MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34eea6a07ea67c590471581473b4a17d5ac8214e1ec94464af43fb2ce7334808. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34eea6a07ea67c590471581473b4a17d5ac8214e1ec94464af43fb2ce7334808
SHA3-384 hash: ab861b5de01f1824c8317e512ac95a3cd84ebd97637a6dc59bdf629514e4580ccccc53d3fd9f8693b9fef227c23e4317
SHA1 hash: 5b0771b1886a5e77bc9fe9505a11e94d10a23d07
MD5 hash: 1ea80e6a35c7ebf9661d9c7fa5ae85ab
humanhash: carolina-carpet-artist-pip
File name:1EA80E6A35C7EBF9661D9C7FA5AE85AB.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'656 bytes
First seen:2021-05-27 09:35:27 UTC
Last seen:2021-05-27 10:47:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 96:3WmCPRTgQRmMnG6+0zP1JkJXNMaIXMe0fzNt:mlTiqXxzP7uXNocZJ
Threatray 54 similar samples on MalwareBazaar
TLSH 25D1EA04B3C84A32EEFA42B66E6363518774F795D8278BAF28C4224B5C37B450E52B31
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.144.29.143/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.144.29.143/ https://threatfox.abuse.ch/ioc/64495/

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fucker.exe
Verdict:
Malicious activity
Analysis date:
2021-05-22 07:39:25 UTC
Tags:
evasion opendir trojan loader stealer rat redline ficker vidar
Link:
https://app.any.run/tasks/e85e98c9-1f75-4f6e-b28c-266423f152bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162673/
Detection(s):
SecuriteInfo.com.Variant.Bulz.486116.31721.2164.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Sending a UDP request
Connection attempt
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Deleting a recently created file
Creating a process with a hidden window
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc0831be-c51f-4d0e-aff1-4e96415ed345
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793115
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425510 Sample: QUjeZ56Irv.exe Startdate: 27/05/2021 Architecture: WINDOWS Score: 100 46 news-systems.xyz 2->46 48 iphonemail.xyz 2->48 50 9 other IPs or domains 2->50 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 72 9 other signatures 2->72 8 QUjeZ56Irv.exe 14 109 2->8         started        signatures3 70 May check the online IP address of the machine 46->70 process4 dnsIp5 52 arelchem.com 8->52 54 privacytools.xyz 45.139.187.152, 49726, 80 HostingvpsvilleruRU Russian Federation 8->54 56 16 other IPs or domains 8->56 38 C:\Users\...\ZTVZ4UQJW03JJ8KA0CR516OQ.exe, PE32 8->38 dropped 40 C:\Users\...\ZNZV6HA940DQNEXTBQ68DIQ3.exe, PE32 8->40 dropped 42 C:\Users\...\ZNVYGFNX82G4T7TT1JAL8XN4.exe, PE32 8->42 dropped 44 99 other malicious files 8->44 dropped 74 Drops PE files to the document folder of the user 8->74 76 May check the online IP address of the machine 8->76 78 Performs DNS queries to domains with low reputation 8->78 13 ET6LZDFFOZ6VUVXN45G1ISWP.exe 15 3 8->13         started        17 K5VBFUK33JQ32ABQYBQL5K30.exe 8->17         started        19 Y8ATFRLSZLAYIP0T514AS0Z7.exe 8->19         started        21 30 other processes 8->21 file6 signatures7 process8 dnsIp9 58 wlf.gofast24.ru 217.107.34.191 RTCOMM-ASRU Russian Federation 13->58 80 Writes to foreign memory regions 13->80 82 Allocates memory in foreign processes 13->82 84 Sample uses process hollowing technique 13->84 24 AddInProcess32.exe 13->24         started        86 Contains functionality to inject code into remote processes 17->86 88 Injects a PE file into a foreign processes 17->88 90 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->90 60 ip-api.com 208.95.112.1 TUT-ASUS United States 21->60 62 www.wws23dfwe.com 45.76.53.14 AS-CHOOPAUS United States 21->62 30 C:\Users\user\...\Java 8 Update 211.exe, PE32 21->30 dropped 32 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 21->32 dropped 34 C:\Users\user\AppData\Local\...\install.dll, PE32 21->34 dropped 36 4 other files (1 malicious) 21->36 dropped 92 Antivirus detection for dropped file 21->92 94 Multi AV Scanner detection for dropped file 21->94 96 May check the online IP address of the machine 21->96 98 3 other signatures 21->98 26 conhost.exe 21->26         started        28 conhost.exe 21->28         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34eea6a07ea67c590471581473b4a17d5ac8214e1ec94464af43fb2ce7334808/
Threat name:
ByteCode-MSIL.Spyware.Fbkatz
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 00:16:46 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gtxknid6uz6fsbdrlakhhnfbpvnmqikod3euizfpip5szzztjaea._file
Verdict:
malicious
Similar samples:
0e63f296fdc309cb1e487cd1a549d029d2a9144b8a050db274901030dc6ec0f3
RaccoonStealer
2c32dcb54c310daf509527d74de8ab4cb7b45425fa543a5df22afd1e9bd00fd5
RaccoonStealer
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
RaccoonStealer
5397b6d592556e4d65cd442190cfbcba5b3d253b0fbfcc0a16f1c6f2b48a58c4
RaccoonStealer
541ebfa6dd694728edd3cf536a13c739179edadcd880e7c28e074b60da1bcac8
RaccoonStealer
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
RaccoonStealer
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
RaccoonStealer
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
RaccoonStealer
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
RaccoonStealer
e6e11a92390d1e01775514d1a4f047f5b94471070a07bf82b6e9fe5c547d55a8
RaccoonStealer
+ 44 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline botnet:6447ddb8de9964c955881586d5d40c3797a2bae7 botnet:74452b5cbc58563477e4a9e149f2093398530bbd botnet:jasonnew infostealer stealer upx vmprotect
Link:
https://tria.ge/reports/210527-4heh2zk5gj/
Behaviour
Kills process with taskkill
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Raccoon
RedLine
RedLine Payload
Malware Config
C2 Extraction:
87.251.71.193:80
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34eea6a07ea67c590471581473b4a17d5ac8214e1ec94464af43fb2ce7334808

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PDB_Path_Keywords
Create hunting rule
Author:Florian Roth
Description:Detects suspicious PDB paths
Reference:https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162673/

Comments