MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57f10efc739ec361aebc5282037d8013f39991d2f87ab144dd16e3cd63ed6999. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 11



SHA256 hash: 57f10efc739ec361aebc5282037d8013f39991d2f87ab144dd16e3cd63ed6999
SHA3-384 hash: 073bebfcf5d261d6e53539712aa3f67a65ecf0ae3200418af8b2d21e9e22166a08974e4b4bb37a1af5bf841eb532ed43
SHA1 hash: a414befb2fdf6c508d4936f723f8b142828b2b16
MD5 hash: 15eb5a44613074dee64d6f25eceb66be
humanhash: bulldog-dakota-hot-nine
File name: 15EB5A44613074DEE64D6F25ECEB66BE.exe
Signature: RaccoonStealer
File size: 3'576'342 bytes
First seen: 2021-08-19 20:45:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xwCvLUBsgQPoIXHs02aorqdKmUzKDwXQXKV9fV:xNLUCgeoIXM0R3nUz8wrPfV
TLSH: T175F533617BE740F6F8C3003AEF045B36A1BE97949A3404D77784965DAB38883E17B8B5
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://34.135.32.61/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://34.135.32.61/
ThreatFox reference: https://threatfox.abuse.ch/ioc/192233/

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 611b30_Watch-Dogs-PC-C.zip
Verdict: Malicious activity
Analysis date: 2021-08-17 03:42:52 UTC
Tags: trojan evasion stealer vidar loader rat redline phishing raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Sending a UDP request
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file
Sending an HTTP GET request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching a tool to kill processes
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: [rendered process/network graph not reproduced here; graph ID 468496, sample ezoEAnTLme.exe, start date 19/08/2021, architecture WINDOWS, score 100]
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-08-17 10:42:02 UTC
AV detection: 29 of 46 (63.04%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:cryptbot family:raccoon family:redline family:smokeloader family:socelars family:vidar family:xmrig botnet:00bdd6858c3856861f0d81937643f61ec7429443 botnet:706 botnet:pab3 aspackv2 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Amadey
CryptBot
CryptBot Payload
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: MALWARE_Win_MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments