MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
SHA3-384 hash: bbe3082e9c9ffad9b9a551c9cc1f0df3b77fc44453905c00eb31dc2ecb60712f52c69fcb73964b92c34d4395a625c7be
SHA1 hash: a5dc3c46688bac249e0da29b1b2da8640039d108
MD5 hash: 52b69ccf22ec2b5084fee8f4ec9188ed
humanhash: gee-orange-batman-nebraska
File name:52B69CCF22EC2B5084FEE8F4EC9188ED.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'889'954 bytes
First seen:2021-09-05 12:41:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:x4CvLUBsg2+CVzkHKOefDoizAg9JLgLu+9bY9lQgG/4Vl4kR:xlLUCg2+CVvO/uDHQt4x
Threatray 501 similar samples on MalwareBazaar
TLSH T1D03633143FC5C6B6CA512632D3141FF564AD83981E7B0DC763B5434582B88FAE2BEA2D
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.173/ https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52B69CCF22EC2B5084FEE8F4EC9188ED.exe
Verdict:
No threats detected
Analysis date:
2021-09-05 12:44:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c94ac1b2-1f96-432e-9423-7520026bfcd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185441/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Jaik-9890304-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Launching a process
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/660c1f65-0635-4b3d-89c1-5b429dffa792
Result
Threat name:
RedLine Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845537
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477968 Sample: jNqtcYPpUY.exe Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 75 23.35.236.56 ZAYO-6461US United States 2->75 77 45.90.58.90 GREENFLOID-ASUA Bulgaria 2->77 79 5 other IPs or domains 2->79 103 Antivirus detection for URL or domain 2->103 105 Antivirus detection for dropped file 2->105 107 Multi AV Scanner detection for dropped file 2->107 109 13 other signatures 2->109 10 jNqtcYPpUY.exe 17 2->10         started        signatures3 process4 file5 47 C:\Users\user\AppData\...\setup_install.exe, PE32 10->47 dropped 49 C:\Users\user\...\Wed17fd15fbb4ac7c543.exe, PE32 10->49 dropped 51 C:\Users\user\AppData\...\Wed17a270d1ccaf.exe, PE32 10->51 dropped 53 12 other files (5 malicious) 10->53 dropped 13 setup_install.exe 1 10->13         started        process6 dnsIp7 97 8.8.8.8 GOOGLEUS United States 13->97 99 172.67.142.91 CLOUDFLARENETUS United States 13->99 101 127.0.0.1 unknown unknown 13->101 123 Adds a directory exclusion to Windows Defender 13->123 17 cmd.exe 13->17         started        19 cmd.exe 13->19         started        21 cmd.exe 1 13->21         started        23 7 other processes 13->23 signatures8 process9 signatures10 26 Wed171c9fe18fa49b295.exe 17->26         started        31 Wed172e915f6989e2.exe 19->31         started        33 Wed170e3990005c893.exe 2 21->33         started        111 Adds a directory exclusion to Windows Defender 23->111 35 Wed176437b636da.exe 23->35         started        37 Wed17fd15fbb4ac7c543.exe 23->37         started        39 Wed17ed9cf3ab.exe 23->39         started        41 2 other processes 23->41 process11 dnsIp12 81 37.0.10.214 WKD-ASIE Netherlands 26->81 83 31.210.20.251 PLUSSERVER-ASN1DE Netherlands 26->83 93 8 other IPs or domains 26->93 55 C:\Users\...\xr_O7aCeeUkC3k9__GQWWbzf.exe, PE32 26->55 dropped 57 C:\Users\...\vIeA2zE7Hlh7L4u6NEdUe7OU.exe, PE32 26->57 dropped 59 C:\Users\...\pLDHBIb31dgzpbxS9khSH0lf.exe, PE32 26->59 dropped 67 47 other files (40 malicious) 26->67 dropped 113 Drops PE files to the document folder of the user 26->113 115 Tries to harvest and steal browser information (history, passwords, etc) 26->115 117 Disable Windows Defender real time protection (registry) 26->117 85 88.99.66.31 HETZNER-ASDE Germany 31->85 87 172.67.141.201 CLOUDFLARENETUS United States 31->87 61 C:\Users\user\AppData\Roaming\8821409.exe, PE32 31->61 dropped 63 C:\Users\user\AppData\Roaming\7449595.exe, PE32 31->63 dropped 69 3 other files (none is malicious) 31->69 dropped 119 Detected unpacking (changes PE section rights) 31->119 89 192.168.2.1 unknown unknown 33->89 121 Creates processes via WMI 33->121 43 Wed170e3990005c893.exe 33->43         started        71 2 other files (none is malicious) 35->71 dropped 91 74.114.154.18 AUTOMATTICUS Canada 37->91 65 C:\Users\user\AppData\...\Wed17ed9cf3ab.tmp, PE32 39->65 dropped file13 signatures14 process15 dnsIp16 95 104.21.79.144 CLOUDFLARENETUS United States 43->95 73 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 43->73 dropped file17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756/
Threat name:
Win32.Downloader.Zenlod
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 19:35:27 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gvbaed3t4jh7ne5vbi3vxpjwnzvwzjgnj7mtxukuapsmy4gzc5la._file
Verdict:
unknown
Similar samples:
022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38
RaccoonStealer
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
RaccoonStealer
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
RaccoonStealer
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
RaccoonStealer
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
RaccoonStealer
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
RaccoonStealer
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
RaccoonStealer
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
RaccoonStealer
ecc23ade7514bff1e172b9a02c27572a66e0d16bb68b4927198dc091abf1c982
RaccoonStealer
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
RaccoonStealer
+ 491 additional samples on MalwareBazaar
Result
Malware family:
vkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:vidar family:vkeylogger botnet:706 botnet:937 botnet:b8ef25fa9e346b7a31e4b6ff160623dd5fed2474 botnet:pab777 aspackv2 evasion infostealer keylogger stealer themida trojan
Link:
https://tria.ge/reports/210905-pxdcsahfb6/
Behaviour
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
Executes dropped EXE
ASPack v2.12-2.42
Downloads MZ/PE file
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
VKeylogger
VKeylogger Payload
Vidar
Malware Config
C2 Extraction:
185.215.113.15:6043
https://lenko349.tumblr.com/
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
e173de6e79423d659886704dcaaf5848078ced4e14e0772e4f1e7b3931bb0862
MD5 hash:
95f9e24e7dd90ee5892743c58801db9f
SHA1 hash:
f107fcd45e57e7b71193f1f1777b8377f5d3cda1
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
e621e23cf07ea962557bce0f28940a8283135de86d3fd3d520d58115a8484982
MD5 hash:
35959e37d587e649357c57c2c5797a93
SHA1 hash:
b3f2ef17f1c45e34ea84a70285a14672034a97ae
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
4266165affda48b7a0fc19e67760e2d0ff275bf5f66d463acdf89c17362c3022
MD5 hash:
6e5515bdee2907426548266c47390abc
SHA1 hash:
105000cfd2dcd2e5f5f5f9e1f5ab4eff4626473e
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
61c5fcaa49f0d49c151aed1076625455a245150942dd292a29182d8ca1ce6bfc
MD5 hash:
b00957824ab7790185ec07c6e6face35
SHA1 hash:
1107b6a89474fe310fcdd0589a628a06eef5c264
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
c8040666dfc672d25ad082c69e3ba73dd9f012e253a6a3dbb5f24d28ff816575
MD5 hash:
4cd8a3d2d2392735aa89b8d985b479a2
SHA1 hash:
ffde7e9becc0b6ce67829fa8cb7f3d25d44a7028
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
Parent samples :
8303c9a626d7edb090bdd8f0d128fc887b7fa36b0dfc43a7f71dcb5b34b1bbab
ecc23ade7514bff1e172b9a02c27572a66e0d16bb68b4927198dc091abf1c982
f25e4213555bb2e557f66fb99d91a03972c1882ca8c2ac8748e25fc09798e2be
022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38
4468428f16aeb36c8c1a53f40c68806473201d37d94b6ac8f1c0d324d1e17006
96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
9cf8a802217928175088777f3f886dde3cba71c0a5c427ed169e24581e1c7a9b
e63f3efc1462f054169998d9bdb7e5b2ca0cb78b393e978880458965472f76de
8896b158ac271c269cfea637cd9402db48676eeef02b9d694d5c9f0eaeb3dbb0
1f2a3d598734fe566de2054f3c73fd2245fc6023f0740bdbae88a076f508ebd2
18f74890fef60f1e18d5b1d0b43f100c69b430445187d672bbedf46aff687d09
74bafd56c1fb3cdebf0a63de4ffb6f16dc1d5cee38e11ab0d2bc2614538da65f
07c18e8e0f92e75367df02c4114947b038e86fcbc7c8e5a77df739deb955263a
3d898349908143bef8f7652dada13c6075f84af469349be709b1d33d2ddf6672
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
36d2e4ff908e77ed26fc9485ccd179cea6ff17c66fe1fdee45ee6e5bc52b754b
MD5 hash:
c49ef2b57cf9f9c8131e6e607911d674
SHA1 hash:
319a54901ae19e10bcd15112f27944b25e76ac8a
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
c6b27043e32354f111a6080ca0e96b8fa0a334f92b538cdfc8dc297380479d08
MD5 hash:
10c90ba5a47c8c640e814a37f5901a9e
SHA1 hash:
de2b4ac96d10e59b0abe48c660b6d74dcdbe2f50
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash:
51894ed4e7fec456b08027e2e6620386
SHA1 hash:
bbffdd90f9a5644086006734e03c15ac28db1ae9
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
9af571614d14586508e8870503af9fda6f7ffe5194dd95732eba9c074fb76674
MD5 hash:
2ca0b79755d9301591839c1c5a67368b
SHA1 hash:
99778d6a7127c447e59bb60753c8d9674b7f5069
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
3cfa09a0f2c96f5131860a4334367f80710fdd111c9ab3527e14215529033996
MD5 hash:
f04d16b1aa2f25dbddf2bd181bc5c032
SHA1 hash:
96ef51220aa7358c7e53f8e1964217a307f96059
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
367591f8a40151c4d788bbaa29e20b3dd57ce22f056b51f9f0380e4fd2275c07
MD5 hash:
4e0196b3ab0d47e4a2093ffa87c7326b
SHA1 hash:
58ba603c32b3036477b615cd46a9e834cc4645d8
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
96aebb504a87e240a46e3e6b0cdfbaf6fc1e846e22a6fc2393c45c3208184f6c
MD5 hash:
d2c1d7aae1a68dfc796d0740a341740b
SHA1 hash:
400e51592995edb266d84b0c7db1f41fdb3dc342
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
5eeb70d2d0281b1102b48bd5c160fa1199c9630ab5d12ef9077acfc300fe82aa
MD5 hash:
e856a556d404abae426029f407a89d6f
SHA1 hash:
2fb4c7890e7b1fef757a84af28ad34b4be529915
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
8c2df8b7dd3f3da28dfc8ea14abf9fc6d40dc87973de8af69c5274d3ae86affe
MD5 hash:
d3022335f0de5967538364edc6f76783
SHA1 hash:
157743b90ee241b0e721c74cc0e9f832c68a17dc
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
6009e9dc8bb0a2129ed9d499b30ba95c96e999e83fb8a9ff4e7214fd8ff6536b
MD5 hash:
75f348f8f940835f92d0b531125ae28f
SHA1 hash:
950966ebc82e9ccbee21eeb3b5d08a5fb472af9e
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
a70f6a290ef59120fad0eb7bc995e08ff59be7c9e58593f69f47621919afd548
MD5 hash:
eb57073ca9978d60d72de3e931842f59
SHA1 hash:
0bf1c2c2f72cd2b35aca7f137e70376fb740e7f8
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
bb4b2816f9fabc4a9c2150915ded2a7ad6178b8fc634cbf2c81b567eb3a11891
MD5 hash:
4e892d398f4337981c15fc0e572a9205
SHA1 hash:
dffe4e8d3365f3becd34ca1270769eed3c0c714c
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
fa8995d8fc4cef80e9f5e5a3b9f1d48422f41239c76906271c8ec4b94f376880
MD5 hash:
911da17d2d9b0c58849c6d202d1ebd1b
SHA1 hash:
c80c313e8eeae4155f7955767c71f88728b94f61
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
1d2a8df0a1c8835cc84ea56d1ebf227fac09e27889221a68548a1b7cc7dd6ad2
MD5 hash:
7086bb1de5e4e3f529b87623a9d3879f
SHA1 hash:
3fe3419881e94e01863be4cc5ad1af912b99b260
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
SH256 hash:
3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756
MD5 hash:
52b69ccf22ec2b5084fee8f4ec9188ed
SHA1 hash:
a5dc3c46688bac249e0da29b1b2da8640039d108
Link:
https://www.unpac.me/results/c6959dc8-c22a-4633-ae45-fe0a12771367/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3542020f73e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3542020f73e24ff693b50a375bbd366e6b6ca4cd4fd93bd15403e4cc70d91756

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185441/

Comments