MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34ab5727b71b4ada8d2ee6b551bb9af7fde0751633ae8f0a12812304a7a36c1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34ab5727b71b4ada8d2ee6b551bb9af7fde0751633ae8f0a12812304a7a36c1c
SHA3-384 hash: 0fd1aa2ebe64cf45a0d281a69497051f666cfd94b07d66d075971ed336ac670c40b92d4f92a3ec587e7b22f8ddd9674a
SHA1 hash: 0189017b624c27be97a8e20b45a28f8c11422e54
MD5 hash: afe2ba17c466acfbfc827dff9b5413a1
humanhash: stairway-lemon-iowa-saturn
File name:afe2ba17c466acfbfc827dff9b5413a1.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:206'848 bytes
First seen:2021-09-21 19:35:42 UTC
Last seen:2021-09-21 20:56:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b423274974f58a1d1a63a5242c6dcf99 (12 x RedLineStealer, 5 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep 3072:zVxXL7o02OrgwNM0Xt89w5m5OnGATcghhIIxAwjtqAWb:TAOr6ALfGAnhIBwjt4
Threatray 1'851 similar samples on MalwareBazaar
TLSH T13514AD013ED0CAB1C5A305334462D6E01266FB7DFE68CD877759FAEE2E342905666387
File icon (PE):PE icon
dhash icon 327e7c7d727e6e76 (14 x RedLineStealer, 13 x RaccoonStealer, 3 x Stop)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.95.11.122/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.95.11.122/ https://threatfox.abuse.ch/ioc/224422/

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
afe2ba17c466acfbfc827dff9b5413a1.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-21 19:36:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40449bcc-38f1-4508-873d-7aea4e33f07f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189986/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.24084.20736.23315.UNOFFICIAL
Create hunting rule

Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdba2115-444f-489b-898f-a3a5aa15a540
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855170
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487601 Sample: xAXmYQxwZk.exe Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 61 kevonahira2.top 2->61 63 defeatwax.ru 2->63 65 api.ip.sb 2->65 93 Multi AV Scanner detection for submitted file 2->93 95 Yara detected SmokeLoader 2->95 97 Yara detected RedLine Stealer 2->97 99 6 other signatures 2->99 10 xAXmYQxwZk.exe 2->10         started        13 resfihe 2->13         started        15 svchost.exe 2->15         started        17 9 other processes 2->17 signatures3 process4 dnsIp5 109 Detected unpacking (changes PE section rights) 10->109 20 xAXmYQxwZk.exe 10->20         started        111 Multi AV Scanner detection for dropped file 13->111 113 Machine Learning detection for dropped file 13->113 23 resfihe 13->23         started        115 Changes security center settings (notifications, updates, antivirus, firewall) 15->115 25 MpCmdRun.exe 15->25         started        57 127.0.0.1 unknown unknown 17->57 59 192.168.2.1 unknown unknown 17->59 signatures6 process7 signatures8 101 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->101 103 Maps a DLL or memory area into another process 20->103 105 Checks if the current machine is a virtual machine (disk enumeration) 20->105 27 explorer.exe 7 20->27 injected 107 Creates a thread in another existing process (thread injection) 23->107 32 conhost.exe 25->32         started        process9 dnsIp10 71 kevonahira2.top 194.87.234.157, 49742, 49743, 49744 MTW-ASRU Russian Federation 27->71 73 193.56.146.41, 49818, 9080 LVLT-10753US unknown 27->73 75 3 other IPs or domains 27->75 49 C:\Users\user\AppData\Roaming\resfihe, PE32 27->49 dropped 51 C:\Users\user\AppData\Local\Temp\F5E0.exe, PE32 27->51 dropped 53 C:\Users\user\AppData\Local\Temp\1ACE.exe, PE32 27->53 dropped 55 C:\Users\user\...\resfihe:Zone.Identifier, ASCII 27->55 dropped 121 System process connects to network (likely due to code injection or exploit) 27->121 123 Benign windows process drops PE files 27->123 125 Deletes itself after installation 27->125 127 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->127 34 1ACE.exe 2 27->34         started        37 FC46.exe 27->37         started        39 F5E0.exe 27->39         started        file11 signatures12 process13 signatures14 77 Antivirus detection for dropped file 34->77 79 Multi AV Scanner detection for dropped file 34->79 81 Machine Learning detection for dropped file 34->81 89 2 other signatures 34->89 41 1ACE.exe 15 24 34->41         started        45 conhost.exe 34->45         started        83 Detected unpacking (changes PE section rights) 37->83 85 Query firmware table information (likely to detect VMs) 37->85 87 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->87 91 2 other signatures 37->91 47 F5E0.exe 39->47         started        process15 dnsIp16 67 146.70.35.170, 30905, 49806 TENET-1ZA United Kingdom 41->67 69 api.ip.sb 41->69 117 Tries to harvest and steal browser information (history, passwords, etc) 41->117 119 Tries to steal Crypto Currency Wallets 41->119 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34ab5727b71b4ada8d2ee6b551bb9af7fde0751633ae8f0a12812304a7a36c1c/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 19:36:19 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsvvoj5xdnfnvdjo422vdo426766a5iwgoxi6cqsqerqjj5dnqoa._file
Verdict:
malicious
Similar samples:
198032ed08a5197c0b5ceefa0be69749d46a724b7d88915fe0762242692cb942
RaccoonStealer
22ab54095a6f6c605e638a4f4bc2c26e65d16fed3f9459871611f2368b64e431
RaccoonStealer
3c5232362ea229f9e937a7bb4263a5f1dc2bd3a3a040088901a5a74edf943c7e
RaccoonStealer
ae885f7399e866a92c723cd37afaed16c5ffc61dd48c3fc58c409bf8402729dd
RaccoonStealer
d9d7678108e2232287ddb69fe46c5b11d6eeb39e83cb57bc229b050e481008a4
RaccoonStealer
e206cdfadd769d8506f7dde22b1a3277075506810b455f491ff08fd42707a0a0
RaccoonStealer
e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158
RaccoonStealer
f62a8d9f1eea507f85a7f6c9146712fe9cb0bc9313fd45d47eeb14818618d0d3
RaccoonStealer
f9413fb1d83a6b6c776d29b764d28895bc7b7d878d1a9c317c3d5a00fd288a99
RaccoonStealer
f9a8afdccfeca1e80e4e695cc01a288b9aa7efcbb08a514ea346c9cfa9742cdb
RaccoonStealer
+ 1'841 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:12 botnet:khripchenko2k backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210921-ya81lsdbbk/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
.NET Reactor proctector
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://venerynnet1.top/
http://kevonahira2.top/
http://vegangelist3.top/
http://kingriffaele4.top/
http://arakeishant5.top/
109.234.34.165:35254
185.244.180.224:39957
116.203.27.211:4803
Unpacked files
SH256 hash:
61a8d403c777699f36db41e26c95ee6f29ff6cdbc4b3768bd06db2aa6bdfe2f7
MD5 hash:
cfcd9c4378e041fb0d07d607727c024b
SHA1 hash:
7e06773d4a2e07501b171e0187e2997cc7de1dac
Link:
https://www.unpac.me/results/70a60670-3fa6-4540-8815-5e059978ba5a/
SH256 hash:
34ab5727b71b4ada8d2ee6b551bb9af7fde0751633ae8f0a12812304a7a36c1c
MD5 hash:
afe2ba17c466acfbfc827dff9b5413a1
SHA1 hash:
0189017b624c27be97a8e20b45a28f8c11422e54
Link:
https://www.unpac.me/results/70a60670-3fa6-4540-8815-5e059978ba5a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34ab5727b71b4ada8d2ee6b551bb9af7fde0751633ae8f0a12812304a7a36c1c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 34ab5727b71b4ada8d2ee6b551bb9af7fde0751633ae8f0a12812304a7a36c1c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1612961/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189986/

Comments