MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6
SHA3-384 hash: cff6f3c7b6514dd69fef300b9070a8b395b14fa743c43588cce4bfb7bcdbcd4326af0a92d9f374c2d55bb1d82f9d6b3e
SHA1 hash: 0926e349243a6946f1d19e06364d5adc87dd67ef
MD5 hash: 3903123e8fabc0eb0cc737517a63c8d2
humanhash: twenty-mexico-missouri-uranus
File name:Sirus.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'549'856 bytes
First seen:2021-07-16 22:44:53 UTC
Last seen:2021-07-16 23:42:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 129e9ef609b7048f8b92cbfb16c31fd6 (2 x RaccoonStealer)
ssdeep 98304:oyvXBAIX5kXyyQkm3oSmea+umyBtcPnEMvOhAfQ3RlxLW9eJ178:eIX+FQkm3oq/QxYOA6RlxH7o
Threatray 429 similar samples on MalwareBazaar
TLSH T17526237336A520C4E5E0C8388637FDE972BA17698B42A87D64BB6DC134735E1E723943
Reporter Anonymous
Tags:exe RaccoonStealer Redline

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHJxVXg1clN2cFF1bzVLSUs2TllnMTJ2VV9JQXxBQ3Jtc0trRU05bEl6bENNMHUteWdIVVdKNjhVTl9YbF9xNFNkdHdiYnI3dWw3bHdHSHFCUVROa25oYkstRkxZWlB6NkdKb2trZUZhODFyNnVCdk12eWNNZXQ3RGpQQ2FiNGg5dzRQU19lOVJGdXBLcHlfRXhMRQ&q=https%3A%2F%2Fd0iiinl0ads.ru%2F
Verdict:
Malicious activity
Analysis date:
2021-07-16 16:11:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5a320b7e-9232-4c28-b7e2-fdf966daf478

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172289/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46630716.28882.4508.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f8bd133-9d1b-4b40-a4c4-ec2a949736b2
Result
Threat name:
Raccoon RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817737
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450148 Sample: Sirus.exe Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected RedLine Stealer 2->53 55 10 other signatures 2->55 7 Sirus.exe 83 2->7         started        12 Chrome updater.exe 14 3 2->12         started        process3 dnsIp4 37 t.me 149.154.167.99, 443, 49740 TELEGRAMRU United Kingdom 7->37 39 cheat-free.com 193.203.203.37, 443, 49750 SEAP-AGEES Russian Federation 7->39 43 2 other IPs or domains 7->43 29 C:\Users\user\AppData\...\YrsMQg6MIR.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\...\SwSSCr8SO1.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\...\vcruntime140.dll, PE32 7->33 dropped 35 58 other files (none is malicious) 7->35 dropped 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->57 59 Tries to steal Mail credentials (via file access) 7->59 61 Tries to harvest and steal browser information (history, passwords, etc) 7->61 14 YrsMQg6MIR.exe 15 2 7->14         started        18 SwSSCr8SO1.exe 14 3 7->18         started        21 cmd.exe 1 7->21         started        41 iplogger.org 12->41 file5 signatures6 process7 dnsIp8 45 176.111.174.231, 49368 WILWAWPL Russian Federation 14->45 63 Detected unpacking (changes PE section rights) 14->63 65 Query firmware table information (likely to detect VMs) 14->65 67 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->67 73 2 other signatures 14->73 47 iplogger.org 88.99.66.31, 443, 49752, 49759 HETZNER-ASDE Germany 18->47 27 C:\Users\user\AppData\...\Chrome updater.exe, PE32 18->27 dropped 69 May check the online IP address of the machine 18->69 71 Drops PE files to the startup folder 18->71 23 conhost.exe 21->23         started        25 timeout.exe 1 21->25         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 22:29:12 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5xp2i62rf5rzuse2s7ygyd65b73wacdja46tej6b7ki4t5ur33a._file
Verdict:
suspicious
Similar samples:
0f0eb4a8a538f339214f86a8b084d685a4fb51d54f258f5718393003ab1ff35b
RaccoonStealer
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
RaccoonStealer
3d3112ce7c1a80e0378b15c7084b1b49a9805a5e47a85a97acdd7841d0a9b40b
RaccoonStealer
60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
RaccoonStealer
6c8131fc986f9477582f43530e0bdc660887285c83360c52e6b68876a57dc9b0
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
8b7e447356ade4824db0565f713751a6c0b37cc560269ced9cc6176e1d1fdd24
RaccoonStealer
e13ba9f6e63e4013b75c3d45b012d8cbdda80913669bdd10942828b05d66e798
RaccoonStealer
+ 419 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210716-fgahf6tgqx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
RedLine
RedLine Payload
Unpacked files
SH256 hash:
0007ddd0301ebad9f9f1bdcd9fa8853fb0dd560a5325b3e1efb21f094c5e2fa6
MD5 hash:
23f72997f3e40ef6e6901862d73c2949
SHA1 hash:
2af88cde1aa00eae82e68505efd2fb3ad1ebdedd
Link:
https://www.unpac.me/results/1eca18d1-4fad-4c09-af47-b9f583c684d2/
SH256 hash:
676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6
MD5 hash:
3903123e8fabc0eb0cc737517a63c8d2
SHA1 hash:
0926e349243a6946f1d19e06364d5adc87dd67ef
Link:
https://www.unpac.me/results/1eca18d1-4fad-4c09-af47-b9f583c684d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_07f9d80b85ceff7ee3f58dc594fe66b6
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_KB_CERT_0f9d91c6aba86f4e54cbb9ef57e68346
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172289/

Comments