MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f894b01b3214d7d74c76a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f894b01b3214d7d74c76a6
SHA3-384 hash: 78c91f794264a6df97407127683a3519b249269ebee7a35face992ce87143bba00e40b31af2d94b624b416d0446a7efe
SHA1 hash: d1f2348e0080cffde8730b5181b1c4d4558bdbb4
MD5 hash: a0def880b3b1f9067a34dc674a8e9ad7
humanhash: bacon-golf-seventeen-october
File name:79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f89.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:283'136 bytes
First seen:2021-08-22 12:30:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3253baac7b96bb829538a388ffb0c01e (4 x RedLineStealer, 1 x RaccoonStealer, 1 x Stop)
ssdeep 3072:ZW/IyeFOky2C4mthKkFXX1v2s2NzdklvfSD7Kh8DjyfdH5OWb9Sy09O5OvW8dCpr:ZWQyel6V3RFt4N5mvfhbQi6g/iUz
Threatray 3'214 similar samples on MalwareBazaar
TLSH T109548D20A6A4C038E1F311F0557DE3BDA5297EB0AB3050CB62D626EE96376E4DC31797
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
185.180.231.69:42875

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.180.231.69:42875 https://threatfox.abuse.ch/ioc/192572/

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f89.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-22 12:32:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/87ea5bb0-efb5-4400-b1fb-5f4d0d23cf4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181235/
Detection(s):
Win.Packed.Generic-9887643-0
Create hunting rule

Win.Packed.Generic-9887679-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Reading critical registry keys
Launching a process
Setting browser functions hooks
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78d4bfb7-7bac-49f6-8fce-127e68a673c8
Result
Threat name:
Raccoon RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837040
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469471 Sample: 79cfa9dd85705b7c3453ca1959f... Startdate: 22/08/2021 Architecture: WINDOWS Score: 100 68 192.168.2.1 unknown unknown 2->68 70 ovarishean.xyz 2->70 72 api.ip.sb 2->72 92 Antivirus detection for URL or domain 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Yara detected UAC Bypass using CMSTP 2->96 98 13 other signatures 2->98 10 79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f89.exe 2->10         started        13 irefcui 2->13         started        signatures3 process4 signatures5 108 Detected unpacking (changes PE section rights) 10->108 110 Contains functionality to inject code into remote processes 10->110 112 Injects a PE file into a foreign processes 10->112 15 79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f89.exe 10->15         started        18 irefcui 13->18         started        process6 signatures7 140 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->140 142 Maps a DLL or memory area into another process 15->142 144 Checks if the current machine is a virtual machine (disk enumeration) 15->144 20 explorer.exe 14 15->20 injected 146 Creates a thread in another existing process (thread injection) 18->146 process8 dnsIp9 74 readinglistforaugust2.xyz 95.213.224.6, 80 SELECTELRU Russian Federation 20->74 76 readinglistforaugust3.xyz 212.224.105.79, 49710, 80 DE-FIRSTCOLOwwwfirst-colonetDE Germany 20->76 78 readinglistforaugust1.xyz 20->78 44 C:\Users\user\AppData\Roaming\irefcui, PE32 20->44 dropped 46 C:\Users\user\AppData\Local\Temp\B06B.exe, PE32 20->46 dropped 48 C:\Users\user\AppData\Local\Temp\9159.exe, PE32 20->48 dropped 50 4 other files (3 malicious) 20->50 dropped 100 System process connects to network (likely due to code injection or exploit) 20->100 102 Benign windows process drops PE files 20->102 104 Performs DNS queries to domains with low reputation 20->104 106 2 other signatures 20->106 25 8159.exe 80 20->25         started        30 explorer.exe 20->30         started        32 DE92.exe 20->32         started        34 6 other processes 20->34 file10 signatures11 process12 dnsIp13 80 telete.in 195.201.225.248, 443, 49711 HETZNER-ASDE Germany 25->80 82 34.135.32.61, 49712, 80 ATGS-MMD-ASUS United States 25->82 52 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 25->52 dropped 54 C:\Users\user\AppData\...\vcruntime140.dll, PE32 25->54 dropped 56 C:\Users\user\AppData\...\ucrtbase.dll, PE32 25->56 dropped 64 56 other files (none is malicious) 25->64 dropped 114 Detected unpacking (changes PE section rights) 25->114 116 Tries to steal Mail credentials (via file access) 25->116 118 Contains functionality to steal Internet Explorer form passwords 25->118 84 readinglistforaugust3.xyz 30->84 120 System process connects to network (likely due to code injection or exploit) 30->120 122 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->122 124 Performs DNS queries to domains with low reputation 30->124 126 Query firmware table information (likely to detect VMs) 32->126 128 Tries to detect sandboxes and other dynamic analysis tools (window names) 32->128 130 Hides threads from debuggers 32->130 132 Tries to detect sandboxes / dynamic malware analysis system (registry check) 32->132 36 conhost.exe 32->36         started        86 ovarishean.xyz 185.117.75.123 HSAE Netherlands 34->86 88 188.34.200.103 HETZNER-ASDE Germany 34->88 90 2 other IPs or domains 34->90 58 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 34->58 dropped 60 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 34->60 dropped 62 C:\Users\user\AppData\...\freebl3[1].dll, PE32 34->62 dropped 66 10 other files (none is malicious) 34->66 dropped 134 Tries to harvest and steal browser information (history, passwords, etc) 34->134 136 Tries to delay execution (extensive OutputDebugStringW loop) 34->136 138 Tries to steal Crypto Currency Wallets 34->138 38 conhost.exe 34->38         started        40 conhost.exe 34->40         started        42 conhost.exe 34->42         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f894b01b3214d7d74c76a6/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-08-22 10:34:13 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=phh2txmfobnxynctzimvt5vd5xjnhn6kmp4jjma3giknpv2mo2ta._file
Verdict:
malicious
Similar samples:
31452b50fe8475fa4566b814ed702c6910029ff66db45d3dbb21c2e3ed63594f
RaccoonStealer
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
RaccoonStealer
8c6e8a02877680a2b503cef0b068b452221f95e68f9131a59421ca95c4339eb2
RaccoonStealer
a7b172d3fb0092b616e486d62a628e6fa09608d9e9a54773bc34fd37f2227a3e
RaccoonStealer
b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
RaccoonStealer
ddde937fc1cac25ab3c8e7b91b4f074f8eadf1d39ca93c88be816441ee58ff41
RaccoonStealer
e410f0f20286eb82dc9ab7a184bb9743238ce872e622ae159a07e3a2d7b37103
RaccoonStealer
f034bdf1699d2bfaa76b3ba0326d4bcd0999d593b05a6b0cd146b59fa7167569
RaccoonStealer
f6a8aa29264495625e7a74ada5f3a792c06c3f9ef472e01c4761bed7d1e4ff96
RaccoonStealer
+ 3'204 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar botnet:824 botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:onyxx1 botnet:shitline backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/210822-yh8rfmtvzj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
ovarishean.xyz:80
https://eduarroma.tumblr.com/
185.180.231.69:42875
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/469925c0-b717-4aa8-aa9c-c1c503d77085/
SH256 hash:
79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f894b01b3214d7d74c76a6
MD5 hash:
a0def880b3b1f9067a34dc674a8e9ad7
SHA1 hash:
d1f2348e0080cffde8730b5181b1c4d4558bdbb4
Link:
https://www.unpac.me/results/469925c0-b717-4aa8-aa9c-c1c503d77085/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/79cfa9dd8570/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79cfa9dd85705b7c3453ca1959f6a3edd2d3b7ca63f894b01b3214d7d74c76a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181235/

Comments