MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
SHA3-384 hash: b9a241992ccc76f0d0bf339f81db73da9979a19b753006b9a2c731e9082d0673b31f5b85e72a4d7267806d4e0fb699ee
SHA1 hash: 8d67cae338c2e3ed1211d423551b4707c820f3d2
MD5 hash: 7e482e491570380453244a9d6e4744e1
humanhash: single-juliet-stairway-massachusetts
File name:7e482e491570380453244a9d6e4744e1.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:5'632 bytes
First seen:2021-03-17 07:23:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 96:NjJcUvjOIqFQTzz3znIhXPg5+kYQfj9cFtk68aezNt:NjdOIqKzDnuHkYQfj9DE4
Threatray 518 similar samples on MalwareBazaar
TLSH 46C1E7017BE85733DAAE8B3508F2435152BFF71059538FAF74E4030AEC2619586937B2
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7e482e491570380453244a9d6e4744e1.exe
Verdict:
Malicious activity
Analysis date:
2021-03-17 07:27:07 UTC
Tags:
evasion loader trojan stealer vidar raccoon autoit
Link:
https://app.any.run/tasks/ba6bdb30-b886-4fe0-a4a2-ce5b17a18c64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45912456.24972.20144.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Launching cmd.exe command interpreter
Creating a file in the %temp% subdirectories
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP POST request
Connection attempt
Deleting a recently created file
Reading critical registry keys
Replacing files
Changing a file
Delayed writing of the file
Launching a process
Delayed reading of the file
Using the Windows Management Instrumentation requests
Searching for the window
Moving a file to the %temp% subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa70cf05-5ce2-4c0d-871e-5dc3c76d1ef0
Result
Threat name:
Raccoon Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/641778
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Raccoon Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 369863 Sample: AxR7BY4wzz.exe Startdate: 17/03/2021 Architecture: WINDOWS Score: 100 135 Antivirus detection for URL or domain 2->135 137 Antivirus detection for dropped file 2->137 139 Antivirus / Scanner detection for submitted sample 2->139 141 9 other signatures 2->141 8 AxR7BY4wzz.exe 51 40 2->8         started        13 P4spIRUgZaGsOoss8iTuROPe.exe 2->13         started        process3 dnsIp4 107 88.99.66.31 HETZNER-ASDE Germany 8->107 109 8.8.8.8 GOOGLEUS United States 8->109 111 3 other IPs or domains 8->111 73 C:\Users\...\wPJpV6wXZpyjnBMOYzxgE3t8.exe, PE32 8->73 dropped 75 C:\Users\...\vqyRFgquJpQYdckJj0BfPrUX.exe, PE32 8->75 dropped 77 C:\Users\...\vpMGcvqGNwRhELPUKhSNpM5E.exe, PE32 8->77 dropped 85 33 other malicious files 8->85 dropped 143 Drops PE files to the document folder of the user 8->143 145 Creates multiple autostart registry keys 8->145 15 P4spIRUgZaGsOoss8iTuROPe.exe 23 14 8->15         started        20 8w6LXI5bueWdFxwfxZAelq0w.exe 23 14 8->20         started        22 5KgipWM0NdZN6pmV5Q5F3keu.exe 23 14 8->22         started        24 4 other processes 8->24 79 C:\Users\...\tsvrELQL0GiGTdUNYHispThc.exe, PE32 13->79 dropped 81 C:\Users\...\r4nptuTmGxyqT0vepQ5ASCtV.exe, PE32 13->81 dropped 83 C:\Users\...\nyVEhBnLuTHl9mAuT67OpIFn.exe, PE32 13->83 dropped 87 4 other malicious files 13->87 dropped file5 signatures6 process7 dnsIp8 113 108.167.143.77 UNIFIEDLAYER-AS-1US United States 15->113 115 103.155.92.70 TWIDC-AS-APTWIDCLimitedHK unknown 15->115 123 9 other IPs or domains 15->123 55 C:\Users\...\sFw3GboLo42AxVx1X52NzrTT.exe, PE32 15->55 dropped 65 6 other malicious files 15->65 dropped 125 Drops PE files to the document folder of the user 15->125 127 Creates HTML files with .exe extension (expired dropper behavior) 15->127 129 Creates multiple autostart registry keys 15->129 26 sFw3GboLo42AxVx1X52NzrTT.exe 15->26         started        38 6 other processes 15->38 117 192.168.2.1 unknown unknown 20->117 57 C:\Users\...\zPqpYzWWxHhr6MIzRQrK6PB1.exe, PE32 20->57 dropped 67 6 other malicious files 20->67 dropped 131 Antivirus detection for dropped file 20->131 133 Machine Learning detection for dropped file 20->133 30 hp7fVzs4bdDqybEEtQI31oo5.exe 20->30         started        32 G6f8vkqjcHygLm8pRj348Spo.exe 20->32         started        41 5 other processes 20->41 119 162.159.129.233 CLOUDFLARENETUS United States 22->119 121 172.67.136.211 CLOUDFLARENETUS United States 22->121 69 7 other malicious files 22->69 dropped 34 2du8qUVfPtZ09dixu6C4Rz9A.exe 22->34         started        36 cksT5jwua3gMsVNxEMxylFvj.exe 22->36         started        43 5 other processes 22->43 59 C:\Users\...\xrcK3HeOOT2v3CjJLLEC3Jpe.exe, PE32 24->59 dropped 61 C:\Users\...\qf9Oyh55rHqk3mxe0MD92l22.exe, PE32 24->61 dropped 63 C:\Users\...\qCWBXz1GwX1UJAcgSisYUki6.exe, PE32 24->63 dropped 71 18 other malicious files 24->71 dropped 45 2 other processes 24->45 file9 signatures10 process11 dnsIp12 89 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 26->89 dropped 147 Detected unpacking (changes PE section rights) 26->147 149 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->149 151 Renames NTDLL to bypass HIPS 26->151 161 3 other signatures 26->161 153 Detected unpacking (overwrites its own PE header) 30->153 155 Contains functionality to steal Internet Explorer form passwords 30->155 157 Machine Learning detection for dropped file 34->157 101 91.214.124.126 VPSSC-ASUA Ukraine 38->101 103 104.244.76.207 PONYNETUS United States 38->103 105 3 other IPs or domains 38->105 91 C:\Users\...\8Na7FvfeZLrPja5cLMAed62A.tmp, PE32 38->91 dropped 93 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 38->93 dropped 95 C:\ProgramData\softokn3.dll, PE32 38->95 dropped 99 4 other files (none is malicious) 38->99 dropped 159 Tries to harvest and steal browser information (history, passwords, etc) 38->159 97 C:\Users\...\FEYeg6w6ruERQdMvIiRFiLm5.tmp, PE32 41->97 dropped 47 cmd.exe 41->47         started        49 conhost.exe 45->49         started        51 conhost.exe 45->51         started        53 cmd.exe 45->53         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787/
Threat name:
ByteCode-MSIL.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-03-17 02:27:51 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3zrue6xducz23qap6zdaxeofv3blq6unde7f5haeo2fjefva6dq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
RaccoonStealer
0c7591403c6672c67cd0fbb1a7d4db34a224e5388a81a82a725811999bc49b4e
RaccoonStealer
267adb8b92c06ae53186fc26b40caf4d9e1ae4893475b2d1d8f29b040c67d9b4
RaccoonStealer
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
9fd72df8cc980ea1257a11c3e64acb9b004caa7670dbe36f021615ce636b567a
RaccoonStealer
b12941d367baf1228f6d262c4696b267cd1d36e600742aaf1fee00582fe1ea07
RaccoonStealer
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
RaccoonStealer
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
RaccoonStealer
e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37
RaccoonStealer
+ 508 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader family:vidar botnet:32d5e6449b6744aa586038532e2d41d15ce4f201 backdoor bootkit discovery evasion persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/210317-wkmbg2mk9n/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Writes to the Master Boot Record (MBR)
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Sets service image path in registry
UPX packed file
Checks for common network interception software
Raccoon
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://funzel.info/upload/
http://doeros.xyz/upload/
http://vromus.com/upload/
http://hqans.com/upload/
http://vxeudy.com/upload/
http://poderoa.com/upload/
http://nezzzo.com/upload/
Unpacked files
SH256 hash:
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
MD5 hash:
7e482e491570380453244a9d6e4744e1
SHA1 hash:
8d67cae338c2e3ed1211d423551b4707c820f3d2
Link:
https://www.unpac.me/results/180b4dfa-0dc5-4fe0-9547-e49cf6b5f2b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1071309/
  
Delivery method
Distributed via web download

Comments