MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5
SHA3-384 hash: ff503d350ff8ddb45fa19e0557550a0e16d52d4c2167f20de3fbd8f3038bd4dc8c777f3a1301f7cb809e320ee075d800
SHA1 hash: 74e3fdbaab01c95295a466f520767b0bc7a681ab
MD5 hash: f201b12e3cb2a1817ab645155746e935
humanhash: two-failed-london-jupiter
File name:F201B12E3CB2A1817AB645155746E935.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:3'992'008 bytes
First seen:2021-06-10 03:40:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:UbfbJTaFymi7g2Tx/KNLzkyZ9DBXS047Cz:UD98e7gccNL7jDJxv
Threatray 768 similar samples on MalwareBazaar
TLSH 69063342BDC09572E97109324D28AB25613D7E101E28DEFFA3E4AE5999340D0FB35BB7
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
141.136.0.74:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
141.136.0.74:80 https://threatfox.abuse.ch/ioc/85595/

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F201B12E3CB2A1817AB645155746E935.exe
Verdict:
Malicious activity
Analysis date:
2021-06-10 09:06:08 UTC
Tags:
evasion autoit trojan
Link:
https://app.any.run/tasks/19a79549-e1d1-4b07-be65-b78cb91f51a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165737/
Detection(s):
Win.Malware.Generic-9866235-0
Create hunting rule

Win.Malware.Nymeria-9869693-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending an HTTP GET request
Deleting a recently created file
Creating a process with a hidden window
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Connecting to a non-recommended domain
Running batch commands
Connection attempt
Sending an HTTP POST request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Setting a single autorun event
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/799945
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 432341 Sample: Yl6482CO6U.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 112 142.251.37.4 GOOGLEUS United States 2->112 144 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->144 146 Multi AV Scanner detection for domain / URL 2->146 148 Antivirus detection for dropped file 2->148 150 15 other signatures 2->150 10 Yl6482CO6U.exe 1 14 2->10         started        13 iexplore.exe 2->13         started        signatures3 process4 file5 86 C:\Users\user\Desktop\pub2.exe, PE32 10->86 dropped 88 C:\Users\user\Desktop\jg3_3uag.exe, PE32 10->88 dropped 90 C:\Users\user\Desktop\KRSetp.exe, PE32 10->90 dropped 92 5 other files (1 malicious) 10->92 dropped 15 Folder.exe 10->15         started        18 KRSetp.exe 15 8 10->18         started        22 IDWCH1.exe 10->22         started        26 5 other processes 10->26 24 iexplore.exe 13->24         started        process6 dnsIp7 94 C:\Users\user\AppData\Local\...\install.dll, PE32 15->94 dropped 106 2 other files (none is malicious) 15->106 dropped 28 rundll32.exe 15->28         started        31 conhost.exe 15->31         started        114 topnewsdesign.xyz 104.21.69.75, 443, 49742 CLOUDFLARENETUS United States 18->114 96 C:\Users\user\AppData\Roaming\3200525.exe, PE32 18->96 dropped 98 C:\Users\user\AppData\Roaming\2249116.exe, PE32 18->98 dropped 108 2 other files (none is malicious) 18->108 dropped 152 Detected unpacking (changes PE section rights) 18->152 154 Detected unpacking (overwrites its own PE header) 18->154 156 Performs DNS queries to domains with low reputation 18->156 33 3200525.exe 18->33         started        36 2249116.exe 18->36         started        39 7703180.exe 18->39         started        41 2424263.exe 18->41         started        100 C:\Users\user\AppData\Local\...\IDWCH1.tmp, PE32 22->100 dropped 43 IDWCH1.tmp 22->43         started        116 www.listincode.com 144.202.76.47, 443, 49738 AS-CHOOPAUS United States 26->116 118 101.36.107.74, 49735, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 26->118 120 8 other IPs or domains 26->120 102 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 26->102 dropped 104 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 26->104 dropped 110 2 other files (1 malicious) 26->110 dropped 158 DLL reload attack detected 26->158 160 Drops PE files to the document folder of the user 26->160 162 Renames NTDLL to bypass HIPS 26->162 164 Checks if the current machine is a virtual machine (disk enumeration) 26->164 45 jfiag3g_gg.exe 26->45         started        47 3 other processes 26->47 file8 signatures9 process10 dnsIp11 168 Contains functionality to infect the boot sector 28->168 170 Contains functionality to inject threads in other processes 28->170 172 Contains functionality to inject code into remote processes 28->172 184 5 other signatures 28->184 49 svchost.exe 28->49 injected 60 C:\Users\user\AppData\...\WinHoster.exe, PE32 33->60 dropped 174 Detected unpacking (changes PE section rights) 33->174 176 Detected unpacking (overwrites its own PE header) 33->176 178 Creates multiple autostart registry keys 33->178 122 videoconvert-download12.xyz 104.21.76.97, 443, 49747 CLOUDFLARENETUS United States 36->122 74 7 other files (none is malicious) 36->74 dropped 180 Performs DNS queries to domains with low reputation 36->180 124 104.21.81.186 CLOUDFLARENETUS United States 39->124 62 C:\ProgramData\65\vcruntime140.dll, PE32 39->62 dropped 64 C:\ProgramData\65\sqlite3.dll, PE32 39->64 dropped 76 5 other files (none is malicious) 39->76 dropped 126 limesfile.com 198.54.126.101, 49746, 80 NAMECHEAP-NETUS United States 43->126 66 C:\Users\user\...\8__________________67.exe, PE32 43->66 dropped 68 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 43->68 dropped 70 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 43->70 dropped 72 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 43->72 dropped 52 8__________________67.exe 43->52         started        182 Tries to harvest and steal browser information (history, passwords, etc) 45->182 file12 signatures13 process14 dnsIp15 136 System process connects to network (likely due to code injection or exploit) 49->136 138 Sets debug register (to hijack the execution of another thread) 49->138 140 Modifies the context of a thread in another process (thread injection) 49->140 56 svchost.exe 49->56         started        128 198.54.116.159 NAMECHEAP-NETUS United States 52->128 130 2.20.142.209 AKAMAI-ASN1EU European Union 52->130 132 2 other IPs or domains 52->132 78 C:\Users\user\AppData\...\Pawybaexoqi.exe, PE32 52->78 dropped 80 C:\Users\user\AppData\...\Byrokezhuga.exe, PE32 52->80 dropped 82 C:\Program Files (x86)\...\Rafupavezhe.exe, PE32 52->82 dropped 84 4 other files (3 malicious) 52->84 dropped 142 Creates multiple autostart registry keys 52->142 file16 signatures17 process18 dnsIp19 134 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 56->134 166 Query firmware table information (likely to detect VMs) 56->166 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 11:16:53 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ooaqrylfdxvwybhaljfcnaebskbugmmj574tijvfn2buhanv4s2q._file
Verdict:
malicious
Similar samples:
2c32dcb54c310daf509527d74de8ab4cb7b45425fa543a5df22afd1e9bd00fd5
RaccoonStealer
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
RaccoonStealer
541ebfa6dd694728edd3cf536a13c739179edadcd880e7c28e074b60da1bcac8
RaccoonStealer
6a966d8a8bc18b016f35a159c110eb8dd5527b83e39db5fa7300e4634c9cb096
RaccoonStealer
a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13
RaccoonStealer
b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b
RaccoonStealer
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
RaccoonStealer
e6e11a92390d1e01775514d1a4f047f5b94471070a07bf82b6e9fe5c547d55a8
RaccoonStealer
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
RaccoonStealer
ffecd6261932159067dd93f5c1df26f8da517f37ded13d122db853c1c84e7924
RaccoonStealer
+ 758 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:elysiumstealer family:plugx family:raccoon family:redline family:smokeloader family:vidar backdoor bootkit discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210610-lglx46yndn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Accesses 2FA software files, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
ElysiumStealer
PlugX
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Unpacked files
SH256 hash:
e77cdc6d91da7a5293f4b9ec11524dd8302c63b44d3aa2eaa5ea6691e5216237
MD5 hash:
2724973fee4e3d0f9e3da19e32be212c
SHA1 hash:
632e40eece8d06f9d8bcb88488ecfe34b608ead3
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
111653974d68833836a9e851cfaf04878deb7fef2e71f77c6481eda75ac7134e
MD5 hash:
01eac0173a72a3cfaa28bc068a367d4c
SHA1 hash:
8ff84dacccf456c35661461d6e33a16f2816326a
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash:
a7732204d9c883a4373c8b615c97de43
SHA1 hash:
017de30fc0647908eb8dd532982ce6644fb13e59
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
1bb1e726362311c789fdfd464f12e72c279fb3ad639d27338171d16e73360e7c
MD5 hash:
428557b1005fd154585af2e3c721e402
SHA1 hash:
3fc4303735f8355f787f3181d69450423627b5c9
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
23727008a6d11e05b25c30e50482fa3c2a1e8a5cb5a5e81d1a40ada85744eab4
MD5 hash:
8b1a9c380ee1595abe220455a5e678e7
SHA1 hash:
cddc8c68c0da0dfab5fc0545e14c93f2801cae38
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
1badef9c89d708a864b0f9fc7cc036601e3f9ea88ea50545647a5c76e59a5e65
MD5 hash:
0c969ac813005e77997ea50a2451d3f5
SHA1 hash:
d2330287caa11e8979fb2c6454aa844fe8edb88a
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
60b476d8f13ab19f881ef203722bb668648dcd60735bc441e89466faeab5b695
MD5 hash:
bb53dc8a50d56669547ed5d248f8be79
SHA1 hash:
a965e6fd62ed50aa91a158582c56004b2ea7b96c
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
ca66c2e83ee28ab24e69a17d363d5f5a0c552944c9223aa89cf53293d24f777e
MD5 hash:
0810820727bd1014cebdd9762340c4c3
SHA1 hash:
0b3944f15f41949ab781df9e80ed461a95696adb
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
49ad1d04a242756bea3cb7ef1285a1c2355326901ef480ccc9b41ed8b923aa4c
MD5 hash:
790565c1e8b6b638a01c90346c3f7330
SHA1 hash:
81658e0815a68da0083a913d47a8abbc9f97df27
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
Parent samples :
3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5
SH256 hash:
1286aa4cb88f0aa5d84e123b4e0dc15f4d4de5f7971a6f6ac01998c0cf63a371
MD5 hash:
50d1f99ba34afd2bb3b78197de22f781
SHA1 hash:
31a26798c199c6a2ca735b5452c52f7f23eecf6e
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
a8458c498791b1085f8aec3923d103cf2f099eb7171e1863215d70ea6285b24b
MD5 hash:
d83e4673eb5bb3b841c9b2e2ab132d2a
SHA1 hash:
1ba8f1b753b36c3557872396644ccc671ff150cf
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
SH256 hash:
738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5
MD5 hash:
f201b12e3cb2a1817ab645155746e935
SHA1 hash:
74e3fdbaab01c95295a466f520767b0bc7a681ab
Link:
https://www.unpac.me/results/424522a6-10c0-4348-aaa5-a29119053920/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/738108e1651deb6c04e05a4a2680819283433189eff93426a56e834381b5e4b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165737/

Comments