MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51fe7c7e0564c81aacfc4f34595cac5c3f3aaf2cf4c81f88110d152654bae326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51fe7c7e0564c81aacfc4f34595cac5c3f3aaf2cf4c81f88110d152654bae326
SHA3-384 hash: 22d595a0edabc4365f6b0a0dad46899afaab504c40515dcc41b8982b578de9a69734f494388fc000f3368986d298fdca
SHA1 hash: d9306386332fa323a5487a829db0902521ae4be8
MD5 hash: e760fff28298cdd65236bf6928753797
humanhash: california-thirteen-crazy-alpha
File name:e760fff28298cdd65236bf6928753797.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:189'440 bytes
First seen:2021-10-28 18:31:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0907a935ef90d39af9a616560320cd24 (4 x RaccoonStealer, 1 x LimeRAT, 1 x RedLineStealer)
ssdeep 3072:7rCKw8JjNEtrYU9gggbf0074YcIyNc8eHPWrxpzbgqruXhspVggjcGkNIVqI:aKLjNaIxbbXcjNRmPuzbgwu6L7ITsq
Threatray 6'213 similar samples on MalwareBazaar
TLSH T118049EF072D88479D06339318821CAA35E6ABC61DA6055473274239E3FB2ECC99E5FDD
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
45.67.231.145:10991

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.67.231.145:10991 https://threatfox.abuse.ch/ioc/239282/
http://194.180.174.181/ https://threatfox.abuse.ch/ioc/239344/
95.217.110.27:15401 https://threatfox.abuse.ch/ioc/239345/

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201022/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.35416.2589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22c42ca6-3221-498d-b846-05f2b6afc28d
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878816
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511250 Sample: YRbcV0B6TZ.exe Startdate: 28/10/2021 Architecture: WINDOWS Score: 100 69 nusurtal4f.net 2->69 71 netomishnetojuk.net 2->71 73 11 other IPs or domains 2->73 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Multi AV Scanner detection for domain / URL 2->101 103 Found malware configuration 2->103 105 13 other signatures 2->105 11 YRbcV0B6TZ.exe 2->11         started        14 gveejjf 2->14         started        signatures3 process4 signatures5 123 Contains functionality to inject code into remote processes 11->123 125 Injects a PE file into a foreign processes 11->125 16 YRbcV0B6TZ.exe 11->16         started        127 Machine Learning detection for dropped file 14->127 19 gveejjf 14->19         started        process6 signatures7 91 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->91 93 Maps a DLL or memory area into another process 16->93 95 Checks if the current machine is a virtual machine (disk enumeration) 16->95 97 Creates a thread in another existing process (thread injection) 16->97 21 explorer.exe 12 16->21 injected process8 dnsIp9 75 216.128.137.31, 80 AS-CHOOPAUS United States 21->75 77 iyc.jelikob.ru 81.177.141.36, 443, 49812 RTCOMM-ASRU Russian Federation 21->77 79 5 other IPs or domains 21->79 51 C:\Users\user\AppData\Roaming\hreejjf, PE32 21->51 dropped 53 C:\Users\user\AppData\Roaming\gveejjf, PE32 21->53 dropped 55 C:\Users\user\AppData\Local\TempFD0.exe, PE32 21->55 dropped 57 11 other malicious files 21->57 dropped 115 System process connects to network (likely due to code injection or exploit) 21->115 117 Benign windows process drops PE files 21->117 119 Deletes itself after installation 21->119 121 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->121 26 C312.exe 1 21->26         started        30 B34A.exe 21->30         started        33 E839.exe 21->33         started        35 8 other processes 21->35 file10 signatures11 process12 dnsIp13 59 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 26->59 dropped 129 Multi AV Scanner detection for dropped file 26->129 131 DLL reload attack detected 26->131 133 Detected unpacking (changes PE section rights) 26->133 149 5 other signatures 26->149 83 45.95.235.77, 49848, 80 YURTEH-ASUA Russian Federation 30->83 61 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 30->61 dropped 63 C:\ProgramData\sqlite3.dll, PE32 30->63 dropped 135 Query firmware table information (likely to detect VMs) 30->135 137 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->137 139 Machine Learning detection for dropped file 30->139 151 2 other signatures 30->151 37 E839.exe 33->37         started        85 telegalive.top 35->85 87 194.180.174.181, 49845, 80 MIVOCLOUDMD unknown 35->87 89 4 other IPs or domains 35->89 65 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 35->65 dropped 67 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 35->67 dropped 141 Detected unpacking (creates a PE file in dynamic memory) 35->141 143 Detected unpacking (overwrites its own PE header) 35->143 145 Tries to harvest and steal browser information (history, passwords, etc) 35->145 153 3 other signatures 35->153 40 AdvancedRun.exe 1 35->40         started        43 powershell.exe 35->43         started        45 CasPol.exe 35->45         started        file14 147 System process connects to network (likely due to code injection or exploit) 85->147 signatures15 process16 dnsIp17 107 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->107 109 Maps a DLL or memory area into another process 37->109 111 Checks if the current machine is a virtual machine (disk enumeration) 37->111 113 Creates a thread in another existing process (thread injection) 37->113 81 192.168.2.1 unknown unknown 40->81 47 AdvancedRun.exe 40->47         started        49 conhost.exe 43->49         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51fe7c7e0564c81aacfc4f34595cac5c3f3aaf2cf4c81f88110d152654bae326/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 18:32:06 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kh7hy7qfmtebvlh4j42fsxfmlq7tvlzm6teb7carbuksmvf24mta._file
Verdict:
malicious
Similar samples:
24c64b6ac83952dbcc423586270744c889038b0198d046fd44f264ec92e012e9
RaccoonStealer
2e9adc33aec3681bc1eb2cc3627bc8b0922add8cc28e6dc23fcbacb0e94a428d
RaccoonStealer
5d5aa3cac3c4da5cc59b50725ace09c310ee4531dff2a6ef53db573edd5bda6f
RaccoonStealer
9d185a3e5184065f1628af9d8325e53b8503a0f7705e54b0d7afb8223eeff208
RaccoonStealer
c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b
RaccoonStealer
f1e4cf5b0fc8658f900febca637c9071fe7396f410015c41284768eac593ffa5
RaccoonStealer
+ 6'203 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:raccoon family:redline family:smokeloader family:vidar botnet:21321313 botnet:60e59be328fbd2ebac1839ea99411dccb00a6f49 botnet:7403871d9aeb23dd4419a46bfc8775a8e9d1f02d botnet:754 botnet:9b47742e621d3b0f1b0b79db6ed26e2c33328c05 botnet:dywa botnet:proliv botnet:safeinstaller botnet:super star backdoor collection discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/211028-w6l5lscag8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Arkei
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://xacokuo8.top/
http://hajezey1.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
http://193.56.146.214/
https://193.56.146.214/
https://mas.to/@lilocc
93.115.20.139:28978
185.183.32.161:80
45.67.231.145:10991
185.183.32.183:55694
95.217.110.27:15401
Unpacked files
SH256 hash:
7504bf3fa2768578ecf547d7ad5ee704bb32a345726f4d6007e4905db82c873c
MD5 hash:
67832761c9fb6dcaa2caaa433aeef1e9
SHA1 hash:
1f40855c5efb001c8dff2d10e10b8c68d573d68f
Link:
https://www.unpac.me/results/58aeff6d-bed1-4274-870f-c60dc663e955/
SH256 hash:
51fe7c7e0564c81aacfc4f34595cac5c3f3aaf2cf4c81f88110d152654bae326
MD5 hash:
e760fff28298cdd65236bf6928753797
SHA1 hash:
d9306386332fa323a5487a829db0902521ae4be8
Link:
https://www.unpac.me/results/58aeff6d-bed1-4274-870f-c60dc663e955/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/51fe7c7e0564/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51fe7c7e0564c81aacfc4f34595cac5c3f3aaf2cf4c81f88110d152654bae326

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 51fe7c7e0564c81aacfc4f34595cac5c3f3aaf2cf4c81f88110d152654bae326

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1719493/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201022/

Comments