MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 6 YARA File information Comments 1

SHA256 hash: 498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3
SHA3-384 hash: 8e016eca38ba89948abdff9368bdd35f4003d6946676297480bfb0f622eaab6f82eba3b85b5d840ee3a7c245ff08f50a
SHA1 hash: 5241d6fd4013ec8251df46e231665471a8ca70db
MD5 hash: aea21ab88cca720a34ec1c9c4794f82a
humanhash: finch-delta-hot-stream
File name:aea21ab88cca720a34ec1c9c4794f82a
Download: download sample
Signature RaccoonStealer
File size:767'327 bytes
First seen:2022-01-14 16:58:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (8 x RedLineStealer, 5 x Adware.InstallCore, 5 x ArkeiStealer)
ssdeep 12288:VQi3rNSH1v6m6URA3PhOop1hf39Wkv8xwJYyHDZ:VQi7NSH1ChhvpdUMYY
Threatray 338 similar samples on MalwareBazaar
TLSH T113F45832D84C73A1FA5B8D308C22BE284B3B79F41B66D111B57B761DC7BF1487126A92
File icon (PE):PE icon
dhash icon b4aa8eb2f0b286a0 (1 x RaccoonStealer)
Reporter @zbetcheckin
Tags:32 exe RaccoonStealer trojan

Intelligence


File Origin
# of uploads :
1
# of downloads :
261
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aea21ab88cca720a34ec1c9c4794f82a
Verdict:
Suspicious activity
Analysis date:
2022-01-14 17:00:04 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
–°reating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Adding an access-denied ACE
Launching a process
Searching for the browser window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many IPs within the same subnet mask (likely port scanning)
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 553343 Sample: 1nJGU59JPU Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 104 yonhelioliskor.com 2->104 106 www.profitabletrustednetwork.com 2->106 108 62 other IPs or domains 2->108 156 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->156 158 Antivirus detection for URL or domain 2->158 160 Antivirus detection for dropped file 2->160 162 8 other signatures 2->162 11 1nJGU59JPU.exe 2 2->11         started        15 ZHunuhebaqu.exe 2->15         started        18 ZHunuhebaqu.exe 2->18         started        signatures3 process4 dnsIp5 82 C:\Users\user\AppData\...\1nJGU59JPU.tmp, PE32 11->82 dropped 164 Obfuscated command line found 11->164 20 1nJGU59JPU.tmp 3 19 11->20         started        150 s3.fr-par.scw.cloud 51.159.62.6, 443, 49768 OnlineSASFR France 15->150 152 google.com 15->152 154 delice.s3.fr-par.scw.cloud 15->154 84 C:\Program Files (x86)\...\Windows Update.exe, PE32 15->84 dropped 86 C:\...\Windows Update.exe.config, XML 15->86 dropped 24 Windows Update.exe 15->24         started        file6 signatures7 process8 dnsIp9 120 s3.pl-waw.scw.cloud 151.115.10.1, 49753, 80 OnlineSASFR United Kingdom 20->120 122 192.168.2.1 unknown unknown 20->122 124 onepiece.s3.pl-waw.scw.cloud 20->124 64 C:\Users\user\AppData\...\7((_8888YTR(.exe, PE32 20->64 dropped 66 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 20->66 dropped 68 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 20->68 dropped 70 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->70 dropped 26 7((_8888YTR(.exe 20 20 20->26         started        126 s3.nl-ams.scw.cloud 24->126 128 korolova.s3.nl-ams.scw.cloud 24->128 130 connectini.net 24->130 72 C:\Users\user\AppData\...\TOHWVYYPNL.exe, PE32 24->72 dropped file10 process11 dnsIp12 138 360devtracking.com 37.230.138.66, 49761, 50039, 80 ROCKETTELECOM-ASRU Russian Federation 26->138 140 s3.nl-ams.scw.cloud 163.172.208.8, 443, 49755, 49756 OnlineSASFR United Kingdom 26->140 142 3 other IPs or domains 26->142 88 C:\Program Files\...\irecord.exe, PE32 26->88 dropped 90 C:\Program Files (x86)\...\ZHunuhebaqu.exe, PE32 26->90 dropped 92 C:\Program Files\...\irecord.exe.config, XML 26->92 dropped 94 3 other files (1 malicious) 26->94 dropped 166 Drops executable to a common third party application directory 26->166 31 irecord.exe 26->31         started        34 Vahutuqeke.exe 14 17 26->34         started        37 Kixysyshysy.exe 14 4 26->37         started        file13 signatures14 process15 dnsIp16 96 C:\Users\user\AppData\Local\...\irecord.tmp, PE32 31->96 dropped 39 irecord.tmp 31->39         started        110 www.google.com 142.250.185.164, 443, 49759, 49882 GOOGLEUS United States 34->110 112 connectini.net 34->112 42 chrome.exe 34->42         started        45 chrome.exe 34->45         started        47 chrome.exe 34->47         started        49 26 other processes 34->49 114 www-google-analytics.l.google.com 142.250.186.110, 443, 49962, 49963 GOOGLEUS United States 37->114 116 source3.boys4dayz.com 172.67.148.61 CLOUDFLARENETUS United States 37->116 118 3 other IPs or domains 37->118 98 C:\Users\user\AppData\Local\...\installer.exe, PE32 37->98 dropped 100 C:\Users\user\AppData\...\autosubplayer.exe, PE32 37->100 dropped 102 C:\Users\user\AppData\Local\...\random.exe, PE32 37->102 dropped file17 process18 dnsIp19 74 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 39->74 dropped 76 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 39->76 dropped 78 C:\...\unins000.exe (copy), PE32 39->78 dropped 80 23 other files (none is malicious) 39->80 dropped 51 I-Record.exe 39->51         started        144 192.168.2.3, 443, 49676, 49678 unknown unknown 42->144 146 239.255.255.250 unknown Reserved 42->146 148 www.google.com 42->148 53 chrome.exe 42->53         started        56 chrome.exe 45->56         started        58 chrome.exe 47->58         started        60 chrome.exe 49->60         started        62 chrome.exe 49->62         started        file20 process21 dnsIp22 132 mc.yandex.ru 93.158.134.119, 443, 49818, 49827 YANDEXRU Russian Federation 53->132 134 spdc-global.pbp.gysm.yahoodns.net 212.82.100.181 YAHOO-IRDGB United Kingdom 53->134 136 112 other IPs or domains 53->136
Threat name:
Win32.Downloader.Chebka
Status:
Malicious
First seen:
2022-01-11 04:03:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  3/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:smokeloader backdoor discovery evasion persistence trojan
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
NirSoft WebBrowserPassView
Nirsoft
Process spawned unexpected child process
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SH256 hash:
31dc734ebdb5e8df17e8416c38153dad9fa9e67b399082405fb1e79fdf09367b
MD5 hash:
134e6c5c51acf144777c017f9894d701
SHA1 hash:
0d2aec13b06a9239cf6116d419daeed0e7de1672
SH256 hash:
498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3
MD5 hash:
aea21ab88cca720a34ec1c9c4794f82a
SHA1 hash:
5241d6fd4013ec8251df46e231665471a8ca70db

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
116.202.24.62:9295 https://threatfox.abuse.ch/ioc/295246
95.143.177.76:34098 https://threatfox.abuse.ch/ioc/295247
185.215.113.64:25828 https://threatfox.abuse.ch/ioc/295248
207.32.218.86:38565 https://threatfox.abuse.ch/ioc/295284
207.32.219.80:39824 https://threatfox.abuse.ch/ioc/295285
78.46.137.240:21314 https://threatfox.abuse.ch/ioc/295286

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 498421bc4c78ba9bf7c9d669bd9958cf2c0c1cc89e94288800fe004400821ef3

(this sample)

  
Delivery method
Distributed via web download

Comments



Avatar
zbet commented on 2022-01-14 16:58:02 UTC

url : hxxp://ezzouhour.s3.eu-west-1.amazonaws.com/recMe/irec7.exe