MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11
SHA3-384 hash: 78dc9ef80d55c49197e957056bca22542ca2aa35cae6c02b4688db5f6196744b2a82b614f5eb10d79e4e05432c237e7a
SHA1 hash: 749c3e74ed602f69dc1370bf5ae4dc455be30963
MD5 hash: 07a6907ef31e1cdc6c4490bb25f82a1d
humanhash: mirror-don-lima-jersey
File name:07a6907ef31e1cdc6c4490bb25f82a1d.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:342'528 bytes
First seen:2022-01-04 19:15:34 UTC
Last seen:2022-01-04 20:50:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e64508a754c560e6e71788b6f0d7d44d (5 x RedLineStealer, 2 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 6144:HEU33IGfkQkMRk75Xy1CgNTg0tYL5TS+d7R282Mtc3AkQ8:HEU33ffbRk75ioGgsCJSI7R1tcF
Threatray 1'880 similar samples on MalwareBazaar
TLSH T115747D10BBA0C03AE1B715F449B59368B62E7EE15B2451CB63D52BEE5B356E0EC3070B
File icon (PE):PE icon
dhash icon 2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
95.143.179.186:4633

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.143.179.186:4633 https://threatfox.abuse.ch/ioc/290925/
185.215.113.50:19704 https://threatfox.abuse.ch/ioc/290933/

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
07a6907ef31e1cdc6c4490bb25f82a1d.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-04 19:22:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4d9ec9ca-4e97-4dd8-a7d5-ded7d1204043

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217310/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.6491.24386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61d49cf7aeeec3fd2dfc06d4/reports/a65f4c91-7988-4862-904f-199027570341/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8a1f16f-84e2-44ee-bee5-7451c791f19e
Result
Threat name:
RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915447
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 547921 Sample: tLhG5jGH69.exe Startdate: 04/01/2022 Architecture: WINDOWS Score: 100 97 116.202.186.120, 49913, 80 HETZNER-ASDE Germany 2->97 99 91.219.236.18, 80 SERVERASTRA-ASHU Hungary 2->99 101 7 other IPs or domains 2->101 127 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->127 129 Antivirus detection for URL or domain 2->129 131 Yara detected Vidar 2->131 133 14 other signatures 2->133 11 tLhG5jGH69.exe 2->11         started        14 giqpffzw.exe 2->14         started        16 stecwgj 2->16         started        18 5 other processes 2->18 signatures3 process4 signatures5 175 Contains functionality to inject code into remote processes 11->175 177 Injects a PE file into a foreign processes 11->177 20 tLhG5jGH69.exe 11->20         started        179 Detected unpacking (changes PE section rights) 14->179 181 Detected unpacking (overwrites its own PE header) 14->181 183 Writes to foreign memory regions 14->183 185 Allocates memory in foreign processes 14->185 23 svchost.exe 14->23         started        187 Machine Learning detection for dropped file 16->187 26 stecwgj 16->26         started        28 WerFault.exe 18->28         started        process6 dnsIp7 135 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->135 137 Maps a DLL or memory area into another process 20->137 139 Checks if the current machine is a virtual machine (disk enumeration) 20->139 30 explorer.exe 10 20->30 injected 103 patmushta.info 194.87.235.183, 443, 49829, 49895 MTW-ASRU Russian Federation 23->103 105 microsoft-com.mail.protection.outlook.com 52.101.24.0, 25, 49819 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->105 141 System process connects to network (likely due to code injection or exploit) 23->141 143 Creates a thread in another existing process (thread injection) 26->143 signatures8 process9 dnsIp10 113 185.233.81.115, 443, 49783, 49784 SUPERSERVERSDATACENTERRU Russian Federation 30->113 115 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands 30->115 117 21 other IPs or domains 30->117 89 C:\Users\user\AppData\Roaming\stecwgj, PE32 30->89 dropped 91 C:\Users\user\AppData\Local\Temp\F17E.exe, PE32 30->91 dropped 93 C:\Users\user\AppData\Local\Temp902.exe, PE32 30->93 dropped 95 9 other malicious files 30->95 dropped 119 System process connects to network (likely due to code injection or exploit) 30->119 121 Benign windows process drops PE files 30->121 123 Deletes itself after installation 30->123 125 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->125 35 7D55.exe 2 30->35         started        39 FFE6.exe 30->39         started        42 F17E.exe 127 30->42         started        44 3 other processes 30->44 file11 signatures12 process13 dnsIp14 81 C:\Users\user\AppData\Local\...\giqpffzw.exe, PE32 35->81 dropped 145 Detected unpacking (changes PE section rights) 35->145 147 Detected unpacking (overwrites its own PE header) 35->147 149 Machine Learning detection for dropped file 35->149 165 2 other signatures 35->165 46 cmd.exe 35->46         started        49 cmd.exe 35->49         started        51 sc.exe 35->51         started        63 3 other processes 35->63 107 185.7.214.239, 49853, 49874, 49893 DELUNETDE France 39->107 151 Query firmware table information (likely to detect VMs) 39->151 153 Tries to detect sandboxes and other dynamic analysis tools (window names) 39->153 155 Tries to harvest and steal browser information (history, passwords, etc) 39->155 167 3 other signatures 39->167 109 file-file-host4.com 42->109 83 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 42->83 dropped 85 C:\ProgramData\sqlite3.dll, PE32 42->85 dropped 157 Tries to steal Crypto Currency Wallets 42->157 159 Contains functionality to detect sleep reduction / modifications 42->159 53 cmd.exe 42->53         started        161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->161 163 Injects a PE file into a foreign processes 44->163 55 E902.exe 44->55         started        58 8778.exe 44->58         started        61 WerFault.exe 23 9 44->61         started        file15 signatures16 process17 dnsIp18 87 C:\Windows\SysWOW64\...\giqpffzw.exe (copy), PE32 46->87 dropped 65 conhost.exe 46->65         started        67 conhost.exe 49->67         started        69 conhost.exe 51->69         started        71 conhost.exe 53->71         started        73 timeout.exe 53->73         started        169 Maps a DLL or memory area into another process 55->169 171 Checks if the current machine is a virtual machine (disk enumeration) 55->171 173 Creates a thread in another existing process (thread injection) 55->173 111 86.107.197.138, 38133, 49870 MOD-EUNL Romania 58->111 75 conhost.exe 63->75         started        77 conhost.exe 63->77         started        79 conhost.exe 63->79         started        file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2022-01-04 19:16:12 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=llyu53k5vg3mmnavqg6z5ge5wl4pz2kekjddv7v4iwa2wb6tp4iq._file
Verdict:
malicious
Similar samples:
06af78c89fc6b79696c14326d98a5d8ff14ae51b4303c308a77d980dbd731922
RaccoonStealer
0dee20eae747781c183499abc341feded87a5a6325f0a9b789067d1b6377ef89
RaccoonStealer
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
RaccoonStealer
4f9443050501f6fe2ca8483e102c08a0bf7581dc511a54d01a038e4f7b3406e3
RaccoonStealer
716408476bc23c3e74a852ed6246dd60e8ed18533bedc13d4984279c97cd1a74
RaccoonStealer
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
RaccoonStealer
b75c337a0fb7eb49ec34d6d313a612e93dc4180a8bf25f99fd7b10ea1077e8e1
RaccoonStealer
d9ef2723a2d54f8774224b15ad9324598e2213597cf882292af713223b097294
RaccoonStealer
+ 1'870 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:smokeloader family:tofsee family:vidar botnet:408 backdoor collection discovery evasion persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220104-xyssvshgcn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Arkei
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
patmushta.info
parubey.info
https://qoto.org/@banda4ker
https://c.im/@banda3ker
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/dc277d64-a31f-40a0-b24e-9c64567e5892/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11
MD5 hash:
07a6907ef31e1cdc6c4490bb25f82a1d
SHA1 hash:
749c3e74ed602f69dc1370bf5ae4dc455be30963
Link:
https://www.unpac.me/results/dc277d64-a31f-40a0-b24e-9c64567e5892/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5af14eed5da9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1919115/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1928873/
Cape
Cape
https://www.capesandbox.com/analysis/217310/

Comments