MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa
SHA3-384 hash: ec7c9ab466f36399a4fbc454ff48fb5157b14eff3a87ede6a33f7e22c4097e538e4ac6478534a901ef1ba0dfea8192de
SHA1 hash: 6e13c0866589e928e074c85e0225d7cbca241c36
MD5 hash: 7c71c41506fdc306efd7c00f359abbfd
humanhash: charlie-johnny-red-maine
File name:7C71C41506FDC306EFD7C00F359ABBFD.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:646'144 bytes
First seen:2021-08-15 23:20:57 UTC
Last seen:2021-08-15 23:45:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d0f5faff0d9a42cffdcdc1bfda477ddc (2 x DiamondFox, 1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:k36SNp0mWujfTYiVgDR6FmgGak6H3lP3XJik0YhBhrLz0:k3fYj0F876j0KDrf0
Threatray 239 similar samples on MalwareBazaar
TLSH T19FD45A3255A4F866F4A50CB8A1A6E3B69838AF758AD78053F2B0773F86313D17C60537
dhash icon 31f8ce8282c0e001 (3 x DiamondFox, 3 x AgentTesla, 2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
188.124.36.242:25802

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
188.124.36.242:25802 https://threatfox.abuse.ch/ioc/189204/

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://mega.nz/file/ASZlWAJZ#6Cgeb20jdxGBfYMDDbEJu1FNfXCTnVix6HMHWncuyqU
Verdict:
Malicious activity
Analysis date:
2021-08-15 18:47:58 UTC
Tags:
evasion trojan stealer rat redline phishing
Link:
https://app.any.run/tasks/3285fea3-b9b7-4980-8e64-12a8a1921ae0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179397/
Detection(s):
SecuriteInfo.com.Variant.Zusy.397336.1891.5954.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Connection attempt to an infection source
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Replacing files
Creating a file in the %AppData% subdirectories
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Coinhive Glupteba Metasploit Raccoon Red
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833251
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Performs DNS TXT record lookups
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Coinhive miner
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465678 Sample: kXJzvVUsyN.exe Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 54 all-brain-company.xyz 2->54 56 sytareliar.xyz 2->56 58 32 other IPs or domains 2->58 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Antivirus detection for URL or domain 2->82 84 Multi AV Scanner detection for submitted file 2->84 90 12 other signatures 2->90 8 kXJzvVUsyN.exe 4 75 2->8         started        signatures3 86 May check the online IP address of the machine 54->86 88 Performs DNS queries to domains with low reputation 56->88 process4 dnsIp5 60 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com 8->60 62 37.0.10.236, 49715, 80 WKD-ASIE Netherlands 8->62 64 16 other IPs or domains 8->64 28 C:\Users\...\yY2VMzRDfAcwrftMQZ7mRQoI.exe, PE32 8->28 dropped 30 C:\Users\...\y7J6xDjFYivYgQB3g2GLbF9S.exe, PE32 8->30 dropped 32 C:\Users\...\ukrRJ4mreclqrSARuBLnK9h5.exe, PE32 8->32 dropped 34 47 other files (25 malicious) 8->34 dropped 92 Drops PE files to the document folder of the user 8->92 94 May check the online IP address of the machine 8->94 96 Creates HTML files with .exe extension (expired dropper behavior) 8->96 98 Disable Windows Defender real time protection (registry) 8->98 13 nCPUAhdih5XPMx1qgDXCdPUf.exe 82 8->13         started        18 D6elmF9Nvf7GIBXK2QjQIomB.exe 8->18         started        20 CKrhfKaeE6jEYi61dAJVDPvF.exe 8->20         started        22 11 other processes 8->22 file6 100 Performs DNS queries to domains with low reputation 60->100 signatures7 process8 dnsIp9 66 45.153.230.19 TEAM-HOSTASRU Russian Federation 13->66 68 telete.in 195.201.225.248 HETZNER-ASDE Germany 13->68 70 gmailservice7911.com 13->70 36 C:\Users\user\AppData\...\Ciug15ERx4.exe, PE32 13->36 dropped 38 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 13->38 dropped 50 58 other files (none is malicious) 13->50 dropped 102 Detected unpacking (changes PE section rights) 13->102 104 Detected unpacking (overwrites its own PE header) 13->104 106 Tries to steal Mail credentials (via file access) 13->106 108 Contains functionality to steal Internet Explorer form passwords 13->108 110 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 18->110 112 Writes to foreign memory regions 18->112 124 3 other signatures 18->124 76 2 other IPs or domains 20->76 40 C:\Users\user\AppData\Roaming\7839232.exe, PE32 20->40 dropped 42 C:\Users\user\AppData\Roaming\4332934.exe, PE32 20->42 dropped 114 May check the online IP address of the machine 20->114 116 Performs DNS queries to domains with low reputation 20->116 72 ip-api.com 208.95.112.1 TUT-ASUS United States 22->72 74 cleaner-partners.com 149.202.43.93 OVHFR France 22->74 78 7 other IPs or domains 22->78 44 C:\Users\...\n3Xy86FJL9wEfDrZK1xxYhws.tmp, PE32 22->44 dropped 46 C:\Users\user\AppData\Roaming\8604848.exe, PE32 22->46 dropped 48 C:\Users\user\AppData\Roaming\5202335.exe, PE32 22->48 dropped 52 16 other files (none is malicious) 22->52 dropped 118 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->118 120 Contains functionality to inject code into remote processes 22->120 122 Tries to harvest and steal browser information (history, passwords, etc) 22->122 126 4 other signatures 22->126 24 conhost.exe 22->24         started        26 conhost.exe 22->26         started        file10 signatures11 process12
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-08-13 22:53:48 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=my6rdrvgq6lb5c243ie3oifjkeozoku6ufsm7dbyka32gpxkkp5a._file
Verdict:
malicious
Similar samples:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
RaccoonStealer
2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf
RaccoonStealer
31452b50fe8475fa4566b814ed702c6910029ff66db45d3dbb21c2e3ed63594f
RaccoonStealer
3d93d1e45579a47c3a3425fd16319c5a004396a2d98b7cf170ed009dad29c247
RaccoonStealer
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
RaccoonStealer
62cf8452627f42cc0f5655a12ef386c720e11f2fd2ad7ec64ea821184ffacc65
RaccoonStealer
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
RaccoonStealer
8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d
RaccoonStealer
f70d4b4fc9941796d149798614345b8e8bf6e0c69022ac407cb8b03bf26fdc7c
RaccoonStealer
+ 229 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:vidar botnet:32222 botnet:937 botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 botnet:@soul3ss botnet:dibild botnet:install2 botnet:ls3 backdoor discovery dropper evasion infostealer loader stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210815-2xy2kzdle6/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
CustAttr .NET packer
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Glupteba
Glupteba Payload
MetaSploit
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
ganedokhot.xyz:80
188.124.36.242:25802
135.148.139.222:33569
65.21.103.71:56458
188.130.139.12:23747
Unpacked files
SH256 hash:
663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa
MD5 hash:
7c71c41506fdc306efd7c00f359abbfd
SHA1 hash:
6e13c0866589e928e074c85e0225d7cbca241c36
Link:
https://www.unpac.me/results/feecd943-176a-4089-844b-55d361705280/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/663d11c6a687/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/663d11c6a687961e8b5cda09b720a9511d972a9ea164cf8c385037a33eea53fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:UroburosVirtualBoxDriver
Create hunting rule
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179397/

Comments