MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ad251e42f399701cbb54886554c2a65e5744f5db57f6f627ad47eab268784cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ad251e42f399701cbb54886554c2a65e5744f5db57f6f627ad47eab268784cf
SHA3-384 hash: f9bf6ca8f166e452b8d24182f9b015a83eb105ca79e4ff5a7bf5b75e505e32cfdccbc31648c3a91362d2c61dabde70a3
SHA1 hash: 938d5a744984f8a85e8da69aa0fe246bb14c3da9
MD5 hash: 3550d89ccc593511ce463f3deeb42499
humanhash: mississippi-undress-fillet-monkey
File name:6ad251e42f399701cbb54886554c2a65e5744f5db57f6.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:251'904 bytes
First seen:2021-09-07 06:46:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2b61ec335a437915fc26e9e5178da86 (5 x RaccoonStealer, 4 x Stop, 2 x ArkeiStealer)
ssdeep 3072:9kJUJPTFCCTYUaq6VyVaMINYaVgOIRZF7IxSgqptNXtm/piL7BbHOt+EvGOqRBKv:9k4TFCTUWkVaDOarWtOMtbuRN0o6
Threatray 3'935 similar samples on MalwareBazaar
TLSH T168348D20B6E0C035F4F712F859B983BC693ABDB26B2440CB62D52BEE56356E49D30357
dhash icon e0e8e8e8aa66a499 (32 x RaccoonStealer, 23 x RedLineStealer, 14 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.142.215.237/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.237/ https://threatfox.abuse.ch/ioc/216755/

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6ad251e42f399701cbb54886554c2a65e5744f5db57f6.exe
Verdict:
No threats detected
Analysis date:
2021-09-07 06:51:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/edbfb271-9bfe-49c4-817a-176e287db281

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185931/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader42.32996.27661.18836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Deleting of the original file
Enabling autorun by creating a file
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8235eb27-1797-4e6e-8faa-d0a40bd3bdb5
Result
Threat name:
RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846307
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478738 Sample: 6ad251e42f399701cbb54886554... Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Antivirus detection for URL or domain 2->76 78 Yara detected Vidar 2->78 80 6 other signatures 2->80 9 6ad251e42f399701cbb54886554c2a65e5744f5db57f6.exe 2->9         started        12 gdvtasa 2->12         started        process3 signatures4 96 Detected unpacking (changes PE section rights) 9->96 98 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->98 100 Maps a DLL or memory area into another process 9->100 14 explorer.exe 7 9->14 injected 102 Checks if the current machine is a virtual machine (disk enumeration) 12->102 104 Creates a thread in another existing process (thread injection) 12->104 process5 dnsIp6 60 fernandomayol.com 197.44.54.172, 49711, 49712, 49713 TE-ASTE-ASEG Egypt 14->60 62 185.212.47.137, 49714, 80 SERVINGADE Sweden 14->62 64 6 other IPs or domains 14->64 44 C:\Users\user\AppData\Roaming\gdvtasa, PE32 14->44 dropped 46 C:\Users\user\AppData\Local\Temp\36E8.exe, PE32 14->46 dropped 48 C:\Users\user\AppData\Local\Temp\320A.exe, PE32 14->48 dropped 50 C:\Users\user\...\gdvtasa:Zone.Identifier, ASCII 14->50 dropped 66 System process connects to network (likely due to code injection or exploit) 14->66 68 Benign windows process drops PE files 14->68 70 Deletes itself after installation 14->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->72 19 320A.exe 72 14->19         started        24 36E8.exe 15 26 14->24         started        file7 signatures8 process9 dnsIp10 52 gheorghip.tumblr.com 74.114.154.22, 443, 49733 AUTOMATTICUS Canada 19->52 54 162.55.179.90, 49734, 80 ACPCA United States 19->54 36 C:\Users\user\AppData\...\softokn3[1].dll, PE32 19->36 dropped 38 C:\Users\user\AppData\...\mozglue[1].dll, PE32 19->38 dropped 40 C:\Users\user\AppData\...\freebl3[1].dll, PE32 19->40 dropped 42 9 other files (none is malicious) 19->42 dropped 82 Detected unpacking (changes PE section rights) 19->82 84 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->84 86 Machine Learning detection for dropped file 19->86 88 Tries to harvest and steal browser information (history, passwords, etc) 19->88 26 cmd.exe 1 19->26         started        56 185.215.113.29, 49738, 8678 WHOLESALECONNECTIONSNL Portugal 24->56 58 api.ip.sb 24->58 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->90 92 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->92 94 Tries to steal Crypto Currency Wallets 24->94 28 conhost.exe 24->28         started        file11 signatures12 process13 process14 30 taskkill.exe 1 26->30         started        32 conhost.exe 26->32         started        34 timeout.exe 1 26->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ad251e42f399701cbb54886554c2a65e5744f5db57f6f627ad47eab268784cf/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 06:46:07 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nljfdzbphglqds5vjcdfktbkmxsxit25wv7w6yt22r7kwjuhqthq._file
Verdict:
malicious
Similar samples:
2ff77816fa6b9e2fdbc630e06a003b09228f39887f8dfea7f8020d9346bd2324
RaccoonStealer
32acadd5cb9e6594707c809f7b63261b93966ace27204fc22c114d67c9196383
RaccoonStealer
3452c19700d3f2ec14d731a042a1b86e19869bdc481b0c35c6fab9a48e2a53a2
RaccoonStealer
38fd2cb3083f33b50606b7821453769103bde2433573499a514452e102cb95df
RaccoonStealer
4c89265179f2471e24688ac126c541886173be7773617450b0849cb48a5a293d
RaccoonStealer
96b71515cdcecab1e0ba69bfc967794c82167c253072c81a5cd511f0a1e61443
RaccoonStealer
9777f2cf04e2600693817b4a63dface6a20ff7dd6bb04dca2af027c510318c37
RaccoonStealer
ba6500d3d342ecdbca59b6c47b9b6e078bb54365ffe5be38f958983a7715645d
RaccoonStealer
bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
RaccoonStealer
daa924a51f13b11f37dac4ed05098052357d6c78816e121c9105c118692bd1a2
RaccoonStealer
+ 3'925 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:smokeloader family:vidar botnet:517 botnet:828 backdoor discovery infostealer persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210907-hjm7hacag2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detected Djvu ransomeware
Djvu Ransomware
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
185.215.113.29:8678
https://gheorghip.tumblr.com/
Unpacked files
SH256 hash:
72926f77b18124a88c12bbaec8a5c9a58c70a688e5196644a3a4ac55488dce5e
MD5 hash:
ac1ebf8391883236227202609559d948
SHA1 hash:
a874b61d132a474f49c240d09aa399dd64b15bd4
Link:
https://www.unpac.me/results/f5b7f91d-ea53-46b1-91e2-043cbe0d4084/
SH256 hash:
6ad251e42f399701cbb54886554c2a65e5744f5db57f6f627ad47eab268784cf
MD5 hash:
3550d89ccc593511ce463f3deeb42499
SHA1 hash:
938d5a744984f8a85e8da69aa0fe246bb14c3da9
Link:
https://www.unpac.me/results/f5b7f91d-ea53-46b1-91e2-043cbe0d4084/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6ad251e42f39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ad251e42f399701cbb54886554c2a65e5744f5db57f6f627ad47eab268784cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185931/

Comments