MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12



SHA256 hash: 3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
SHA3-384 hash: 2376dad8e0ede51a6c27af1f198cec0d503f297930118e14487b1cc112e014ab1ed4f22d55a21366fe65452310e0e1fd
SHA1 hash: 87c57a25a1837cefe066411f61e89e4d3617707b
MD5 hash: 89807de693c5d845d463f6da8990befd
humanhash: colorado-emma-beryllium-five
File name: 89807DE693C5D845D463F6DA8990BEFD.exe
Signature: RaccoonStealer
File size: 3'980'457 bytes
First seen: 2021-06-09 20:41:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:UbnFZeT8F+BmZ+DrZ3smjx/KNLTBXSX47C+kyZ9k2:Ufa8F+cAJcNLTJSqjk2
Threatray: 67 similar samples on MalwareBazaar
TLSH: C8063311BDC0C8B2D5B51E774C285B22553D7E211F298EEB67E49A9D89301E0BB30BB7
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
31.31.199.24:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC              ThreatFox Reference
31.31.199.24:80  https://threatfox.abuse.ch/ioc/85494/

Intelligence


File Origin
Uploads: 1
Downloads: 269
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
Verdict:
Malicious activity
Analysis date:
2021-06-10 06:09:49 UTC
Tags:
autoit evasion trojan stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% directory
Creating a file
DNS request
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Creating a process with a hidden window
Reading critical registry keys
Deleting a recently created file
Creating a file in the %AppData% directory
Running batch commands
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Launching a tool to kill processes
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon SmokeLoader Socelars Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 432241; sample LVh23zF9x9.exe; start date 09/06/2021; architecture WINDOWS; score 100). The graph rendering did not survive extraction; the process tree, network contacts, dropped files and per-process signatures it encoded are listed below.

Sample start
  network: email.yg9.me
  signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 18 other signatures
  starts: LVh23zF9x9.exe, iexplore.exe, WinHoster.exe

LVh23zF9x9.exe
  drops: C:\Users\user\Desktop\pub2.exe (PE32); C:\Users\user\Desktop\jg3_3uag.exe (PE32); C:\Users\user\Desktop\KRSetp.exe (PE32); 5 other files (2 malicious)
  starts: KRSetp.exe, Files.exe, IDWCH1.exe, 5 other processes

iexplore.exe
  starts: iexplore.exe (child), which contacts iplogger.org 88.99.66.31 (443, 49715, 49716; HETZNER-ASDE Germany)

KRSetp.exe
  network: topnewsdesign.xyz 104.21.69.75 (443, 49717; CLOUDFLARENETUS United States); 192.168.2.1 (unknown)
  drops: C:\Users\user\AppData\Roaming\8719906.exe, 6661096.exe, 4446297.exe, 7865648.exe (all PE32)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Performs DNS queries to domains with low reputation
  starts: 6661096.exe, 8719906.exe, 4446297.exe, 7865648.exe

Files.exe
  network: niks.webtm.ru 92.53.96.150 (49713, 80; TIMEWEB-ASRU Russian Federation)
  drops: 2 other malicious files
  signatures: Binary is likely a compiled AutoIt script file; Drops PE files to the user root directory
  starts: run2.exe, run.exe

IDWCH1.exe
  drops: C:\Users\user\AppData\Local\...\IDWCH1.tmp (PE32)
  starts: IDWCH1.tmp

5 other processes (children of LVh23zF9x9.exe)
  network: 101.36.107.74 (49718, 80; UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China); ip-api.com 208.95.112.1 (49726, 80; TUT-ASUS United States); 5 other IPs or domains
  drops: C:\Users\user\Documents\...\jg3_3uag.exe (PE32); C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); 5 other files (none is malicious)
  signatures: DLL reload attack detected; Drops PE files to the document folder of the user; Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)
  starts: jfiag3g_gg.exe (Tries to harvest and steal browser information (history, passwords, etc)); 5 other processes (Creates a thread in another existing process (thread injection))

6661096.exe
  drops: C:\Users\user\AppData\...\WinHoster.exe (PE32)
  signatures: Creates multiple autostart registry keys
  starts: WinHoster.exe

8719906.exe
  network: videoconvert-download12.xyz 172.67.192.171 (443, 49728; CLOUDFLARENETUS United States)
  drops: 7 other files (none is malicious)
  signatures: Performs DNS queries to domains with low reputation
  starts: WerFault.exe, which contacts 104.42.151.234 (MICROSOFT-CORP-MSN-AS-BLOCKUS United States)

4446297.exe
  network: gameshome.xyz 172.67.163.99 (443, 49733; CLOUDFLARENETUS United States)
  drops: 7 other files (none is malicious)

run2.exe
  network: 159.69.20.131 (49732, 80; HETZNER-ASDE Germany); bandakere.tumblr.com 74.114.154.22 (443, 49729; AUTOMATTICUS Canada)
  drops: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 11 other files (none is malicious)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets

IDWCH1.tmp
  network: limesfile.com 198.54.126.101 (49730, 80; NAMECHEAP-NETUS United States)
  drops: C:\Users\user\...\8__________________67.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
  starts: 8__________________67.exe

8__________________67.exe
  network: 198.54.116.159 (NAMECHEAP-NETUS United States); 93.184.221.240 (49679, 49680, 80; EDGECASTUS European Union); 2 other IPs or domains
  drops: C:\Program Files (x86)\...\ZHukaxeqeva.exe (PE32); C:\...\ZHukaxeqeva.exe.config (XML); C:\Users\user\AppData\...\ZHokyfodexy.exe (PE32); 2 other files (none is malicious)
  signatures: Creates multiple autostart registry keys
Threat name:
Win32.Trojan.CookiesStealer
Status:
Malicious
First seen:
2021-06-07 22:41:09 UTC
AV detection:
28 of 46 (60.87%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:elysiumstealer family:plugx family:raccoon family:redline family:smokeloader family:vidar botnet:jamnn1 backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
ElysiumStealer
PlugX
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
94.103.93.224:44317
Unpacked files
SHA256 hash:
e77cdc6d91da7a5293f4b9ec11524dd8302c63b44d3aa2eaa5ea6691e5216237
MD5 hash:
2724973fee4e3d0f9e3da19e32be212c
SHA1 hash:
632e40eece8d06f9d8bcb88488ecfe34b608ead3
SHA256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
SHA256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
SHA256 hash:
1bb1e726362311c789fdfd464f12e72c279fb3ad639d27338171d16e73360e7c
MD5 hash:
428557b1005fd154585af2e3c721e402
SHA1 hash:
3fc4303735f8355f787f3181d69450423627b5c9
SHA256 hash:
1024eae8126b80a5dbbe0572bfe1963ea4c740bc74a506cbc44de0c47c866212
MD5 hash:
a8105e9a22e3843e4f1b74ca0e35bef7
SHA1 hash:
221dda53eeca1acebadc778f95004fa8c6b5a545
SHA256 hash:
facb4f880479457c1bc615da0878a446e74c5318cec1895e550798b0909f206d
MD5 hash:
0f29b22aeb6242331d1c4e4bbf4e3815
SHA1 hash:
bc17e1dafb418d955d422115be3a184d96bff3f7
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash:
a7732204d9c883a4373c8b615c97de43
SHA1 hash:
017de30fc0647908eb8dd532982ce6644fb13e59
SHA256 hash:
d098a95a9dc0c8aa6360daff26652362275d381eae3faa2c0150729b286d541e
MD5 hash:
78f204288883b22af12583a313911109
SHA1 hash:
eb857baaba4487e35ce118a7a50dc3b90068b328
SHA256 hash:
1badef9c89d708a864b0f9fc7cc036601e3f9ea88ea50545647a5c76e59a5e65
MD5 hash:
0c969ac813005e77997ea50a2451d3f5
SHA1 hash:
d2330287caa11e8979fb2c6454aa844fe8edb88a
SHA256 hash:
540ba80e8ab055cebda922aeed54b3073820423e9520e3b0f3e566db3a450991
MD5 hash:
76e9b622863c7a5f421214aff86f3deb
SHA1 hash:
59ce2dffeca4fdaa3dd4b5692d3bb54be2d8e73d
SHA256 hash:
49ad1d04a242756bea3cb7ef1285a1c2355326901ef480ccc9b41ed8b923aa4c
MD5 hash:
790565c1e8b6b638a01c90346c3f7330
SHA1 hash:
81658e0815a68da0083a913d47a8abbc9f97df27
Detections:
win_socelars_auto
SHA256 hash:
2f4afd6047ca4e223840b35c9ab02540fd191528abbd57e03f5cbaf7d7187cd6
MD5 hash:
6a36bb069c4d59c43f3865e514dcc98a
SHA1 hash:
f079d08b95bdd9c87bce4fd0c7f7f63d89a923d2
SHA256 hash:
fb81b225de60ba410d8203df659fd18600666f385b558c1ff275ff253a9d2674
MD5 hash:
f280b3cffaab39b31242a4982f900e25
SHA1 hash:
ca0f336372e1d13902b227c38ac75ccacedc5743
SHA256 hash:
3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
MD5 hash:
89807de693c5d845d463f6da8990befd
SHA1 hash:
87c57a25a1837cefe066411f61e89e4d3617707b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments