MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc
SHA3-384 hash: 9165359888d446c544ee1b0945269b30d226f32b20175e90417985ed55acca72fb7671bdf60ee2e040d63b274a75beb4
SHA1 hash: 04d158591858f17abd9295f481c26ae7ef771e37
MD5 hash: 28ea220f0c8f906c66e1ab5657ca0260
humanhash: india-helium-freddie-london
File name:28ea220f0c8f906c66e1ab5657ca0260.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:275'456 bytes
First seen:2021-09-20 13:10:59 UTC
Last seen:2021-09-20 14:25:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7273bdafbe151bbfd9b7057bf9d812ba (2 x RaccoonStealer, 2 x DanaBot, 1 x CryptBot)
ssdeep 6144:5p7QfPWyR02IU+riqyQS6pUA28NRkkIPQ2Q95OsO:3MtR02b+rcP6pUANokIPQpk
Threatray 4'449 similar samples on MalwareBazaar
TLSH T1D0448D20A690F035E5B31EF44ABA83E8A42D7D716B2051CB62EE67EE563C6D4DC30357
File icon (PE):PE icon
dhash icon 9824e790c4e7215c (12 x RedLineStealer, 4 x Stop, 2 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://179.43.187.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://179.43.187.252/ https://threatfox.abuse.ch/ioc/223814/

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
28ea220f0c8f906c66e1ab5657ca0260.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-20 13:13:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee38968c-6d3b-4631-9dac-d9024714682d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189449/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.32294.7093.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/216b1e7f-a95f-4c3a-a185-88be61ab42ca
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854066
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486502 Sample: KOXZZJpKQQ.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 86 microsoft-com.mail.protection.outlook.com 40.93.207.0, 25, 49838 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->86 88 defeatwax.ru 193.56.146.188, 443, 49844 LVLT-10753US unknown 2->88 90 2 other IPs or domains 2->90 114 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->114 116 Multi AV Scanner detection for domain / URL 2->116 118 Antivirus detection for URL or domain 2->118 120 17 other signatures 2->120 11 KOXZZJpKQQ.exe 2->11         started        14 zpkwqcgy.exe 2->14         started        16 rwjuwtw 2->16         started        signatures3 process4 signatures5 130 Detected unpacking (changes PE section rights) 11->130 132 Contains functionality to inject code into remote processes 11->132 134 Injects a PE file into a foreign processes 11->134 18 KOXZZJpKQQ.exe 11->18         started        136 Detected unpacking (overwrites its own PE header) 14->136 138 Writes to foreign memory regions 14->138 140 Allocates memory in foreign processes 14->140 142 Multi AV Scanner detection for dropped file 16->142 144 Machine Learning detection for dropped file 16->144 21 rwjuwtw 16->21         started        process6 signatures7 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->106 108 Maps a DLL or memory area into another process 18->108 110 Checks if the current machine is a virtual machine (disk enumeration) 18->110 112 Creates a thread in another existing process (thread injection) 18->112 23 explorer.exe 8 18->23 injected process8 dnsIp9 100 216.128.137.31, 80 AS-CHOOPAUS United States 23->100 102 193.56.146.41, 49819, 9080 LVLT-10753US unknown 23->102 104 4 other IPs or domains 23->104 74 C:\Users\user\AppData\Roaming\rwjuwtw, PE32 23->74 dropped 76 C:\Users\user\AppData\Local\Temp\4459.exe, PE32 23->76 dropped 78 C:\Users\user\AppData\Local\Temp\342C.exe, PE32 23->78 dropped 80 2 other malicious files 23->80 dropped 122 System process connects to network (likely due to code injection or exploit) 23->122 124 Benign windows process drops PE files 23->124 126 Deletes itself after installation 23->126 128 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->128 28 8EB7.exe 2 23->28         started        32 342C.exe 23->32         started        34 27EE.exe 3 23->34         started        37 3 other processes 23->37 file10 signatures11 process12 dnsIp13 82 C:\Users\user\AppData\Local\...\zpkwqcgy.exe, PE32 28->82 dropped 146 Detected unpacking (changes PE section rights) 28->146 148 Detected unpacking (overwrites its own PE header) 28->148 150 Uses netsh to modify the Windows network and firewall settings 28->150 152 Modifies the windows firewall 28->152 39 cmd.exe 28->39         started        42 cmd.exe 2 28->42         started        44 sc.exe 28->44         started        56 3 other processes 28->56 154 Machine Learning detection for dropped file 32->154 46 342C.exe 32->46         started        92 188.124.36.242, 25802, 49849 SELECTELRU Russian Federation 34->92 156 Multi AV Scanner detection for dropped file 34->156 158 Query firmware table information (likely to detect VMs) 34->158 160 Hides threads from debuggers 34->160 162 Tries to detect sandboxes / dynamic malware analysis system (registry check) 34->162 49 conhost.exe 34->49         started        94 179.43.187.252, 49851, 80 PLI-ASCH Panama 37->94 96 telete.in 195.201.225.248, 443, 49840, 49850 HETZNER-ASDE Germany 37->96 84 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 37->84 dropped 164 Antivirus detection for dropped file 37->164 166 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->166 168 Tries to harvest and steal browser information (history, passwords, etc) 37->168 170 Injects a PE file into a foreign processes 37->170 51 4459.exe 2 37->51         started        54 conhost.exe 37->54         started        58 2 other processes 37->58 file14 signatures15 process16 dnsIp17 72 C:\Windows\SysWOW64\...\zpkwqcgy.exe (copy), PE32 39->72 dropped 60 conhost.exe 39->60         started        62 conhost.exe 42->62         started        64 conhost.exe 44->64         started        172 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->172 174 Maps a DLL or memory area into another process 46->174 176 Checks if the current machine is a virtual machine (disk enumeration) 46->176 178 Creates a thread in another existing process (thread injection) 46->178 98 146.70.35.170, 30905, 49859 TENET-1ZA United Kingdom 51->98 66 conhost.exe 56->66         started        68 conhost.exe 56->68         started        70 conhost.exe 56->70         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 13:11:13 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=og526gjctbk7bp66xput2evv6x5mnqfvik24uo22adklbcgm3loa._file
Verdict:
malicious
Similar samples:
198032ed08a5197c0b5ceefa0be69749d46a724b7d88915fe0762242692cb942
RaccoonStealer
9136c982fe9d870f6199002d9509f242b4a5df661f81553fd9ecbc7389e924e4
RaccoonStealer
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
RaccoonStealer
ae885f7399e866a92c723cd37afaed16c5ffc61dd48c3fc58c409bf8402729dd
RaccoonStealer
b0b88bd5ef4cb0e3197d653775e474e1adb118d000a527c7646dd3e961c475b5
RaccoonStealer
b48ed78846a0c92b08b18caee3f7edd319e9700c00f198965b25befc80b6f592
RaccoonStealer
d9d7678108e2232287ddb69fe46c5b11d6eeb39e83cb57bc229b050e481008a4
RaccoonStealer
dc9787f1ca396af3c6a84f52c1f4a1969b7d33999507f2093480071fc22e9d63
RaccoonStealer
ed57b99cc61aee7b08ab0fb6647000f8c4df08ff0350e94f1a15765021955072
RaccoonStealer
f9413fb1d83a6b6c776d29b764d28895bc7b7d878d1a9c317c3d5a00fd288a99
RaccoonStealer
+ 4'439 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:medusalocker family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:installbv botnet:installexe botnet:moneymaker backdoor discovery evasion infostealer miner persistence ransomware spyware stealer themida trojan
Link:
https://tria.ge/reports/210920-qey27sebg7/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Deletes System State backups
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Modifies extensions of user files
Sets service image path in registry
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
XMRig Miner Payload
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
xmrig
MedusaLocker
MedusaLocker Payload
Modifies WinLogon for persistence
Process spawned unexpected child process
Raccoon
Malware Config
C2 Extraction:
http://venerynnet1.top/
http://kevonahira2.top/
http://vegangelist3.top/
http://kingriffaele4.top/
http://arakeishant5.top/
146.70.35.170:30905
80.85.137.89:17954
185.244.217.166:56316
Unpacked files
SH256 hash:
61a8d403c777699f36db41e26c95ee6f29ff6cdbc4b3768bd06db2aa6bdfe2f7
MD5 hash:
cfcd9c4378e041fb0d07d607727c024b
SHA1 hash:
7e06773d4a2e07501b171e0187e2997cc7de1dac
Link:
https://www.unpac.me/results/a26a62b3-c1c3-42f5-8b08-830e36e34f44/
SH256 hash:
71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc
MD5 hash:
28ea220f0c8f906c66e1ab5657ca0260
SHA1 hash:
04d158591858f17abd9295f481c26ae7ef771e37
Link:
https://www.unpac.me/results/a26a62b3-c1c3-42f5-8b08-830e36e34f44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1612961/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189449/

Comments