MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f25ab5c61c7b060728eeded0f2d49bafb5524a9d398bdc05989a108b2d0799a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f25ab5c61c7b060728eeded0f2d49bafb5524a9d398bdc05989a108b2d0799a
SHA3-384 hash: 2c7584f4fdba42927dd2b03c0ec314be76c6a4586dc197820168b6419a65c699ffe259a0c12be3fdbfd346bc1ddda451
SHA1 hash: fdbd8f92e87e6f945f91e70c6a4eb2f653b40dfd
MD5 hash: 85b2f169906484c8ea5bc86019ec3474
humanhash: venus-crazy-beryllium-wisconsin
File name:85b2f169906484c8ea5bc86019ec3474.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:211'968 bytes
First seen:2021-08-31 00:17:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1bd9ec7a4dcb0a443d99b482d9f2b78b (9 x RaccoonStealer, 2 x RedLineStealer, 1 x CoinMiner)
ssdeep 3072:/S+bL6zgyWIl6PRLobU+GcaEeOgfLdcGyaN3xjmHd7cxatBgGgS/lPYxAxAU:q+bL6MyWRPRsWcaEmy+xgFVg8FY6xA
Threatray 4'241 similar samples on MalwareBazaar
TLSH T1B824AC1032A0F46EE45557308E9DC6A3463AAC719960C367329B2F5E1F31290BF56FFA
dhash icon fcfcf4d4d4dcd8c0 (21 x RaccoonStealer, 13 x RedLineStealer, 4 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.120/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.120/ https://threatfox.abuse.ch/ioc/203162/

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85b2f169906484c8ea5bc86019ec3474.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-31 00:18:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3290e6e-98b8-422e-af7d-db379f6049ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183920/
Detection(s):
Win.Packed.Generic-9889505-0
Create hunting rule

Win.Packed.Generic-9889576-0
Create hunting rule

Win.Packed.Generic-9889668-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Searching for the window
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Replacing files
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Setting browser functions hooks
Unauthorized injection to a system process
Stealing user critical data
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a browser process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aea2bf9c-92b6-4685-b43f-2e9efde37b93
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842119
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474547 Sample: 5E49LlMZud.exe Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 87 www.instagram.com 2->87 89 41.52.17.84.dnsbl.sorbs.net 2->89 91 15 other IPs or domains 2->91 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for dropped file 2->127 129 Multi AV Scanner detection for submitted file 2->129 135 14 other signatures 2->135 11 5E49LlMZud.exe 2->11         started        14 zlgdkjjx.exe 2->14         started        16 hfajtau 2->16         started        18 10 other processes 2->18 signatures3 131 Tries to resolve many domain names, but no domain seems valid 87->131 133 System process connects to network (likely due to code injection or exploit) 89->133 process4 dnsIp5 171 Detected unpacking (changes PE section rights) 11->171 21 5E49LlMZud.exe 11->21         started        173 Writes to foreign memory regions 14->173 175 Allocates memory in foreign processes 14->175 177 Injects a PE file into a foreign processes 14->177 24 svchost.exe 14->24         started        179 Multi AV Scanner detection for dropped file 16->179 181 Machine Learning detection for dropped file 16->181 28 hfajtau 16->28         started        93 127.0.0.1 unknown unknown 18->93 95 192.168.2.1 unknown unknown 18->95 183 Changes security center settings (notifications, updates, antivirus, firewall) 18->183 signatures6 process7 dnsIp8 137 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->137 139 Maps a DLL or memory area into another process 21->139 141 Checks if the current machine is a virtual machine (disk enumeration) 21->141 30 explorer.exe 12 21->30 injected 103 hanmail.net 24->103 105 41.52.17.84.dnsbl.sorbs.net 24->105 107 22 other IPs or domains 24->107 75 C:\Windows\SysWOW64\...\systemprofile:.repos, DOS 24->75 dropped 143 System process connects to network (likely due to code injection or exploit) 24->143 145 Creates files in alternative data streams (ADS) 24->145 147 Injects a PE file into a foreign processes 24->147 149 Creates a thread in another existing process (thread injection) 28->149 file9 signatures10 process11 dnsIp12 109 readinglistforaugust8.xyz 30->109 111 readinglistforaugust7.xyz 30->111 113 9 other IPs or domains 30->113 79 C:\Users\user\AppData\Roaming\hfajtau, PE32 30->79 dropped 81 C:\Users\user\AppData\Local\Temp\7DAA.exe, PE32 30->81 dropped 83 C:\Users\user\AppData\Local\Temp\7349.exe, PE32 30->83 dropped 85 3 other malicious files 30->85 dropped 115 System process connects to network (likely due to code injection or exploit) 30->115 117 Benign windows process drops PE files 30->117 119 Performs DNS queries to domains with low reputation 30->119 123 4 other signatures 30->123 35 7349.exe 127 30->35         started        40 6696.exe 2 30->40         started        42 explorer.exe 30->42         started        44 3 other processes 30->44 file13 121 Tries to resolve many domain names, but no domain seems valid 111->121 signatures14 process15 dnsIp16 97 159.69.246.184, 49708, 80 HETZNER-ASDE Germany 35->97 69 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 35->69 dropped 71 C:\ProgramData\sqlite3.dll, PE32 35->71 dropped 151 Multi AV Scanner detection for dropped file 35->151 153 Detected unpacking (changes PE section rights) 35->153 155 Machine Learning detection for dropped file 35->155 169 3 other signatures 35->169 73 C:\Users\user\AppData\Local\...\zlgdkjjx.exe, PE32 40->73 dropped 157 Uses netsh to modify the Windows network and firewall settings 40->157 159 Modifies the windows firewall 40->159 46 cmd.exe 40->46         started        49 cmd.exe 2 40->49         started        51 sc.exe 40->51         started        55 3 other processes 40->55 99 readinglistforaugust8.xyz 42->99 161 System process connects to network (likely due to code injection or exploit) 42->161 163 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->163 165 Tries to steal Mail credentials (via file access) 42->165 167 Performs DNS queries to domains with low reputation 42->167 101 18.118.197.22, 49789, 51195 MIT-GATEWAYSUS United States 44->101 53 conhost.exe 44->53         started        file17 signatures18 process19 file20 77 C:\Windows\SysWOW64\...\zlgdkjjx.exe (copy), PE32 46->77 dropped 57 conhost.exe 46->57         started        59 conhost.exe 49->59         started        61 conhost.exe 51->61         started        63 conhost.exe 55->63         started        65 conhost.exe 55->65         started        67 conhost.exe 55->67         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f25ab5c61c7b060728eeded0f2d49bafb5524a9d398bdc05989a108b2d0799a/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 22:50:32 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4s2wxdby6yga4uo5xwq6lkjxl5vkjfj2oml3qczrgqqrmwqpgna._file
Verdict:
suspicious
Similar samples:
3f3fecd695146b28e051593aabcd535dc366932c08bf0011ae997ad6b7e39147
RaccoonStealer
5c755d14199295a752594d0bb2a4c6bd7ede35ea7c078499fc7fff96451b2530
RaccoonStealer
60ab0131b6fa420a6a8039b60ac948db87033e9a8db69b16344e3d9222859556
RaccoonStealer
831c4dbfc88b4a10504a77ce20c663633e07e4f2bab5cd94eb27ba56e5427572
RaccoonStealer
94eb2ab912a0fc0fb09538da52e4c36a50a1ea22cf6dfefe0b245f1687b8fe8f
RaccoonStealer
c55df5e9d0ea176321a29f8957c7a43188796ae0fc0ffe1ae94ad6092d30ba77
RaccoonStealer
c87fe4ff57a5464c0155bd1a8a924a2d77a79fdf87cba206e9ef5ac0d0f848cf
RaccoonStealer
ecc608dedd0b55df6c75aeffcd51e11f3fd50d7422e4a1b26d4515a18419b9c4
RaccoonStealer
f4e1fc78ba0a65bde5687a67eb89e20166e062356b77227c9e0211060bd14dc8
RaccoonStealer
f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc
RaccoonStealer
+ 4'231 additional samples on MalwareBazaar
Result
Malware family:
tofsee
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:tofsee botnet:work backdoor discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/210831-xw56rqey3x/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Drops file in System32 directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
18.118.197.22:51195
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/49ca19d9-47ea-4d16-9dd2-739504d6c307/
SH256 hash:
4f25ab5c61c7b060728eeded0f2d49bafb5524a9d398bdc05989a108b2d0799a
MD5 hash:
85b2f169906484c8ea5bc86019ec3474
SHA1 hash:
fdbd8f92e87e6f945f91e70c6a4eb2f653b40dfd
Link:
https://www.unpac.me/results/49ca19d9-47ea-4d16-9dd2-739504d6c307/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4f25ab5c61c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f25ab5c61c7b060728eeded0f2d49bafb5524a9d398bdc05989a108b2d0799a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 4f25ab5c61c7b060728eeded0f2d49bafb5524a9d398bdc05989a108b2d0799a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183920/

Comments