MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5
SHA3-384 hash: 68bbc356d5a9f7a4ee0f1b327a7358a2557859fee7a25617f30189218aa19a11fd53ca1c0884302620cc01efc1a41960
SHA1 hash: f63dd9cbfe36beed4c9227205f9fc330f4573338
MD5 hash: 32471f45ab82afca2523f848c39bda10
humanhash: asparagus-twelve-bulldog-venus
File name:75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:350'720 bytes
First seen:2021-11-05 06:34:32 UTC
Last seen:2021-11-05 06:35:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c19e8d727961fe75bcdcd452c23e64c (4 x RaccoonStealer, 3 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:JSwNcKfMIJVWpkrHVToqU0u0C8KJETl4BPs3B8:JFSkvHWKr1ToqU0u0C8r4BEx
TLSH T12B748C00A6A1C039F1B316F479B593B9A93E7DA1AB3450CF53D62AEE56346E0EC70707
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter Anonymous
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-05 06:37:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/684ba714-d18b-44b2-b5a8-f6b6cb22455c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202554/
Detection(s):
SecuriteInfo.com.Variant.Jaik.49059.10838.3758.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6184d099c03a81a50241bcfe/reports/8c587b28-5605-448f-ae54-76451851e917/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e51726bf-8a8c-47c8-b030-af5e1264a6fc
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/883737
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Renames NTDLL to bypass HIPS
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 516168 Sample: gbK83KlPgI.exe Startdate: 05/11/2021 Architecture: WINDOWS Score: 100 92 quadoil.ru 85.143.175.153, 443, 49832, 49861 TRADERSOFTRU Russian Federation 2->92 94 microsoft-com.mail.protection.outlook.com 40.93.212.0, 25, 49828 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->94 96 6 other IPs or domains 2->96 110 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->110 112 Multi AV Scanner detection for domain / URL 2->112 114 Antivirus detection for URL or domain 2->114 116 17 other signatures 2->116 11 gbK83KlPgI.exe 2->11         started        14 zfadmvvq.exe 2->14         started        16 svchost.exe 2->16         started        18 10 other processes 2->18 signatures3 process4 dnsIp5 152 Contains functionality to inject code into remote processes 11->152 154 Injects a PE file into a foreign processes 11->154 21 gbK83KlPgI.exe 11->21         started        156 Detected unpacking (changes PE section rights) 14->156 158 Detected unpacking (overwrites its own PE header) 14->158 160 Writes to foreign memory regions 14->160 162 Allocates memory in foreign processes 14->162 164 Changes security center settings (notifications, updates, antivirus, firewall) 16->164 24 MpCmdRun.exe 16->24         started        98 127.0.0.1 unknown unknown 18->98 166 Machine Learning detection for dropped file 18->166 26 biiawwi 18->26         started        signatures6 process7 signatures8 136 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->136 138 Maps a DLL or memory area into another process 21->138 140 Checks if the current machine is a virtual machine (disk enumeration) 21->140 142 Creates a thread in another existing process (thread injection) 21->142 28 explorer.exe 16 21->28 injected 33 conhost.exe 24->33         started        process9 dnsIp10 104 hajezey10.top 28->104 106 192.162.246.70, 49781, 80 DATACHEAP-LLC-ASRU Russian Federation 28->106 108 7 other IPs or domains 28->108 82 C:\Users\user\AppData\Roaming\tjiawwi, PE32 28->82 dropped 84 C:\Users\user\AppData\Roaming\biiawwi, PE32 28->84 dropped 86 C:\Users\user\AppData\Local\Temp\F348.exe, PE32 28->86 dropped 88 10 other malicious files 28->88 dropped 168 System process connects to network (likely due to code injection or exploit) 28->168 170 Benign windows process drops PE files 28->170 172 Deletes itself after installation 28->172 174 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->174 35 61C1.exe 28->35         started        39 382D.exe 2 28->39         started        41 BACC.exe 28->41         started        43 3 other processes 28->43 file11 signatures12 process13 dnsIp14 72 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 35->72 dropped 118 Multi AV Scanner detection for dropped file 35->118 120 DLL reload attack detected 35->120 122 Detected unpacking (changes PE section rights) 35->122 134 5 other signatures 35->134 74 C:\Users\user\AppData\Local\...\zfadmvvq.exe, PE32 39->74 dropped 124 Detected unpacking (overwrites its own PE header) 39->124 126 Machine Learning detection for dropped file 39->126 128 Uses netsh to modify the Windows network and firewall settings 39->128 130 Modifies the windows firewall 39->130 46 cmd.exe 39->46         started        49 cmd.exe 39->49         started        51 sc.exe 39->51         started        58 3 other processes 39->58 53 BACC.exe 41->53         started        100 45.9.20.149, 10844, 49856 DEDIPATH-LLCUS Russian Federation 43->100 102 cdn.discordapp.com 162.159.135.233, 443, 49819, 49831 CLOUDFLARENETUS United States 43->102 76 C:\Users\user\AppData\Local\...\ninth.vbs, ASCII 43->76 dropped 78 C:\Users\user\AppData\...\repudiations.exe, PE32 43->78 dropped 80 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 43->80 dropped 132 Detected unpacking (creates a PE file in dynamic memory) 43->132 56 wscript.exe 43->56         started        file15 signatures16 process17 file18 90 C:\Windows\SysWOW64\...\zfadmvvq.exe (copy), PE32 46->90 dropped 60 conhost.exe 46->60         started        62 conhost.exe 49->62         started        64 conhost.exe 51->64         started        144 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 53->144 146 Maps a DLL or memory area into another process 53->146 148 Checks if the current machine is a virtual machine (disk enumeration) 53->148 150 Creates a thread in another existing process (thread injection) 53->150 66 conhost.exe 58->66         started        68 conhost.exe 58->68         started        70 conhost.exe 58->70         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5/
Threat name:
Win32.Trojan.DiskWriter
Create hunting rule
Status:
Malicious
First seen:
2021-11-05 06:35:05 UTC
AV detection:
20 of 44 (45.45%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ow2s4mig7d7nismndm3bb4uanhqka2g5ivouhnlfqyh26a5txwsq._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:icedid family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:101 botnet:1cb6d1b7211b77f96ff654c9904c9c8522f8a677 botnet:23435346346 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:8f84893fac8025c5bfbe688da7bcaf1820b04ead botnet:cf8c71fed0cf0dfbee3479ea60d7e24ca157301c botnet:love botnet:superstar campaign:3055572094 backdoor banker discovery evasion infostealer miner persistence spyware stealer trojan
Link:
https://tria.ge/reports/211105-hcelsaagd6/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Core1 .NET packer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Windows security bypass
xmrig
IcedID, BokBot
Malware Config
C2 Extraction:
http://honawey70.top/
http://wijibui00.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
quadoil.ru
lakeflex.ru
93.115.20.139:28978
185.215.113.29:36224
actuallyobligat.ink
185.92.73.142:52097
91.242.229.222:21475
Unpacked files
SH256 hash:
6adf4031225d8cd75191c0af65deaa09ae21f01e6fdcc8d3b342b2f36f6743f0
MD5 hash:
c6e8f3b5e26a4cf2f571658ca81e47d7
SHA1 hash:
fe66b6b82adecb21182f281b9a2358bd60aa7fee
Link:
https://www.unpac.me/results/8fde6365-de60-4edc-a2c3-082d74fc8519/
SH256 hash:
75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5
MD5 hash:
32471f45ab82afca2523f848c39bda10
SHA1 hash:
f63dd9cbfe36beed4c9227205f9fc330f4573338
Link:
https://www.unpac.me/results/8fde6365-de60-4edc-a2c3-082d74fc8519/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/75b52e3106f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 75b52e3106f8fed4498d1b3610f28069e0a068dd455d43b565860faf03b3bda5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/202554/
  
URLhaus
https://urlhaus.abuse.ch/url/1740412/
  
Delivery method
Distributed via web download

Comments