MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 579ef1b6904472c94949cbe7c01cd22901797bb4e8da54b6310754fd0bc9224a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 579ef1b6904472c94949cbe7c01cd22901797bb4e8da54b6310754fd0bc9224a
SHA3-384 hash: 5d220629ee27c148f8b22ea299fa48c0fbbafaf9b26c9120aeb3ab6162c380ecf3b58e041005cf8684a2d71d9563c766
SHA1 hash: 94d9f36f0d18d8740e16553c7ddd1fbd212d08c8
MD5 hash: 061172bd4751a7fdce803061e139e43c
humanhash: triple-asparagus-island-double
File name:94d9f36f0d18d8740e16553c7ddd1fbd212d08c8.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:328'192 bytes
First seen:2021-08-20 18:35:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e16577a15d2f4b952ae6a4b3a61075c7 (2 x Smoke Loader, 1 x Glupteba, 1 x RedLineStealer)
ssdeep 6144:3RMnN6muXvZx37UI5yJy7d5YljwEa4Hisrol5Q34Fj:unUmuXP37UIxd5cwvQisrIF
TLSH T15064BE30B3D0C035F5B712B455B9937C653D7EB16B24D2CBA2D52AEA5A312E4AC30B87
dhash icon 86f1ec9eb6dcf9a6 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.35/ https://threatfox.abuse.ch/ioc/192382/

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://envima.tk
Verdict:
Malicious activity
Analysis date:
2021-08-18 11:26:13 UTC
Tags:
trojan evasion rat redline stealer vidar loader opendir phishing
Link:
https://app.any.run/tasks/a483b996-5ec9-43e6-b0c0-7db0673d74c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181018/
Detection(s):
Win.Malware.Generic-9886641-0
Create hunting rule

Win.Dropper.Azorult-9886824-0
Create hunting rule

Win.Malware.Raccoon-9886737-1
Create hunting rule

Win.Dropper.StopCrypt-9886862-0
Create hunting rule

Win.Malware.Generic-9887080-0
Create hunting rule

Win.Malware.Generic-9887081-0
Create hunting rule

Win.Malware.Generic-9887168-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a custom TCP request
Sending a UDP request
Connection attempt to an infection source
Searching for the window
Creating a window
Reading critical registry keys
Delayed reading of the file
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Query of malicious DNS domain
Stealing user critical data
Sending a TCP request to an infection source
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Cryptbot Raccoon
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836630
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Autohotkey Downloader Generic
Yara detected Cryptbot
Yara detected Evader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469061 Sample: 6GEGqh0HIn.exe Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 56 telete.in 2->56 58 iplogger.org 2->58 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 11 other signatures 2->72 9 6GEGqh0HIn.exe 25 2->9         started        signatures3 process4 dnsIp5 60 hypercustom.top 194.87.236.205, 49744, 49745, 80 MTW-ASRU Russian Federation 9->60 62 cleaner-partners.net 9->62 64 4 other IPs or domains 9->64 48 C:\Users\user\AppData\...\35512529669.exe, PE32 9->48 dropped 50 C:\Users\user\AppData\...\16727583470.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\Local\...\file[1].exe, PE32 9->52 dropped 54 6 other files (none is malicious) 9->54 dropped 78 May check the online IP address of the machine 9->78 14 cmd.exe 1 9->14         started        16 cmd.exe 9->16         started        18 WerFault.exe 9 9->18         started        21 9 other processes 9->21 file6 signatures7 process8 file9 23 16727583470.exe 14->23         started        26 conhost.exe 14->26         started        28 35512529669.exe 16->28         started        30 conhost.exe 16->30         started        38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->40 dropped 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->42 dropped 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->44 dropped 46 5 other malicious files 21->46 dropped 32 63965442492.exe 21->32         started        34 conhost.exe 21->34         started        process10 signatures11 74 Tries to harvest and steal browser information (history, passwords, etc) 23->74 76 Sample or dropped binary is a compiled AutoHotkey binary 28->76 36 WerFault.exe 17 9 32->36         started        process12
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/579ef1b6904472c94949cbe7c01cd22901797bb4e8da54b6310754fd0bc9224a/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 08:42:05 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6ppdnuqirzmsskjzpt4ahgsfeaxs65u5dnfjnrra5kp2c6jejfa._file
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:raccoon botnet:00bdd6858c3856861f0d81937643f61ec7429443 discovery persistence spyware stealer suricata
Link:
https://tria.ge/reports/210820-3ejqx6vqs2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
knuspj52.top
morjeo05.top
Unpacked files
SH256 hash:
e70c3933fb22a4c9cf87784419bcafabf236513ffb449cc455b45624bda31f75
MD5 hash:
212f0fb729f1e8b478374a63363d45e4
SHA1 hash:
20cf3acdf909256012a2e8c31d03e5ef87fc4f66
Link:
https://www.unpac.me/results/cf5603c1-af82-435d-8673-3639b55675e8/
SH256 hash:
579ef1b6904472c94949cbe7c01cd22901797bb4e8da54b6310754fd0bc9224a
MD5 hash:
061172bd4751a7fdce803061e139e43c
SHA1 hash:
94d9f36f0d18d8740e16553c7ddd1fbd212d08c8
Link:
https://www.unpac.me/results/cf5603c1-af82-435d-8673-3639b55675e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/579ef1b6904472c94949cbe7c01cd22901797bb4e8da54b6310754fd0bc9224a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181018/

Comments