MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d04f5f44c21f9ccda28433bddea30ce2fba7a548d7d40a46332e0d2b70079d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

SHA256 hash: 4d04f5f44c21f9ccda28433bddea30ce2fba7a548d7d40a46332e0d2b70079d0
SHA3-384 hash: 5bf3891bc01ca186c69c3961a205a977668f99b71f3890004a5576b8d1ad0e442d7751a4605357e95217d2255113b7b6
SHA1 hash: c5f51069a3f9270d79bacff246b0ca86887b98c6
MD5 hash: 28253286098972f1fe91412ef99a759a
humanhash: bacon-fifteen-pip-louisiana
File name: 28253286098972F1FE91412EF99A759A.exe
Signature: RaccoonStealer
File size: 6'228'992 bytes
First seen: 2021-08-19 20:40:55 UTC
Last seen: 2021-08-19 21:19:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 98304:RohD0nge1EtzppRfNAlG9H3bZGjiwwRk7v:RohrgEpBNAlwH3siwwab
Threatray: 1'378 similar samples on MalwareBazaar
TLSH: T18E5634301226DBCF66774FB9A5EF3FAB86D52FF62D022F184C1956A53532281862107F
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://34.135.32.61/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
http://34.135.32.61/  https://threatfox.abuse.ch/ioc/192233/

Intelligence


File Origin
# of uploads: 2
# of downloads: 133
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup.exe
Verdict: Malicious activity
Analysis date: 2021-08-17 14:39:11 UTC
Tags: evasion trojan rat redline opendir stealer vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Connection attempt to an infection source
Creating a file
Sending an HTTP GET request
Creating a window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a service
Changing a file
Launching a process
Creating a file in the %AppData% directory
Reading critical registry keys
Deleting a recently created file
Delayed reading of the file
Launching the process to change the firewall settings
Creating a file in the %AppData% subdirectories
Creating a file in the Windows subdirectories
Sending an HTTP POST request
Moving a recently created file
Replacing files
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Launching a tool to kill processes
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Glupteba Metasploit Socelars Xmrig
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates an autostart registry key pointing to binary in C:\Windows
Creates processes via WMI
Detected unpacking (changes PE section rights)
DNS related to crypt mining pools
Found strings related to Crypto-Mining
Found Tor onion address
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected Socelars
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 468495; Sample: vh12mmuxpj.exe; Start date: 19/08/2021; Architecture: WINDOWS; Score: 100
Threat name: ByteCode-MSIL.Backdoor.Mokes
Status: Malicious
First seen: 2021-08-17 01:04:14 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:cryptbot family:danabot family:glupteba family:metasploit family:raccoon family:socelars family:xmrig botnet:00bdd6858c3856861f0d81937643f61ec7429443 backdoor banker discovery dropper loader miner persistence spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
CryptBot
CryptBot Payload
Danabot
Danabot Loader Component
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
Raccoon
Socelars
Malware Config
C2 Extraction: knuxiq42.top, morumd04.top

Unpacked files
SHA256 hash: 4d04f5f44c21f9ccda28433bddea30ce2fba7a548d7d40a46332e0d2b70079d0
MD5 hash: 28253286098972f1fe91412ef99a759a
SHA1 hash: c5f51069a3f9270d79bacff246b0ca86887b98c6

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_CoinMiner02
Author: ditekSHen
Description: Detects coinmining malware

Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload

Rule name: MAL_XMR_Miner_May19_1
Author: Florian Roth
Description: Detects Monero Crypto Coin Miner
Reference: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: win_cryptbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cryptbot.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments