MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0
SHA3-384 hash: 426d1639692f960dff10bce2dbc4accc205e05ed4791406425468357cde254212aa1b1dc2f9abce1d78a38acd11e8150
SHA1 hash: 87c250fcb6cefdf95be0312b03b1b7731ec2fb04
MD5 hash: f3e98675c732830a93b39475b1a1d2da
humanhash: snake-asparagus-earth-minnesota
File name:87c250fcb6cefdf95be0312b03b1b7731ec2fb04.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'919'936 bytes
First seen:2021-09-03 06:45:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 49152:DLup5/3jzTRhOa5mBY+yqTF2Q7o2Dp8SlYtmMhyLowIC6S:DLuHHT4YZqTvJWtmCyLowIC6S
Threatray 433 similar samples on MalwareBazaar
TLSH T13BD5696035D2942FF4730B73CBE9B3A9CEADD4F22F1265E8650096708C52EE76F91249
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.221/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.221/ https://threatfox.abuse.ch/ioc/213378/

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2021-08-28 04:02:42 UTC
Tags:
evasion trojan stealer vidar
Link:
https://app.any.run/tasks/8225b81f-8cbb-4aa7-90a8-984fdb5e730e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185032/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Creating a process with a hidden window
Reading critical registry keys
Launching a process
Creating a window
Deleting a recently created file
Replacing files
Running batch commands
Searching for the window
Creating a file in the %AppData% directory
Changing a file
Sending an HTTP POST request
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching a tool to kill processes
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8dacfb1c-f767-4cf8-9eea-c844d27df499
Result
Threat name:
Cookie Stealer Glupteba Metasploit Socel
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844561
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Found Tor onion address
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected Socelars
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476991 Sample: qu57kPofXM.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 85 46.105.31.147 OVHFR France 2->85 87 51.255.34.79 OVHFR France 2->87 89 4 other IPs or domains 2->89 115 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->115 117 Sigma detected: Xmrig 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 17 other signatures 2->121 9 qu57kPofXM.exe 10 2->9         started        12 svchost.exe 2->12         started        15 services64.exe 2->15         started        signatures3 process4 file5 71 C:\Users\user\AppData\Local\...\BearVpn 3.exe, PE32 9->71 dropped 73 C:\Users\user\AppData\Local\Temp\6.exe, PE32+ 9->73 dropped 75 C:\Users\user\AppData\Local\Temp\5.exe, PE32 9->75 dropped 77 6 other files (3 malicious) 9->77 dropped 17 Chrome 5.exe 5 9->17         started        20 1.exe 15 3 9->20         started        24 4.exe 22 9->24         started        30 5 other processes 9->30 131 System process connects to network (likely due to code injection or exploit) 12->131 26 WerFault.exe 12->26         started        28 WerFault.exe 12->28         started        133 Contains functionality to inject code into remote processes 15->133 signatures6 process7 dnsIp8 49 C:\Users\user\AppData\...\services64.exe, PE32+ 17->49 dropped 32 services64.exe 17->32         started        37 cmd.exe 1 17->37         started        91 payments-online.xyz 20->91 123 Detected unpacking (changes PE section rights) 20->123 125 May check the online IP address of the machine 20->125 127 Performs DNS queries to domains with low reputation 20->127 93 135.181.29.254 HETZNER-ASDE Germany 24->93 95 194.145.227.161 CLOUDPITDE Ukraine 24->95 51 C:\Users\user\AppData\Local\...\null[1], PE32 24->51 dropped 53 C:\Users\user\AppData\Local\...\null[1], PE32 24->53 dropped 55 C:\Users\user\AppData\...\96125006750.exe, PE32 24->55 dropped 63 3 other files (none is malicious) 24->63 dropped 97 ip-api.com 208.95.112.1, 49726, 80 TUT-ASUS United States 30->97 99 iplogger.org 88.99.66.31, 443, 49719, 49723 HETZNER-ASDE Germany 30->99 101 6 other IPs or domains 30->101 57 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 30->57 dropped 59 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 30->59 dropped 61 C:\Users\user\AppData\...\aaa_v010[1].dll, DOS 30->61 dropped 129 Creates processes via WMI 30->129 39 LzmwAqmV.exe 30->39         started        41 5.exe 30->41         started        43 conhost.exe 30->43         started        file9 signatures10 process11 dnsIp12 79 sanctam.net 185.65.135.234, 49728, 58899 ESAB-ASSE Sweden 32->79 81 bitbucket.org 104.192.141.1, 443, 49729 AMAZON-02US United States 32->81 65 C:\Users\user\AppData\Roaming\...\WR64.sys, PE32+ 32->65 dropped 67 C:\Users\user\AppData\...\sihost64.exe, PE32+ 32->67 dropped 103 Injects code into the Windows Explorer (explorer.exe) 32->103 105 Writes to foreign memory regions 32->105 107 Allocates memory in foreign processes 32->107 113 3 other signatures 32->113 109 Uses schtasks.exe or at.exe to add and modify task schedules 37->109 45 conhost.exe 37->45         started        47 schtasks.exe 37->47         started        111 Detected unpacking (changes PE section rights) 39->111 83 live.goatgame.live 172.67.222.125, 443, 49727 CLOUDFLARENETUS United States 41->83 69 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 41->69 dropped file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 23:50:28 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=isx6e7f2lpdjswftpsjrlwg6dqsderavra5327rwr6omorddt3ia._file
Verdict:
malicious
Similar samples:
03eb4a70bc788ed9cd096d77502ef2f5788e4f3930c3bf5924cead278dc6872d
RaccoonStealer
283473a88217ba51d59c416ec4df9a019df2954d592dafbd60ac9b6df58abd96
RaccoonStealer
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
RaccoonStealer
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
RaccoonStealer
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
RaccoonStealer
ca30c496c6e9e5f4bec63c03c70fbdb84327121bc2fdd5c8c086e76b0b6dcb1f
RaccoonStealer
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
RaccoonStealer
+ 423 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:socelars family:xmrig botnet:56be4efb71b0a38de783d05b401b05f1bc805bb2 backdoor discovery dropper loader miner spyware stealer trojan
Link:
https://tria.ge/reports/210903-hjmwqscfd9/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
Raccoon
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Unpacked files
SH256 hash:
44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0
MD5 hash:
f3e98675c732830a93b39475b1a1d2da
SHA1 hash:
87c250fcb6cefdf95be0312b03b1b7731ec2fb04
Link:
https://www.unpac.me/results/593ad3bf-64cd-4ae5-a2cf-af349a308a94/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/44afe27cba5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185032/

Comments