MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74f923a34a4d0703161deb822860f3aed7ccb5964aab2b3bfc5a8701533dc617. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74f923a34a4d0703161deb822860f3aed7ccb5964aab2b3bfc5a8701533dc617
SHA3-384 hash: 3a6f294cc9f7ca2d50fe3df71f90bbbadb9ac4c1912a08dd1a92fe0c8a2dcb0065a5dc336e7ed54403fce11004c01ad1
SHA1 hash: c9884abf29ecb563be071f2af8f18cf7442a108d
MD5 hash: 24adc440b6080c3f02b583d3edcb12c7
humanhash: autumn-lemon-sixteen-november
File name:24adc440b6080c3f02b583d3edcb12c7.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:341'504 bytes
First seen:2021-11-12 16:35:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 89c49e3ae23d79644984deb991645019 (2 x RaccoonStealer, 2 x RedLineStealer, 1 x Glupteba)
ssdeep 6144:XoUbrdpXxXhygtOZaGdxi0urjpLNZ8qawM91QOg:YgXxogcZaGdxi0c9LNZadTQOg
TLSH T13F747D00BAA1C035F1B216F8497A9379B53FBDE19B2490CF62D42AEE5634AD0ED31357
File icon (PE):PE icon
dhash icon 60e8e8e8aa66a489 (2 x CryptBot, 2 x RaccoonStealer, 1 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
86.107.197.248:56626

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
86.107.197.248:56626 https://threatfox.abuse.ch/ioc/247483/

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205331/
Detection(s):
Win.Malware.Generic-9908111-0
Create hunting rule

Win.Dropper.Ulise-9908333-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/618e97fa3edf00a722d094b2/reports/6a314a40-ef94-4fb6-b729-df04321995ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f35e36c6-2033-4003-8577-3b6fa2cc5214
Result
Threat name:
Raccoon RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888257
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 520731 Sample: TutoxSXknF.exe Startdate: 12/11/2021 Architecture: WINDOWS Score: 100 64 www-googletagmanager.l.google.com 2->64 66 www-google-analytics.l.google.com 2->66 68 16 other IPs or domains 2->68 120 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->120 122 Antivirus detection for URL or domain 2->122 124 Multi AV Scanner detection for submitted file 2->124 126 11 other signatures 2->126 10 TutoxSXknF.exe 2->10         started        12 hgfdbht 2->12         started        15 hwfdbht 2->15         started        signatures3 process4 signatures5 17 TutoxSXknF.exe 10->17         started        20 svchost.exe 10->20         started        136 Multi AV Scanner detection for dropped file 12->136 138 DLL reload attack detected 12->138 140 Detected unpacking (changes PE section rights) 12->140 142 Checks if the current machine is a virtual machine (disk enumeration) 12->142 144 Machine Learning detection for dropped file 15->144 22 hwfdbht 15->22         started        process6 signatures7 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->112 114 Maps a DLL or memory area into another process 17->114 116 Checks if the current machine is a virtual machine (disk enumeration) 17->116 118 Creates a thread in another existing process (thread injection) 17->118 24 explorer.exe 18 17->24 injected 29 WerFault.exe 17->29         started        process8 dnsIp9 78 216.128.137.31, 443, 49693, 49694 AS-CHOOPAUS United States 24->78 80 nusurtal4f.net 45.141.84.21, 80 MEDIALAND-ASRU Russian Federation 24->80 82 6 other IPs or domains 24->82 54 C:\Users\user\AppData\Roaming\hwfdbht, PE32 24->54 dropped 56 C:\Users\user\AppData\Roaming\hgfdbht, PE32 24->56 dropped 58 C:\Users\user\AppData\Local\Temp\F12D.exe, PE32 24->58 dropped 60 9 other malicious files 24->60 dropped 128 System process connects to network (likely due to code injection or exploit) 24->128 130 Benign windows process drops PE files 24->130 132 Deletes itself after installation 24->132 134 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->134 31 CCB0.exe 1 24->31         started        35 C746.exe 24->35         started        37 F12D.exe 2 24->37         started        40 6 other processes 24->40 file10 signatures11 process12 dnsIp13 62 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 31->62 dropped 86 Multi AV Scanner detection for dropped file 31->86 88 DLL reload attack detected 31->88 90 Detected unpacking (changes PE section rights) 31->90 106 5 other signatures 31->106 92 Query firmware table information (likely to detect VMs) 35->92 94 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->94 96 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 35->96 108 3 other signatures 35->108 42 AppLaunch.exe 35->42         started        70 45.9.20.149, 10844 DEDIPATH-LLCUS Russian Federation 37->70 98 Machine Learning detection for dropped file 37->98 110 2 other signatures 37->110 72 93.115.20.139, 28978, 49743 MVPShttpswwwmvpsnetEU Romania 40->72 74 162.159.129.233, 443, 49732, 49864 CLOUDFLARENETUS United States 40->74 76 cdn.discordapp.com 40->76 100 Antivirus detection for dropped file 40->100 102 Detected unpacking (overwrites its own PE header) 40->102 104 Contains functionality to inject code into remote processes 40->104 44 CE62.exe 40->44         started        47 EE83.exe 40->47         started        50 C2EB.exe 2 40->50         started        52 2 other processes 40->52 file14 signatures15 process16 dnsIp17 146 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->146 148 Maps a DLL or memory area into another process 44->148 150 Checks if the current machine is a virtual machine (disk enumeration) 44->150 152 Creates a thread in another existing process (thread injection) 44->152 84 telegin.top 47->84 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74f923a34a4d0703161deb822860f3aed7ccb5964aab2b3bfc5a8701533dc617/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 22:38:38 UTC
AV detection:
28 of 44 (63.64%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ot4shi2kjudqgfq55obcqyhtv3l4znmwjkvswo74lkdqcuz5yylq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:superstar backdoor discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211112-t39qdsdha2/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
Malware Config
C2 Extraction:
http://nalirou70.top/
http://xacokuo80.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
185.159.80.90:38637
185.215.113.29:36224
Unpacked files
SH256 hash:
cdb9c842ba86fc328ec80226975c54c24a3ee9868cbbaab14d2b651cc80e70e6
MD5 hash:
f7ff52793660cabb5ebd2bd4b9810336
SHA1 hash:
23e6a68262b479a1ff214b09dbfe159292475a22
Link:
https://www.unpac.me/results/4e52adb1-c21f-41c3-8fb8-739293729fc9/
SH256 hash:
74f923a34a4d0703161deb822860f3aed7ccb5964aab2b3bfc5a8701533dc617
MD5 hash:
24adc440b6080c3f02b583d3edcb12c7
SHA1 hash:
c9884abf29ecb563be071f2af8f18cf7442a108d
Link:
https://www.unpac.me/results/4e52adb1-c21f-41c3-8fb8-739293729fc9/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/74f923a34a4d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 74f923a34a4d0703161deb822860f3aed7ccb5964aab2b3bfc5a8701533dc617

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755148/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205331/

Comments