MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
SHA3-384 hash: fea8b96e2755abb8dc71a8dab5b57877767487c1ee89e9bb2a3d2dae98bf11931084da0f487dc2b6afc9104430d7f3b7
SHA1 hash: ceda27c0b8d08c34d131575557a5ba20e797bbd4
MD5 hash: 788045d291dccd0c7bdf32e1d8e2ae51
humanhash: october-green-wyoming-hot
File name:788045D291DCCD0C7BDF32E1D8E2AE51.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'426'981 bytes
First seen:2021-08-20 01:06:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:x2CvLUBsgj5x9GaxH9s8sKvdz0WV43wEdYUwGM:x/LUCgjb9lxHiCh0Wq3oz
Threatray 1'512 similar samples on MalwareBazaar
TLSH T1552633023BDA80F7E593513AED189B32A17CCF954D7540937B809D29BB358EAC133AB5
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.35/ https://threatfox.abuse.ch/ioc/192382/

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180814/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Sending a UDP request
Creating a window
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Sending an HTTP GET request
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3703313d-998b-4fa3-90b8-ee1a1b8270e8
Result
Threat name:
Cookie Stealer Cryptbot RedLine Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836119
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Cryptbot
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468550 Sample: TBXf6Hvodn.exe Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 89 192.168.2.3, 443, 49563, 49690 unknown unknown 2->89 91 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->91 93 3 other IPs or domains 2->93 117 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->117 119 Multi AV Scanner detection for domain / URL 2->119 121 Antivirus detection for URL or domain 2->121 123 14 other signatures 2->123 12 TBXf6Hvodn.exe 18 2->12         started        15 rundll32.exe 2->15         started        17 svchost.exe 1 2->17         started        signatures3 process4 file5 81 C:\Users\user\AppData\...\setup_install.exe, PE32 12->81 dropped 83 C:\Users\user\AppData\Local\...\libcurl.dll, PE32 12->83 dropped 85 C:\Users\user\...\Mon20e066a4a15d1287.exe, PE32 12->85 dropped 87 13 other files (9 malicious) 12->87 dropped 20 setup_install.exe 1 12->20         started        24 rundll32.exe 15->24         started        115 System process connects to network (likely due to code injection or exploit) 17->115 signatures6 process7 dnsIp8 109 127.0.0.1 unknown unknown 20->109 111 marisana.xyz 20->111 125 Performs DNS queries to domains with low reputation 20->125 127 Adds a directory exclusion to Windows Defender 20->127 26 cmd.exe 1 20->26         started        28 cmd.exe 20->28         started        30 cmd.exe 1 20->30         started        33 8 other processes 20->33 129 Contains functionality to infect the boot sector 24->129 131 Contains functionality to inject threads in other processes 24->131 133 Contains functionality to inject code into remote processes 24->133 135 5 other signatures 24->135 signatures9 process10 signatures11 35 Mon20bd1069e0a1.exe 1 14 26->35         started        40 Mon20bd52299e9f784e5.exe 28->40         started        159 Submitted sample is a known malware sample 30->159 161 Obfuscated command line found 30->161 163 Uses ping.exe to sleep 30->163 165 2 other signatures 30->165 42 powershell.exe 26 30->42         started        44 Mon2008ca219fb.exe 33->44         started        46 Mon20e066a4a15d1287.exe 33->46         started        48 Mon20b1a4b518b89f.exe 33->48         started        50 4 other processes 33->50 process12 dnsIp13 95 ip-api.com 208.95.112.1, 49711, 80 TUT-ASUS United States 35->95 103 3 other IPs or domains 35->103 71 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 35->71 dropped 73 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 35->73 dropped 137 Multi AV Scanner detection for dropped file 35->137 139 May check the online IP address of the machine 35->139 141 Contains functionality to steal Chrome passwords or cookies 35->141 157 2 other signatures 35->157 105 2 other IPs or domains 40->105 143 Detected unpacking (changes PE section rights) 40->143 145 Performs DNS queries to domains with low reputation 40->145 147 Machine Learning detection for dropped file 40->147 97 cdn.discordapp.com 162.159.129.233, 443, 49716 CLOUDFLARENETUS United States 44->97 75 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 44->75 dropped 77 C:\Users\user\...\Mon2008ca219fb.exe.log, ASCII 44->77 dropped 149 Antivirus detection for dropped file 44->149 52 cmd.exe 46->52         started        54 dllhost.exe 46->54         started        151 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 48->151 153 Checks if the current machine is a virtual machine (disk enumeration) 48->153 56 explorer.exe 48->56 injected 99 37.0.10.185 WKD-ASIE Netherlands 50->99 101 37.0.11.8 WKD-ASIE Netherlands 50->101 107 5 other IPs or domains 50->107 155 Creates processes via WMI 50->155 58 Mon201e749cce13219c.exe 50->58         started        file14 signatures15 process16 dnsIp17 62 cmd.exe 52->62         started        65 conhost.exe 52->65         started        113 live.goatgame.live 172.67.222.125, 443, 49712 CLOUDFLARENETUS United States 58->113 79 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 58->79 dropped 67 conhost.exe 58->67         started        file18 process19 signatures20 167 Obfuscated command line found 62->167 169 Uses ping.exe to sleep 62->169 69 findstr.exe 62->69         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 00:38:06 UTC
AV detection:
33 of 46 (71.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lll37n4q7rss35qdmabev5qfpb4qsmf3pbejvk7tklvoh77rap5q._file
Verdict:
malicious
Similar samples:
03eb4a70bc788ed9cd096d77502ef2f5788e4f3930c3bf5924cead278dc6872d
RaccoonStealer
283473a88217ba51d59c416ec4df9a019df2954d592dafbd60ac9b6df58abd96
RaccoonStealer
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc
RaccoonStealer
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
RaccoonStealer
a526e9dae9298bbd03ca2a8fc8a45809eac1543bbec4680182493c551d65f731
RaccoonStealer
aaa3cda8d3f4bc7ff94a3e4f0fd37aced9d484b663bc15f198e6e25482f60443
RaccoonStealer
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
RaccoonStealer
+ 1'502 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:raccoon family:redline family:smokeloader family:socelars family:vidar family:xmrig botnet:00bdd6858c3856861f0d81937643f61ec7429443 botnet:706 botnet:pab3 aspackv2 backdoor bootkit discovery evasion infostealer miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210820-mngcnmgbv2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
CryptBot
CryptBot Payload
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
Malware Config
C2 Extraction:
193.38.55.35:16777
185.215.113.15:61506
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
knuxiq42.top
morumd04.top
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
67f15ef8791238c0520d74240f69f5cb13adf0ff34d32fab4942d9ef17c38789
MD5 hash:
a13744be8e3927ec25fcc06c8b33bca2
SHA1 hash:
7e71f8ca93cf7872603d0e73d36c9931cac5239c
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
1ab460eac81001bfa0da8cbadfd4fba0ad0f371742a2c725ff5cf71bdd8e2b9f
MD5 hash:
1dc95107f7dd6d1392bb8d9b53b76916
SHA1 hash:
b26f9c90ad4656d2ddf3e96da967e0f65a9623e1
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
d1ff2f8a510fb4d25dd861e4cd5196585ccdd66cd6e941941e13d634da825f32
MD5 hash:
e3ed5e6a62ece3cf158688bce4161fbf
SHA1 hash:
5a8c4dddf69e8650952b0d29987cc6edfe25fb0b
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
ab9bb888f6235eaee1ad52cd9b4d1f960ea09743ff80919d0095383f3683c583
MD5 hash:
eff546ee925781db419befdf93bd045d
SHA1 hash:
1129b509403fa589b50310f99f77c69ecc7f8314
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
80977bcc232601987d378e1036c07035a1bfe70803072bf497e1a0aead085905
MD5 hash:
bfdd6dc1d021d885606249743f63c43a
SHA1 hash:
a6468c1356edf1a28bdc90f0d7aa30188fc01d48
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
9a1f1a9f448d94c8954b8004a4ff3e8405f8b18139f95d04f8d9b40c483e1b40
MD5 hash:
ce3a49b916b81a7d349c0f8c9f283d34
SHA1 hash:
a04ea42670fcf09fffbf7f4d4ac9c8e3edfc8cf4
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
b9e1ceb161c6a6d69a686af6330ff9ed6e0813641b329cf0f7272ab1dc9c3332
MD5 hash:
7bca128f348b5a4ff0ea7466041226fa
SHA1 hash:
8ca8749e8940e1f61146247fd492936abcf41100
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
e486b749b903c91f93d4b2887ccbad4cb76be59f4f4f73c30ae20984c07cb187
MD5 hash:
5d54d12d833bd9b3913e3cc42bd54ecd
SHA1 hash:
67596545e93909c392f9864d76780d7eac2d5f56
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
c510b49b937fabff096a044f3929509dd59ea1c55ebc4121eccb2baf567203f3
MD5 hash:
328cb41ac6b0a7dbe44ac13c2ca02173
SHA1 hash:
7dd106d84de57a34b3fd45d05cdc169c320cf710
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
36a7abf6f6541001e864549eff4a3b0c3220421fb09aa0b76e6860bf479b5ecc
MD5 hash:
31510a6590cddd6d5d0ba8000a201a02
SHA1 hash:
87b172b8502bd786f3dd2b7b4279f7878c2a9e69
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
e908b68a03d90382e544a4323e229015f4aca5af3acb672b240abd038e6f9a78
MD5 hash:
9f13f537a627eac3c819bb4f6302bda0
SHA1 hash:
f4522c67ebc03362bf9d2dc7c37a06d5d8b2b089
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
74f0a218c7f9172a664ea8d8191781b1abe481e63819e3fe4caff31b35811177
MD5 hash:
73e7176e99d2d2b593e7e5fcd2a22e09
SHA1 hash:
dfdf1c5d9c9ce08a1374560f066be5b8e6de6592
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
7ba772bd35e652ca48595aa3771cb9730ac3c1b7d1d279afdd5c50429384ef2e
MD5 hash:
9d7981b65b7a554c5a427f4884a9432f
SHA1 hash:
44ac49ca4bc94151ad020bd95bb93da54c8651b4
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
SH256 hash:
5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb
MD5 hash:
788045d291dccd0c7bdf32e1d8e2ae51
SHA1 hash:
ceda27c0b8d08c34d131575557a5ba20e797bbd4
Link:
https://www.unpac.me/results/62f4d5de-482b-4720-840a-cc955edcd1fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180814/

Comments