MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6226d51fab1b39f5ff32c59eea507554d38242b0f5f7b8f85eb17974c0148ba0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6226d51fab1b39f5ff32c59eea507554d38242b0f5f7b8f85eb17974c0148ba0
SHA3-384 hash: 26ba0b78d70ec18b62499bad805883383f6fbd87e9826e0b82b42f20f3340b4d4f25b04dc26f4bf64cd2690f96f1c3ed
SHA1 hash: 1d3787f929ad6935a407ac9b5326eef087a9200e
MD5 hash: 0364d2db6f72cd60edcdba813f9ea16f
humanhash: west-august-triple-butter
File name:0364d2db6f72cd60edcdba813f9ea16f.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:143'360 bytes
First seen:2021-08-29 19:50:59 UTC
Last seen:2021-08-29 20:59:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6af2f376c26d45636195772a4c22fdda (12 x RaccoonStealer, 5 x Stop, 3 x Amadey)
ssdeep 1536:5u+EpPlQ0hcPdTlu7uK28x9Mpy8IdhOAiuWWwrsjk5/Npj6T61mD:5u362SKlMpy8mhOCesI5/DuT61m
Threatray 4'017 similar samples on MalwareBazaar
TLSH T123E3BF147DB0C473C6C61975481996A166BBB931DB71DA8B3B988BAE3E312C0C72F353
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0364d2db6f72cd60edcdba813f9ea16f.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-29 19:54:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ee77ef0-4ada-48aa-9f4a-72d2b708f4b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183300/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.12980.1191.30143.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Changing a file
Sending a custom TCP request
Setting a global event handler
Creating a file
Connection attempt to an infection source
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Setting browser functions hooks
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Launching a tool to kill processes
Deleting of the original file
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/331a8fae-aa95-4504-8904-9f0eff3d82c1
Result
Threat name:
Raccoon RedLine SmokeLoader Zeppelin
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841112
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RansomwareGeneric
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473543 Sample: xQDLIutCAU.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 100 64 www.geodatatool.com 2->64 66 geoiptool.com 2->66 68 api.ip.sb 2->68 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 100 16 other signatures 2->100 10 xQDLIutCAU.exe 2->10         started        13 rjfhbii 2->13         started        signatures3 process4 signatures5 118 Detected unpacking (changes PE section rights) 10->118 15 xQDLIutCAU.exe 10->15         started        120 Multi AV Scanner detection for dropped file 13->120 122 Machine Learning detection for dropped file 13->122 18 rjfhbii 13->18         started        process6 signatures7 150 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->150 152 Maps a DLL or memory area into another process 15->152 154 Checks if the current machine is a virtual machine (disk enumeration) 15->154 20 explorer.exe 17 15->20 injected 156 Creates a thread in another existing process (thread injection) 18->156 process8 dnsIp9 70 185.49.70.90, 2080 LEASEWEB-DE-FRA-10DE United Kingdom 20->70 72 readinglistforaugust2.xyz 95.213.224.6, 49721, 80 SELECTELRU Russian Federation 20->72 74 9 other IPs or domains 20->74 50 C:\Users\user\AppData\Roaming\rjfhbii, PE32 20->50 dropped 52 C:\Users\user\AppData\Local\Temp\85CB.exe, PE32 20->52 dropped 54 C:\Users\user\AppData\Local\Temp\82DC.exe, PE32 20->54 dropped 56 6 other malicious files 20->56 dropped 110 System process connects to network (likely due to code injection or exploit) 20->110 112 Benign windows process drops PE files 20->112 114 Performs DNS queries to domains with low reputation 20->114 116 2 other signatures 20->116 25 4254.exe 20->25         started        30 2C0A.exe 20->30         started        32 explorer.exe 20->32         started        34 8 other processes 20->34 file10 signatures11 process12 dnsIp13 84 www.geodatatool.com 158.69.65.151, 443, 49737, 49738 OVHFR Canada 25->84 86 geoiptool.com 25->86 58 C:\Users\user\AppData\...\explorer.exe, PE32 25->58 dropped 124 May check the online IP address of the machine 25->124 142 2 other signatures 25->142 36 explorer.exe 25->36         started        126 Multi AV Scanner detection for dropped file 30->126 128 Detected unpacking (changes PE section rights) 30->128 130 Query firmware table information (likely to detect VMs) 30->130 144 2 other signatures 30->144 40 conhost.exe 30->40         started        88 readinglistforaugust8.xyz 32->88 132 System process connects to network (likely due to code injection or exploit) 32->132 134 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->134 136 Tries to steal Mail credentials (via file access) 32->136 146 2 other signatures 32->146 90 5.181.156.252, 49752, 80 MIVOCLOUDMD Moldova Republic of 34->90 92 telete.in 195.201.225.248, 443, 49747 HETZNER-ASDE Germany 34->92 60 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 34->60 dropped 62 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 34->62 dropped 138 Tries to detect sandboxes and other dynamic analysis tools (window names) 34->138 140 Machine Learning detection for dropped file 34->140 148 2 other signatures 34->148 42 AdvancedRun.exe 34->42         started        44 7B7.exe 2 34->44         started        46 WerFault.exe 9 34->46         started        48 7 other processes 34->48 file14 signatures15 process16 dnsIp17 76 iplogger.org 88.99.66.31, 443, 49745, 49746 HETZNER-ASDE Germany 36->76 78 www.geodatatool.com 36->78 80 geoiptool.com 36->80 102 System process connects to network (likely due to code injection or exploit) 36->102 104 Multi AV Scanner detection for dropped file 36->104 106 May check the online IP address of the machine 36->106 108 Machine Learning detection for dropped file 36->108 82 192.168.2.1 unknown unknown 42->82 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6226d51fab1b39f5ff32c59eea507554d38242b0f5f7b8f85eb17974c0148ba0/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-29 19:38:23 UTC
AV detection:
19 of 42 (45.24%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mitnkh5ldm47l7zsywpouudvktjyeqvq6x33r6c6wf4xjqauroqa._file
Verdict:
suspicious
Similar samples:
48d81158ea4d8260ab5c9743eb37e81d184eecd48f5747a26f1689cc4bb0b286
RaccoonStealer
5c755d14199295a752594d0bb2a4c6bd7ede35ea7c078499fc7fff96451b2530
RaccoonStealer
7207f2cb25a9c37cded5eff0dc7707d7ef1c4f42ffb8b93aeab22f40d551a2de
RaccoonStealer
907f6b8f9c0e1e15fb052deaa36b96fe53c6bd8d1e3b15f9297b4f1295c16271
RaccoonStealer
c87fe4ff57a5464c0155bd1a8a924a2d77a79fdf87cba206e9ef5ac0d0f848cf
RaccoonStealer
f4e1fc78ba0a65bde5687a67eb89e20166e062356b77227c9e0211060bd14dc8
RaccoonStealer
f74c97d626730018ba9a8dd5e6fb806bfcc42d15a8b20ef328cc5f0d6a052ccc
RaccoonStealer
faf49f9b1d785e077bd17c37eddec80c57d3ffc843a745e6854c9b7a6812b7e0
RaccoonStealer
+ 4'007 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:20d9c80657d1d0fda9625cbd629ba419b8a34404 botnet:d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:nn botnet:zz backdoor evasion infostealer persistence ransomware spyware stealer themida trojan
Link:
https://tria.ge/reports/210829-zdfmka143j/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
185.167.97.37:30902
135.181.49.56:47634
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/bc2f2bb6-baf1-4473-8ec4-bcd4af79baa9/
SH256 hash:
6226d51fab1b39f5ff32c59eea507554d38242b0f5f7b8f85eb17974c0148ba0
MD5 hash:
0364d2db6f72cd60edcdba813f9ea16f
SHA1 hash:
1d3787f929ad6935a407ac9b5326eef087a9200e
Link:
https://www.unpac.me/results/bc2f2bb6-baf1-4473-8ec4-bcd4af79baa9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6226d51fab1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6226d51fab1b39f5ff32c59eea507554d38242b0f5f7b8f85eb17974c0148ba0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 6226d51fab1b39f5ff32c59eea507554d38242b0f5f7b8f85eb17974c0148ba0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183300/

Comments