MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63ccf79d80fa6ad8254711296240ff29f27d41e40301324371581af10d56ca02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63ccf79d80fa6ad8254711296240ff29f27d41e40301324371581af10d56ca02
SHA3-384 hash: 118affb5f5ffaf0d08b0d2abddcab60da49e86cd4cb076bb5fa4989599a82b3ab4dcbeeccae14e63cf626fce15230afe
SHA1 hash: c3a0966d82f9645c7999fb718bc0beebc6295a96
MD5 hash: a90e1a7dfcb8d9f8912de1b99ff03139
humanhash: august-pennsylvania-happy-fruit
File name:a90e1a7dfcb8d9f8912de1b99ff03139.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:252'416 bytes
First seen:2021-09-07 11:31:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35e1a5a67390846ef9c927633accec41 (3 x RaccoonStealer, 2 x ArkeiStealer, 2 x RedLineStealer)
ssdeep 6144:6wZFDyHJPUtXknQT6zQJEPVoAh9buXc34FYtnY:fFDoJctXkFzQivhJoYtY
TLSH T167348C20B6A0C035F5F711F589B993A8693DBEB26F3051CB62D427EE56346E4AD30783
dhash icon e0e8e8e8aa62a499 (12 x RaccoonStealer, 9 x RedLineStealer, 7 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://178.23.190.242/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://178.23.190.242/ https://threatfox.abuse.ch/ioc/216953/

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a90e1a7dfcb8d9f8912de1b99ff03139.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-07 11:32:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f94ced34-935e-4ad3-95b2-01b6037458e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Sharik
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186011/
Detection(s):
Win.Packed.Generic-9891245-0
Create hunting rule

Win.Packed.Generic-9891264-0
Create hunting rule

Win.Packed.Generic-9891283-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1b4d71f-bd83-47a7-bb9d-e2f161912180
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846562
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to download HTTP data from a sinkholed server
Tries to resolve many domain names, but no domain seems valid
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478994 Sample: f9aoawyl4M.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 89 sky.com 2->89 91 rogers.com 2->91 93 180 other IPs or domains 2->93 121 Tries to download HTTP data from a sinkholed server 2->121 123 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->123 125 Antivirus detection for URL or domain 2->125 129 14 other signatures 2->129 13 f9aoawyl4M.exe 2->13         started        16 sicfwvv 2->16         started        18 svchost.exe 2->18         started        20 11 other processes 2->20 signatures3 127 Tries to resolve many domain names, but no domain seems valid 91->127 process4 dnsIp5 149 Detected unpacking (changes PE section rights) 13->149 23 f9aoawyl4M.exe 13->23         started        151 Multi AV Scanner detection for dropped file 16->151 153 Machine Learning detection for dropped file 16->153 26 sicfwvv 16->26         started        155 Changes security center settings (notifications, updates, antivirus, firewall) 18->155 95 127.0.0.1 unknown unknown 20->95 97 192.168.2.1 unknown unknown 20->97 signatures6 process7 signatures8 133 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 23->133 135 Maps a DLL or memory area into another process 23->135 137 Checks if the current machine is a virtual machine (disk enumeration) 23->137 28 explorer.exe 6 20 23->28 injected 139 Creates a thread in another existing process (thread injection) 26->139 process9 dnsIp10 99 onyokandis9.store 28->99 101 nastanizab8.store 28->101 103 22 other IPs or domains 28->103 79 C:\Users\user\AppData\Roaming\sicfwvv, PE32 28->79 dropped 81 C:\Users\user\AppData\Local\Temp\91D8.exe, PE32 28->81 dropped 83 C:\Users\user\AppData\Local\Temp\7D55.exe, PE32 28->83 dropped 85 6 other files (5 malicious) 28->85 dropped 157 System process connects to network (likely due to code injection or exploit) 28->157 159 Benign windows process drops PE files 28->159 161 Performs DNS queries to domains with low reputation 28->161 165 2 other signatures 28->165 33 798B.exe 1 6 28->33         started        36 25C2.exe 1 28->36         started        38 63FE.exe 28->38         started        40 2 other processes 28->40 file11 163 Tries to resolve many domain names, but no domain seems valid 101->163 signatures12 process13 file14 105 Machine Learning detection for dropped file 33->105 43 cmd.exe 1 33->43         started        46 dllhost.exe 33->46         started        107 Multi AV Scanner detection for dropped file 36->107 109 Detected unpacking (changes PE section rights) 36->109 111 Query firmware table information (likely to detect VMs) 36->111 119 3 other signatures 36->119 48 conhost.exe 36->48         started        113 Contains functionality to inject code into remote processes 38->113 115 Injects a PE file into a foreign processes 38->115 50 63FE.exe 38->50         started        75 C:\Users\user\AppData\Local\...\pfamgswo.exe, PE32 40->75 dropped 117 Contains functionality to steal Internet Explorer form passwords 40->117 signatures15 process16 signatures17 143 Submitted sample is a known malware sample 43->143 145 Obfuscated command line found 43->145 147 Uses ping.exe to check the status of other devices and networks 43->147 52 cmd.exe 3 43->52         started        55 conhost.exe 43->55         started        process18 signatures19 131 Obfuscated command line found 52->131 57 Versato.exe.com 52->57         started        60 findstr.exe 1 52->60         started        63 PING.EXE 52->63         started        process20 file21 141 Drops PE files with a suspicious file extension 57->141 65 Versato.exe.com 57->65         started        77 C:\Users\user\AppData\...\Versato.exe.com, Targa 60->77 dropped signatures22 process23 dnsIp24 87 XnreryDtttxrMmEdC.XnreryDtttxrMmEdC 65->87 69 C:\Users\user\AppData\...\TmpVRlruOk.exe.com, PE32 65->69 dropped 71 C:\Users\user\AppData\...\pEjCHcEgLkCJZt.js, ASCII 65->71 dropped 73 C:\Users\user\AppData\...\TmpVRlruOk.url, MS 65->73 dropped file25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63ccf79d80fa6ad8254711296240ff29f27d41e40301324371581af10d56ca02/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 11:32:08 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpgpphma7jvnqjkhceuweqh7fhzh2qpeamateq3rlanpcdkwziba._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:e89524de1a131be43c3cc9ec324dabb6a9998c12 botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210907-nnapvsffgr/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Core1 .NET packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
xmrig
Malware Config
C2 Extraction:
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
http://rigtestforum.ru/board/
http://rigtestforum.click/board/
http://rigtestforum.to/board/
45.14.49.232:14970
Unpacked files
SH256 hash:
00f084577498574656aee0e4ce71090d1127e61b121ded642095d8abafa8faad
MD5 hash:
1ebf9a8027fe82a4416188d52ee12a8c
SHA1 hash:
b78dd61046152043e8a4c7a4b144d7d94c9c0867
Link:
https://www.unpac.me/results/b8e9fbb5-5e1a-49c5-934d-d6d67719cf4b/
SH256 hash:
63ccf79d80fa6ad8254711296240ff29f27d41e40301324371581af10d56ca02
MD5 hash:
a90e1a7dfcb8d9f8912de1b99ff03139
SHA1 hash:
c3a0966d82f9645c7999fb718bc0beebc6295a96
Link:
https://www.unpac.me/results/b8e9fbb5-5e1a-49c5-934d-d6d67719cf4b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/63ccf79d80fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63ccf79d80fa6ad8254711296240ff29f27d41e40301324371581af10d56ca02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 63ccf79d80fa6ad8254711296240ff29f27d41e40301324371581af10d56ca02

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/186011/

Comments