MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
SHA3-384 hash: 8175cd2b5927e5bdfbc4572c3ba51ea94881c84869227b8a938eb0ab893f5a4d235fbc62156648bf94d7f2d0d95331d2
SHA1 hash: cd3518495e662b758e3b72b6bfc409a4fdfcc0df
MD5 hash: e369a4ae59ce3b82b5ed8054f0597341
humanhash: indigo-magazine-earth-potato
File name:e369a4ae59ce3b82b5ed8054f0597341
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:31'744 bytes
First seen:2021-09-04 10:55:23 UTC
Last seen:2021-09-04 14:13:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:zqsy0fTaccrlrZZ6pi1kBl1ckdLuBph9S8t5Azi:usy8TcRrZZ6EkBlCFV9SG
Threatray 1'530 similar samples on MalwareBazaar
TLSH T157E2D04B5201C7F8C3C00CBA4EF6596C933579C957A61AC6C23934BB21D6F9E72950BC
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
397
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e369a4ae59ce3b82b5ed8054f0597341
Verdict:
Suspicious activity
Analysis date:
2021-09-04 10:56:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0864fd7f-051f-400d-b88f-9af82efb33c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185293/
Detection(s):
SecuriteInfo.com.Variant.Ser.Razy.7042.7413.9537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt to an infection source
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Deleting a recently created file
Reading critical registry keys
Query of malicious DNS domain
Stealing user critical data
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fee89cd3-9376-42b9-b939-8d52125495b8
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845234
Signature
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477661 Sample: nCZxXo7Dg7 Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 10 other signatures 2->75 8 nCZxXo7Dg7.exe 2->8         started        11 wihvewb 2->11         started        process3 signatures4 95 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->95 97 Maps a DLL or memory area into another process 8->97 99 Checks if the current machine is a virtual machine (disk enumeration) 8->99 13 explorer.exe 11 8->13 injected 101 Creates a thread in another existing process (thread injection) 11->101 process5 dnsIp6 63 fioajfoiarjfoi1.xyz 94.140.112.59, 49715, 80 TELEMACHBroadbandAccessCarrierServicesSI Latvia 13->63 65 eruiopijhgnn4.xyz 185.195.27.138, 49716, 49717, 49718 SUPERSERVERSDATACENTERRU Russian Federation 13->65 67 5 other IPs or domains 13->67 43 C:\Users\user\AppData\Roaming\wihvewb, PE32 13->43 dropped 45 C:\Users\user\AppData\Local\Temp\6460.exe, PE32 13->45 dropped 47 C:\Users\user\AppData\Local\Temp\5A9B.exe, PE32 13->47 dropped 49 3 other files (2 malicious) 13->49 dropped 103 System process connects to network (likely due to code injection or exploit) 13->103 105 Benign windows process drops PE files 13->105 107 Performs DNS queries to domains with low reputation 13->107 109 2 other signatures 13->109 18 5A9B.exe 15 34 13->18         started        23 2980.exe 80 13->23         started        25 6460.exe 14 32 13->25         started        27 22A9.exe 13->27         started        file7 signatures8 process9 dnsIp10 51 api.ip.sb 18->51 53 45.67.231.145, 10991, 49759 SERVERIUS-ASNL Moldova Republic of 18->53 33 C:\Users\user\AppData\Local\...\5A9B.exe.log, ASCII 18->33 dropped 77 Detected unpacking (changes PE section rights) 18->77 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->79 81 Query firmware table information (likely to detect VMs) 18->81 93 3 other signatures 18->93 29 conhost.exe 18->29         started        55 telete.in 195.201.225.248, 443, 49729 HETZNER-ASDE Germany 23->55 57 94.158.245.24, 49730, 80 MIVOCLOUDMD Moldova Republic of 23->57 35 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 23->35 dropped 37 C:\Users\user\AppData\...\vcruntime140.dll, PE32 23->37 dropped 39 C:\Users\user\AppData\...\ucrtbase.dll, PE32 23->39 dropped 41 56 other files (none is malicious) 23->41 dropped 83 Tries to steal Mail credentials (via file access) 23->83 85 Contains functionality to steal Internet Explorer form passwords 23->85 59 77.232.38.196, 49760, 59743 EUT-ASEUTIPNetworkRU Russian Federation 25->59 61 api.ip.sb 25->61 87 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 25->87 89 Tries to harvest and steal browser information (history, passwords, etc) 25->89 91 Tries to steal Crypto Currency Wallets 25->91 31 conhost.exe 25->31         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 21:41:56 UTC
File Type:
PE (Exe)
AV detection:
33 of 43 (76.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kygr4heeno3giawhsor6ismrwy35qli44pxwzcpeio43eyblny5q._file
Verdict:
suspicious
Similar samples:
1f445aea75db35206f00610e21e04bcae95c26155f9fccb3dbbb7b8601ba1404
RaccoonStealer
372e3f20168cb6280781e04db5b47a84c3496bde190343f4cb54a7e80c4a0c6e
RaccoonStealer
46836190326258f65c9dbc1930b01e9d3de04996a1a2c79e39a36c281d79fe0a
RaccoonStealer
8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
RaccoonStealer
9fc2a95067df754bbafd860e8a3d5b5881ae097fe107aeff86d4945830fcbba7
RaccoonStealer
af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6
RaccoonStealer
d5190d776d8ebd2487a2ec675d8af26ba4c0ba53778ba008621abad0aba0ea69
RaccoonStealer
e11501c9e16a2f69751da6f5d8d2e5ff3023eea48baf5008a197e20a2ffd66be
RaccoonStealer
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
RaccoonStealer
ff63f7880fd91b696a191c136501c9747203976afeb07268e76f9a7f647c09b2
RaccoonStealer
+ 1'520 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:ytoobe backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210904-m1n8caebc4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://fioajfoiarjfoi1.xyz/
http://rdukhnihioh2.xyz/
http://sdfghjklemm3.xyz/
http://eruiopijhgnn4.xyz/
http://igbyugfwbwb5.xyz/
http://shfuhfuwhhc6.xyz/
http://ersyglhjkuij7.xyz/
http://ygyguguuju8.store/
http://resbkjpokfct9.store/
http://sdfygfygu10.store/
http://hbibhibihnj11.store/
http://vfwlkjhbghg12.store/
http://poiuytrcvb13.store/
http://xsedfgtbh14.store/
http://iknhyghggh15.store/
http://wnlonevkiju16.site/
http://gfyufuhhihioh17.site/
http://nsgiuwrevi18.site/
http://oiureveiuv19.site/
http://ovrnevnriuen20.site/
http://apowkfeeifin21.site/
http://mewmofinoine22.site/
http://iefhuiehruiu23.site/
http://vjrnnvinerovn24.club/
http://roimvnnvwniov25.club/
http://fwenmfioewnjo26.club/
http://ewoijioewoif27.club/
http://fwjenfuihew28.club/
http://fwkejnfuiewn29.club/
http://fwkjenfuewnh30.club/
77.232.38.196:59743
Unpacked files
SH256 hash:
560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b
MD5 hash:
e369a4ae59ce3b82b5ed8054f0597341
SHA1 hash:
cd3518495e662b758e3b72b6bfc409a4fdfcc0df
Link:
https://www.unpac.me/results/6d711066-2b1b-4de3-b285-6ad62a4f87dd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/560d1e1c846b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 560d1e1c846bb66402c793a3e44991b637d82d1ce3ef6c89e443b9b2602b6e3b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1591345/
Cape
Cape
https://www.capesandbox.com/analysis/185293/

Comments


Avatar
zbet commented on 2021-09-04 10:55:24 UTC

url : hxxp://igbyugfwbwb5.xyz/reestr.exe