040f84b7cc5b940768a1ea01ed3bd8bf257c27573ba343069ecb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1653238/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195541/

Comments