MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d7e732c1981cc7d29cb21e30ab8d203ccd45ae3ad7b609bfd50449c987b6bbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	4d7e732c1981cc7d29cb21e30ab8d203ccd45ae3ad7b609bfd50449c987b6bbc
SHA3-384 hash:	6ba47f8779b0f94825bfdfed3c19956c4566a2f5c08e261148c0ffb14c27be313de5e8e1e397cbbfab90c785d48dbf25
SHA1 hash:	ebf528a26ee09df07538bb2d06e9cc4a6053feea
MD5 hash:	c1677042cb0c0ffce61c6c5d680db952
humanhash:	finch-fifteen-mirror-failed
File name:	c1677042cb0c0ffce61c6c5d680db952.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	302'592 bytes
First seen:	2021-09-01 10:45:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4dfee2d5d789a471aa176a087571f5a4 (5 x RaccoonStealer)
ssdeep	6144:5Npti0LBmXpCO5grki5XEge1IanX59EPCmK:tti09mgO6rk+XTeSaX59Y
Threatray	1'413 similar samples on MalwareBazaar
TLSH	T18B54AE0B3290C83BD19506394C61FBFC5A26FC695D62C28B37D1375F6EF12A29B12356
dhash icon	fcfcd4d4d4dcd8c0 (52 x RaccoonStealer, 28 x RedLineStealer, 6 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.142.215.144/	https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c1677042cb0c0ffce61c6c5d680db952.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-01 10:47:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e2d0131e-ca1a-47cd-a798-3aef99a19464

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/184437/

Detection(s):

Win.Packed.Filerepmalware-9890038-0

Win.Packed.Fragtor-9890049-0

Win.Packed.Fragtor-9890050-0

Win.Packed.Generic-9890077-0

Win.Packed.Fragtor-9890080-0

Win.Packed.Generic-9890092-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending an HTTP POST request

Launching a process

Searching for the window

Sending a UDP request

Reading critical registry keys

Creating a process from a recently created file

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Deleting of the original file

Enabling autorun by creating a file

Unauthorized injection to a browser process

Unauthorized injection to a system process

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/47178f15-85e0-4d68-b03d-58f541f19d70

Result

Threat name:

Raccoon SmokeLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843260

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Performs DNS queries to domains with low reputation

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected Raccoon Stealer

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d7e732c1981cc7d29cb21e30ab8d203ccd45ae3ad7b609bfd50449c987b6bbc/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-01 10:46:05 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jv7hglazqhgh2kolehrqvogsapgniwxdvv5wbg75kbcjzgd3no6a._file

Verdict:

suspicious

RaccoonStealer

5152274dbe1cc44da156f29d1ff2858e583237bdc24ced137265cd3668ba851e

RaccoonStealer

608248c1ef7bab54f8a7aeffaf618187a6f20d3bc829a6c6de625e2a2a376f2b

RaccoonStealer

67ebaa4e613b155a8584614552de369a48d854f8b38e9c6f6319d71f287ea0f9

RaccoonStealer

68e731d3431bc9223c2ff57b2d319194c4a6b8027e15c75f16b841bc78499172

RaccoonStealer

9dad1f618e1ebf28e43f4af049feb9d75a03b139a63bdd1901f51497fd4ed50b

RaccoonStealer

a19317b14abc6d4c1294aaaeab29d0ada023dffa37025c839671c193a74fd519

RaccoonStealer

ca12d3f00e654a8c51e15c6eaed8330721e48f398f877fc0ed68a983d3191a37

RaccoonStealer

cfcb21c8c129c8c2c525ecfac8bd883260eda6038e3991210765e582007451dd

RaccoonStealer

+ 1'403 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:raccoon family:smokeloader botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery spyware stealer suricata trojan

Link:

https://tria.ge/reports/210901-jaab51e52a/

Behaviour

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Raccoon

SmokeLoader

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Malware Config

C2 Extraction:

http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/