MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b
SHA3-384 hash: d71b106f9b9c92f2ca474005c02a31cb209ca8fc11594b52b239b1a67df1a032710e97d2d2635bd0d6a91905648ded93
SHA1 hash: af2225e7ee8e1d80266a791df6e9ae8e77850224
MD5 hash: 6f0d4cb85d8eda6dfd3a80d538923db5
humanhash: arizona-uranus-kansas-november
File name:6F0D4CB85D8EDA6DFD3A80D538923DB5.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'660'704 bytes
First seen:2021-06-30 23:40:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:1qxVqDU70Z5ErEjC6xGx+L3NR33tsFwUMcjCYj0GZemeKYZ:wJ70j1C1x+L373lUzX0G0meKa
Threatray 1'046 similar samples on MalwareBazaar
TLSH 40759F10FD94F806E1B6593ECAD5CC2F0AAFBD415E328A2524B7268F931371ADC505BE
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
176.111.174.231:8938

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.111.174.231:8938 https://threatfox.abuse.ch/ioc/156576/

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://d0wnload-cheat.site/
Verdict:
Malicious activity
Analysis date:
2021-06-28 23:30:18 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/6c6a153c-57b2-4708-b0cb-b3c92231dfa1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169021/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.889-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4d06731-2450-43ab-9ccd-8ceafdcbe842
Result
Threat name:
Raccoon RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810269
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Check external IP via Powershell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442680 Sample: kvAgGyJqYT.exe Startdate: 01/07/2021 Architecture: WINDOWS Score: 100 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Found malware configuration 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 13 other signatures 2->99 9 kvAgGyJqYT.exe 3 2->9         started        process3 file4 49 C:\Users\user\AppData\...\kvAgGyJqYT.exe.log, ASCII 9->49 dropped 101 May check the online IP address of the machine 9->101 103 Contains functionality to steal Internet Explorer form passwords 9->103 105 Injects a PE file into a foreign processes 9->105 13 kvAgGyJqYT.exe 83 9->13         started        18 kvAgGyJqYT.exe 9->18         started        signatures5 process6 dnsIp7 59 tttttt.me 95.216.186.40, 443, 49737 HETZNER-ASDE Germany 13->59 61 cheat-free.online 193.203.203.48, 443, 49759 SEAP-AGEES Russian Federation 13->61 63 2 other IPs or domains 13->63 51 C:\Users\user\AppData\...behaviorgraphHaXQhVGjd.exe, PE32 13->51 dropped 53 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 13->53 dropped 55 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->55 dropped 57 57 other files (none is malicious) 13->57 dropped 107 Tries to steal Mail credentials (via file access) 13->107 20 GHaXQhVGjd.exe 19 13->20         started        23 cmd.exe 13->23         started        file8 signatures9 process10 file11 41 C:\Users\user\AppData\Local\...\build2606.exe, PE32 20->41 dropped 43 C:\Users\user\AppData\...\RandomName.exe, PE32 20->43 dropped 45 C:\Users\user\AppData\Local\Temp\444.exe, PE32 20->45 dropped 47 C:\Users\user\AppData\...\1PHCE58YRCZ1O.dll, PE32 20->47 dropped 25 cmd.exe 1 20->25         started        27 conhost.exe 23->27         started        29 timeout.exe 23->29         started        process12 process13 31 build2606.exe 25->31         started        35 RandomName.exe 25->35         started        37 444.exe 14 51 25->37         started        39 2 other processes 25->39 dnsIp14 65 api.ip.sb 31->65 67 176.111.174.231, 49783, 49788, 49790 WILWAWPL Russian Federation 31->67 69 bitbucket.org 104.192.141.1 AMAZON-02US United States 31->69 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->79 81 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 31->81 83 Tries to harvest and steal browser information (history, passwords, etc) 31->83 77 3 other IPs or domains 35->77 85 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 35->85 87 Queries memory information (via WMI often done to detect virtual machines) 35->87 71 api.ip.sb 37->71 73 185.215.113.62, 49781, 49785, 51929 WHOLESALECONNECTIONSNL Portugal 37->73 89 Tries to steal Crypto Currency Wallets 37->89 75 iplogger.org 39->75 91 May check the online IP address of the machine 39->91 signatures15
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b/
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 03:44:04 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=myqzqqjlittb67yljfnzhesjy26al25rkrah3zixwqrobekfwgnq._file
Verdict:
malicious
Similar samples:
14ea0d3828549bfd5d7d3733bc1e3495aa86b21333daeabd4d9408b53f707933
RaccoonStealer
278fbae6952f9d802509d29d6033e824a92e467a22adc87d0a8231d6e6175fc5
RaccoonStealer
5ee3f639bb7e4a7bc91f9ead0035fb6665f4d55ea7ca0f5c726ae44de4235bea
RaccoonStealer
7c4b4872ed76f3ca1b6241b682b38e64d6b7ba1eb0ea2c9893cf16c3719c48cb
RaccoonStealer
929ea8cb5bdef95c8f6b1b7f98ce1a27565fb40af90be41cc4aa70044f53ea31
RaccoonStealer
a00fa5a6df14735054f3b9700d0a9418be11971365eda296c2d539141f05fc7f
RaccoonStealer
ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c
RaccoonStealer
cbcadf05dbd77ff66668dd965e7f3cfc96ded00d9dce31aaa91fa47602138c1c
RaccoonStealer
e11175a6771df0a22bd2fdb04e93daae3ef75539e3fb301a53fd51245a0ff256
RaccoonStealer
e4fae47c8647fc72fb1bbcadc0df6814c22298b3040938f81cbe0b83fec8b8b3
RaccoonStealer
+ 1'036 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210630-k6h4v82rsj/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Raccoon
RedLine
RedLine Payload
Unpacked files
SH256 hash:
b002fb3119484607e7b8520fc86f009244ec6b1c72ae843f1ee03d5f43f1d668
MD5 hash:
35909e391bce18564f5574317c82e55e
SHA1 hash:
fb56de4316b0c424efe4daf1c48e3f195ffd74b9
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/c10e7f28-8c12-400d-8cc1-19b6b673b160/
SH256 hash:
adbae8b37dec77544b400bc36003e31143ede8411980919c4b2e939dd86e9976
MD5 hash:
33f5900004a97fabb362d5b573b7f2e0
SHA1 hash:
21d6c61a7c729cf308852f7d6ffb3eec8f53b599
Link:
https://www.unpac.me/results/c10e7f28-8c12-400d-8cc1-19b6b673b160/
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/c10e7f28-8c12-400d-8cc1-19b6b673b160/
SH256 hash:
662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b
MD5 hash:
6f0d4cb85d8eda6dfd3a80d538923db5
SHA1 hash:
af2225e7ee8e1d80266a791df6e9ae8e77850224
Link:
https://www.unpac.me/results/c10e7f28-8c12-400d-8cc1-19b6b673b160/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_07f9d80b85ceff7ee3f58dc594fe66b6
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_KB_CERT_0f9d91c6aba86f4e54cbb9ef57e68346
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169021/

Comments