MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA3-384 hash:	e7612c5ce3ad4f6405595d66a5753f330805774ad5c0971c567391aa5c94386ca0a8cb208b5fe6bbf05c629d0cc9a76c
SHA1 hash:	db0894463edf3ac11e5ca4b4584e8f10d75810f6
MD5 hash:	7009fb80a52366b6c2cd8ec052a65791
humanhash:	queen-georgia-island-virginia
File name:	767C546DECF6F669263E4A0A87A0F5D92234E031E9A0D.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'633'280 bytes
First seen:	2022-01-06 20:36:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5593da1f9a01d8f98a484ea81b113ac8 (1 x Tofsee, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep	49152:IldcuFGnuxWiOuRg/iyFzb2QN83XfeYav:IldhGnuxWiOl/hNOmB
Threatray	512 similar samples on MalwareBazaar
TLSH	T126754B31E200C239E8E725F556BD3A79356CAA71470439C72BC81EF99B222D97E3416F
File icon (PE):
dhash icon	e8d959ccc866e6c3 (3 x RaccoonStealer, 2 x CoinMiner, 1 x Tofsee)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
154.82.111.44:12391

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
154.82.111.44:12391	https://threatfox.abuse.ch/ioc/291626/

Intelligence

File Origin

# of uploads :

# of downloads :

218

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://package.avira.com/download/spotlight-windows-bootstrapper/avira_en_sptl1_abea7be69ff5a356__phpws-spotlight-release.exe

Verdict:

Malicious activity

Analysis date:

2021-09-10 04:26:18 UTC

Tags:

evasion trojan rat azorult stealer raccoon fareit pony loader

Link:

https://app.any.run/tasks/70d91ec1-8e31-47a7-8dc1-864998d4b9bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PredatorTheThief

Link:

https://www.capesandbox.com/analysis/217608/

Detection(s):

Win.Malware.Zusy-9891357-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file

Reading critical registry keys

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Sending an HTTP GET request

Blocking the Windows Defender launch

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed zusy

Link:

https://www.filescan.io/uploads/61d752f01c0d769df9d3d440/reports/2966790e-1b77-4ab6-bedb-406abb8d7cb4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/020d8284-a2a9-492d-879c-def39d4dec3f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/916520

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Connects to a pastebin service (likely for C&C)

Contains functionality to inject threads in other processes

Disable Windows Defender real time protection (registry)

Downloads files with wrong headers with respect to MIME Content-Type

Found C&C like URL pattern

Machine Learning detection for dropped file

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255/

Threat name:

Win32.Downloader.SmallAgent

Status:

Malicious

First seen:

2021-09-07 21:48:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 28 (100.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oz6fi3pm633gsjr6jifipihv3erdjybr5gqn4nzt7kkuvdz6ajkq._file

Verdict:

malicious

RaccoonStealer

4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7

RaccoonStealer

62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720

RaccoonStealer

780426de24ae46f300fdaf9cbf597c8f2164f7b6c525c0bbcc07dca087be768c

RaccoonStealer

951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c

RaccoonStealer

c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347

RaccoonStealer

ccfd37710068b3998537ac325e29555ba9375ebf1230cf90e9dcf133e06bcdf3

RaccoonStealer

+ 502 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1114 evasion spyware stealer trojan upx

Link:

https://tria.ge/reports/220106-zd5b9sbfa3/

Behaviour

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

NirSoft WebBrowserPassView

Nirsoft

Vidar Stealer

Modifies Windows Defender Real-time Protection settings

Vidar

Malware Config

C2 Extraction:

https://qoto.org/@banda4ker
https://c.im/@banda3ker

Unpacked files

SH256 hash:

767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255

MD5 hash:

7009fb80a52366b6c2cd8ec052a65791

SHA1 hash:

db0894463edf3ac11e5ca4b4584e8f10d75810f6

Link:

https://www.unpac.me/results/5147528c-bc9e-4583-9340-d419c69fa19d/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/767c546decf6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/217608/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample