MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2
SHA3-384 hash: c3da9b9af76ad0e22474fa79e3a00efc9139aa5c1f34d8eb94d0fc9f611438bd829eef75fde0c9a610565269b0eccfcc
SHA1 hash: f87844987a3690336ec089d44ca7a9f51c18f33c
MD5 hash: 72ec822792e913d602bf3b3d6ad3c68a
humanhash: burger-comet-lamp-zebra
File name:72ec822792e913d602bf3b3d6ad3c68a.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:197'120 bytes
First seen:2021-10-08 11:51:04 UTC
Last seen:2021-10-08 13:18:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 452a573570b57080deb33a6b6e9df7c8 (3 x RedLineStealer, 3 x RaccoonStealer, 2 x DanaBot)
ssdeep 3072:6pmtya3uZMpxy8iwJDXKv5shnjRsmW8H5LxcqPrbtZPwOfP3ARsH+kKfhgC:6pmxukxySXKvYlsSSytXjH+kKx
Threatray 5'377 similar samples on MalwareBazaar
TLSH T17B14AE9076E58076F2AE15304A699BE08737FC62E931D98B1FB156FE1F792D18A21303
File icon (PE):PE icon
dhash icon a1bcdcac9cccb48c (9 x RaccoonStealer, 6 x ArkeiStealer, 3 x Loki)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
72ec822792e913d602bf3b3d6ad3c68a.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-08 12:14:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5440aa12-c971-4f2b-a8f7-b2aed759a92c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196137/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.5804.1703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867046
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 499474 Sample: FRGgs09s5v.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 68 mas.to 88.99.75.82, 443, 49822 HETZNER-ASDE Germany 2->68 70 65.108.80.190, 49826, 80 ALABANZA-BALTUS United States 2->70 72 2 other IPs or domains 2->72 90 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 Yara detected Vidar 2->94 96 12 other signatures 2->96 10 FRGgs09s5v.exe 2->10         started        13 fdihvhv 2->13         started        15 svchost.exe 2->15         started        17 7 other processes 2->17 signatures3 process4 signatures5 106 Detected unpacking (changes PE section rights) 10->106 108 Contains functionality to inject code into remote processes 10->108 110 Injects a PE file into a foreign processes 10->110 19 FRGgs09s5v.exe 10->19         started        22 fdihvhv 13->22         started        112 Changes security center settings (notifications, updates, antivirus, firewall) 15->112 114 DLL side loading technique detected 17->114 process6 signatures7 98 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->98 100 Maps a DLL or memory area into another process 19->100 102 Checks if the current machine is a virtual machine (disk enumeration) 19->102 24 explorer.exe 16 19->24 injected 104 Creates a thread in another existing process (thread injection) 22->104 process8 dnsIp9 74 193.56.146.41, 49792, 9080 LVLT-10753US unknown 24->74 76 privacy-toolz-for-you-5000.top 5.188.88.26, 49772, 49773, 49775 PINDC-ASRU Russian Federation 24->76 78 2 other IPs or domains 24->78 50 C:\Users\user\AppData\Roaming\fdihvhv, PE32 24->50 dropped 52 C:\Users\user\AppData\Local\Temp\9A68.exe, PE32 24->52 dropped 54 C:\Users\user\AppData\Local\Temp\9065.exe, PE32 24->54 dropped 56 6 other files (3 malicious) 24->56 dropped 116 System process connects to network (likely due to code injection or exploit) 24->116 118 Benign windows process drops PE files 24->118 120 Deletes itself after installation 24->120 122 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->122 29 5CA9.exe 24->29         started        34 9A68.exe 24->34         started        36 6DA8.exe 24->36         started        38 2 other processes 24->38 file10 signatures11 process12 dnsIp13 80 91.219.236.103, 49813, 80 SERVERASTRA-ASHU Hungary 29->80 82 teletop.top 104.21.17.146, 49812, 80 CLOUDFLARENETUS United States 29->82 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 29->58 dropped 60 C:\Users\user\AppData\...\vcruntime140.dll, PE32 29->60 dropped 62 C:\Users\user\AppData\...\ucrtbase.dll, PE32 29->62 dropped 66 56 other files (none is malicious) 29->66 dropped 132 Detected unpacking (changes PE section rights) 29->132 134 Detected unpacking (overwrites its own PE header) 29->134 136 Tries to steal Mail credentials (via file access) 29->136 146 2 other signatures 29->146 84 193.56.146.60, 21821, 49891 LVLT-10753US unknown 34->84 138 Query firmware table information (likely to detect VMs) 34->138 140 Tries to detect sandboxes and other dynamic analysis tools (window names) 34->140 142 Hides threads from debuggers 34->142 144 Tries to detect sandboxes / dynamic malware analysis system (registry check) 34->144 40 conhost.exe 34->40         started        42 6DA8.exe 36->42         started        64 C:\Users\user\AppData\Local\...\rpzxxnwm.exe, PE32 38->64 dropped 45 747F.exe 15 2 38->45         started        48 conhost.exe 38->48         started        file14 signatures15 process16 dnsIp17 124 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->124 126 Maps a DLL or memory area into another process 42->126 128 Checks if the current machine is a virtual machine (disk enumeration) 42->128 130 Creates a thread in another existing process (thread injection) 42->130 86 ckauni.ru 81.177.141.85, 443, 49892 RTCOMM-ASRU Russian Federation 45->86 88 93.115.20.139, 28978, 49869 MVPShttpswwwmvpsnetEU Romania 45->88 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 09:17:49 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mp3ksiee5aphe4qpmfqcq7thm3rcct2ituirikuwncjfy3cgc3za._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0d9bae8c6ba3fe8d9cace7e0b9a68721f9febcc73730b00d1b103c318ba6f361
RaccoonStealer
27fedb8ef3fb428492824755d575ca2f19c7c02e95a5c153edffaea3a7560787
RaccoonStealer
3081dd771b70907a5ce4c447c3a8dd6aac2d49030face32d60127d220122fd70
RaccoonStealer
35cd41eed1dcc9629dbf360fbea09f8406ec25061fa73643d0c7f6d82bf3ffc3
RaccoonStealer
3f19653a117fe3c7b00b53a2ac212503b2d4a0d4650a2e95788d2b2b5cc7a981
RaccoonStealer
86a52a844928c72e0e51f369092b44e9924b588d131ae14ff31cee2d0bf94558
RaccoonStealer
aa91fc9cbcf0c8f03593dc8801dfbc24b35e6ac0317c11c36b93e17fc915a44b
RaccoonStealer
c52d24dc24c1cafd05297ae27e27dda206583220b0b5c5e518317043a3f4042d
RaccoonStealer
c9a0c77dce1e1f7e570b187e01a8a2e2c0a87e0c24d8b1345389775a42c9b35c
RaccoonStealer
d93931a4805f6ba426222b756f48c649fdf28a2ae51b9e4fde0d393ee5b340a0
RaccoonStealer
+ 5'367 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:1033 botnet:2ea41939378a473cbe7002fd507389778c0f10e7 botnet:777 botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 backdoor collection discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211008-nz6xfaebep/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
xmrig
Malware Config
C2 Extraction:
http://fazanaharahe10.top/
http://xandelissane20.top/
http://ustiassosale30.top/
http://cytheriata40.top/
http://ggiergionard50.top/
93.115.20.139:28978
defeatwax.ru
refabyd.info
https://mas.to/@serg4325
Unpacked files
SH256 hash:
2384bfa55466572c6b776df6d320a761b053c636d9e29d75e2eaae6e12e98119
MD5 hash:
28b14b815891ae62b48159abdfbf4076
SHA1 hash:
53163b6fa19c2446aeaf146f4fb96590cf7e4257
Link:
https://www.unpac.me/results/d3e26416-cca0-43f7-ae8f-fb04a7e42ba2/
SH256 hash:
63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2
MD5 hash:
72ec822792e913d602bf3b3d6ad3c68a
SHA1 hash:
f87844987a3690336ec089d44ca7a9f51c18f33c
Link:
https://www.unpac.me/results/d3e26416-cca0-43f7-ae8f-fb04a7e42ba2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/63f6a92084e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1660824/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196137/

Comments