MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4170bbfd45d3db9b8337b1259e3bdc33840201b6c8ba1f69efa65ac41020445f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4170bbfd45d3db9b8337b1259e3bdc33840201b6c8ba1f69efa65ac41020445f
SHA3-384 hash: 586e141488ce7ad7b5165de14ac81acb25096dc295967b2bd81feadf7a2094ca3d9b763aadf52dc32e0a1cd5ccf97fc2
SHA1 hash: 830d567fc9217e49a7066fdf0e8fe68fc757c3fe
MD5 hash: 573bc9bb0f24ff5046e164f2139777f6
humanhash: october-jig-double-yankee
File name:573bc9bb0f24ff5046e164f2139777f6.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:180'736 bytes
First seen:2021-08-26 12:36:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 915c33ea178f4e014c52a0e08d0a2d56 (11 x RaccoonStealer, 1 x DanaBot, 1 x RedLineStealer)
ssdeep 3072:BxHN34Oql/K1+rQ5BSwAINelRHwhZoWC9sI5/DuT61m:B5NInhrMGICHwhZU9sI5/
Threatray 3'955 similar samples on MalwareBazaar
TLSH T16A04CE3075B0C17AF8C61970C869DBA02A3BF8F35A64855B3784576F3E312C0562EAE7
dhash icon 4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.47.239/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.239/ https://threatfox.abuse.ch/ioc/195888/

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
573bc9bb0f24ff5046e164f2139777f6.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-26 12:45:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ff7641f6-20bb-4df9-84f9-1b18879540be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182625/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.32451.25704.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Connection attempt to an infection source
Launching a process
Searching for the window
Reading critical registry keys
Setting browser functions hooks
Query of malicious DNS domain
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1aa4bc8-0554-410c-9c8f-8a348e5b8148
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839921
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472352 Sample: HBHNYsrx3p.exe Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 79 geoiptool.com 2->79 81 z-p42-instagram.c10r.facebook.com 2->81 83 33 other IPs or domains 2->83 113 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 Antivirus detection for URL or domain 2->117 121 21 other signatures 2->121 10 HBHNYsrx3p.exe 2->10         started        13 cghtgdi 2->13         started        15 svchost.exe 60 2->15         started        17 10 other processes 2->17 signatures3 119 May check the online IP address of the machine 79->119 process4 dnsIp5 131 Detected unpacking (changes PE section rights) 10->131 133 Contains functionality to inject code into remote processes 10->133 135 Injects a PE file into a foreign processes 10->135 20 HBHNYsrx3p.exe 10->20         started        23 cghtgdi 13->23         started        137 Injects code into the Windows Explorer (explorer.exe) 15->137 25 WerFault.exe 15->25         started        75 127.0.0.1 unknown unknown 17->75 77 192.168.2.1 unknown unknown 17->77 139 Changes security center settings (notifications, updates, antivirus, firewall) 17->139 signatures6 process7 signatures8 123 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->123 125 Maps a DLL or memory area into another process 20->125 127 Checks if the current machine is a virtual machine (disk enumeration) 20->127 27 explorer.exe 24 20->27 injected 129 Creates a thread in another existing process (thread injection) 23->129 process9 dnsIp10 85 185.49.70.90, 2080, 49714 LEASEWEB-DE-FRA-10DE United Kingdom 27->85 87 readinglistforaugust2.xyz 95.213.224.6, 49706, 80 SELECTELRU Russian Federation 27->87 89 4 other IPs or domains 27->89 59 C:\Users\user\AppData\Roaming\cghtgdi, PE32 27->59 dropped 61 C:\Users\user\AppData\Local\Temp\BD66.exe, PE32 27->61 dropped 63 C:\Users\user\AppData\Local\Temp\B278.exe, PE32 27->63 dropped 65 9 other malicious files 27->65 dropped 141 System process connects to network (likely due to code injection or exploit) 27->141 143 Benign windows process drops PE files 27->143 145 Performs DNS queries to domains with low reputation 27->145 147 4 other signatures 27->147 32 3C27.exe 27->32         started        37 BD66.exe 3 27->37         started        39 2D42.exe 27->39         started        41 5 other processes 27->41 file11 signatures12 process13 dnsIp14 67 geoiptool.com 32->67 69 www.geodatatool.com 158.69.65.151, 443, 49710, 49711 OVHFR Canada 32->69 51 C:\Users\user\AppData\...\explorer.exe, PE32 32->51 dropped 91 Multi AV Scanner detection for dropped file 32->91 93 May check the online IP address of the machine 32->93 95 Machine Learning detection for dropped file 32->95 111 5 other signatures 32->111 97 Query firmware table information (likely to detect VMs) 37->97 99 Hides threads from debuggers 37->99 101 Tries to detect sandboxes / dynamic malware analysis system (registry check) 37->101 43 conhost.exe 37->43         started        45 conhost.exe 39->45         started        71 185.163.47.239, 59054, 80 MIVOCLOUDMD Moldova Republic of 41->71 73 telete.in 195.201.225.248, 443, 49727 HETZNER-ASDE Germany 41->73 53 unknown (copy), SQLite 41->53 dropped 55 C:\Users\user\AppData\Local\...\jqozeznb.exe, PE32 41->55 dropped 57 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 41->57 dropped 103 Detected unpacking (changes PE section rights) 41->103 105 Tries to detect sandboxes and other dynamic analysis tools (window names) 41->105 107 Tries to harvest and steal browser information (history, passwords, etc) 41->107 109 Injects a PE file into a foreign processes 41->109 47 WerFault.exe 41->47         started        49 conhost.exe 41->49         started        file15 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4170bbfd45d3db9b8337b1259e3bdc33840201b6c8ba1f69efa65ac41020445f/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 12:37:09 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifylx7kf2pnzxazxwesz4o64gocaeanwzc5b62ppuznmiebairpq._file
Verdict:
suspicious
Similar samples:
236ab7da9937a781cba35cddaf2fe23ee1cfab4478f921cd73908ecf200be287
RaccoonStealer
3f3fecd695146b28e051593aabcd535dc366932c08bf0011ae997ad6b7e39147
RaccoonStealer
5c755d14199295a752594d0bb2a4c6bd7ede35ea7c078499fc7fff96451b2530
RaccoonStealer
60ab0131b6fa420a6a8039b60ac948db87033e9a8db69b16344e3d9222859556
RaccoonStealer
831c4dbfc88b4a10504a77ce20c663633e07e4f2bab5cd94eb27ba56e5427572
RaccoonStealer
b302fcb42934760527ba26528d13aaa8e2cc3150b8055485e5c27f24edaf2892
RaccoonStealer
c55df5e9d0ea176321a29f8957c7a43188796ae0fc0ffe1ae94ad6092d30ba77
RaccoonStealer
c87fe4ff57a5464c0155bd1a8a924a2d77a79fdf87cba206e9ef5ac0d0f848cf
RaccoonStealer
f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc
RaccoonStealer
faf49f9b1d785e077bd17c37eddec80c57d3ffc843a745e6854c9b7a6812b7e0
RaccoonStealer
+ 3'945 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/210826-s2g6ppasqa/
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/17af182b-0085-485e-b8dd-323fed4cff86/
SH256 hash:
4170bbfd45d3db9b8337b1259e3bdc33840201b6c8ba1f69efa65ac41020445f
MD5 hash:
573bc9bb0f24ff5046e164f2139777f6
SHA1 hash:
830d567fc9217e49a7066fdf0e8fe68fc757c3fe
Link:
https://www.unpac.me/results/17af182b-0085-485e-b8dd-323fed4cff86/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4170bbfd45d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4170bbfd45d3db9b8337b1259e3bdc33840201b6c8ba1f69efa65ac41020445f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182625/

Comments