MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e
SHA3-384 hash: 86360b15ce95a2c3418247897c4a6167dc37ed08dd9216daeb86b32e32ea4e8ff5adeed98985060cb07d8684a558efdb
SHA1 hash: 0bc1e9f96133a3c7097b6d12ab821a56a21d6c7e
MD5 hash: b484efa22535df53c8d90a8a9e1ca9fd
humanhash: seven-bakerloo-london-uranus
File name:SecuriteInfo.com.W32.AIDetect.malware1.22628.10737
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:289'792 bytes
First seen:2021-09-23 01:00:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f74a0f3da1e112835a6ac32552c0a4d2 (9 x RedLineStealer, 5 x ArkeiStealer, 4 x RaccoonStealer)
ssdeep 3072:guLi+WieM+oNjGUpagcbJD1qIXH/x09ZOycLIAVahKRgn9Sf/ycRjUzX8j1:gkiu0oVp8bJZLX/iWahIg9SScRwX
Threatray 1'693 similar samples on MalwareBazaar
TLSH T1EC547C10B6F0C034F2F712BA59BA83B8A93A7DB16B7495CF62D41AEA56746D0DC30353
File icon (PE):PE icon
dhash icon aad8ac9cc6a68ee0 (34 x RedLineStealer, 14 x RaccoonStealer, 11 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.22628.10737
Verdict:
Suspicious activity
Analysis date:
2021-09-23 01:05:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1dd237b1-564d-4c8a-8074-49ccfc3cfe83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190441/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.22628.10737.UNOFFICIAL
Create hunting rule

Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/439b00d1-2c67-4455-a091-5b1917f65ffc
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856090
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488518 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 86 www.twitter.com 2->86 88 www.facebook.com 2->88 90 6 other IPs or domains 2->90 108 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->108 110 Antivirus detection for dropped file 2->110 112 Multi AV Scanner detection for submitted file 2->112 114 16 other signatures 2->114 11 SecuriteInfo.com.W32.AIDetect.malware1.22628.exe 2->11         started        14 fwrseti 2->14         started        16 svchost.exe 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 146 Detected unpacking (changes PE section rights) 11->146 21 SecuriteInfo.com.W32.AIDetect.malware1.22628.exe 11->21         started        148 Multi AV Scanner detection for dropped file 14->148 150 Machine Learning detection for dropped file 14->150 24 fwrseti 14->24         started        152 Changes security center settings (notifications, updates, antivirus, firewall) 16->152 26 MpCmdRun.exe 1 16->26         started        92 127.0.0.1 unknown unknown 18->92 94 192.168.2.1 unknown unknown 18->94 signatures6 process7 signatures8 138 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->138 140 Maps a DLL or memory area into another process 21->140 142 Checks if the current machine is a virtual machine (disk enumeration) 21->142 28 explorer.exe 9 21->28 injected 144 Creates a thread in another existing process (thread injection) 24->144 33 conhost.exe 26->33         started        process9 dnsIp10 102 216.128.137.31, 80 AS-CHOOPAUS United States 28->102 104 privacy-toolz-for-you-403.top 194.87.234.157, 49739, 49740, 49741 MTW-ASRU Russian Federation 28->104 106 2 other IPs or domains 28->106 76 C:\Users\user\AppData\Roaming\fwrseti, PE32 28->76 dropped 78 C:\Users\user\AppData\Local\Temp\B4AF.exe, PE32 28->78 dropped 80 C:\Users\user\AppData\Local\Temp\8CE3.exe, PE32 28->80 dropped 82 2 other malicious files 28->82 dropped 154 System process connects to network (likely due to code injection or exploit) 28->154 156 Benign windows process drops PE files 28->156 158 Deletes itself after installation 28->158 160 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->160 35 B4AF.exe 3 28->35         started        39 8CE3.exe 2 28->39         started        41 7FF1.exe 28->41         started        43 6 other processes 28->43 file11 signatures12 process13 dnsIp14 96 188.124.36.242 SELECTELRU Russian Federation 35->96 116 Multi AV Scanner detection for dropped file 35->116 118 Detected unpacking (changes PE section rights) 35->118 120 Query firmware table information (likely to detect VMs) 35->120 136 2 other signatures 35->136 46 conhost.exe 35->46         started        122 Antivirus detection for dropped file 39->122 124 Machine Learning detection for dropped file 39->124 126 Injects a PE file into a foreign processes 39->126 48 8CE3.exe 2 39->48         started        51 conhost.exe 39->51         started        128 Contains functionality to inject code into remote processes 41->128 53 7FF1.exe 41->53         started        98 185.163.45.42, 49867, 80 MIVOCLOUDMD Moldova Republic of 43->98 100 t.me 149.154.167.99, 443, 49866 TELEGRAMRU United Kingdom 43->100 72 C:\Users\user\AppData\Local\...\wmhtnzdv.exe, PE32 43->72 dropped 74 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 43->74 dropped 130 Detected unpacking (overwrites its own PE header) 43->130 132 Tries to detect sandboxes and other dynamic analysis tools (window names) 43->132 134 Tries to harvest and steal browser information (history, passwords, etc) 43->134 55 cmd.exe 43->55         started        58 cmd.exe 43->58         started        60 powershell.exe 43->60         started        62 3 other processes 43->62 file15 signatures16 process17 dnsIp18 84 135.181.142.223, 30397, 49852 HETZNER-ASDE Germany 48->84 70 C:\Windows\SysWOW64\...\wmhtnzdv.exe (copy), PE32 55->70 dropped 64 conhost.exe 55->64         started        66 conhost.exe 58->66         started        68 conhost.exe 60->68         started        file19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-22 23:58:33 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=phpwpr7pvm43tnatyccewwfylf6df73yoarfxpa5fyyaifxmlnha._file
Verdict:
malicious
Similar samples:
04b094e1e2f34f1382df94fa610e9e74a74e6a73c8b755285a70f60da73b392d
RaccoonStealer
286ac923f7619b720847b3820652ca94b3b09ee4885e581ced04e8f1395713b9
RaccoonStealer
2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf
RaccoonStealer
6627c9361e155d9298742a38e549d7fda3a06196bdcbdcf679217b663753e9e1
RaccoonStealer
6913c25f5eff616fd043909d0a96175b498d9a1dd74a1743d6a3296a175c902f
RaccoonStealer
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
RaccoonStealer
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
RaccoonStealer
ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
RaccoonStealer
fc7e2d14aca1c37d3ca70c37f23183eb96da7b8db3361b8bfe15dc3a16f71c25
RaccoonStealer
fe7e25d0fd410494f9d8299439faf7d89edb627b494c882d2b33c94625c7c35c
RaccoonStealer
+ 1'683 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:qq botnet:uralogi backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210923-bc8fjagfgr/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)
xmrig
Malware Config
C2 Extraction:
http://hamilaharr6.top/
http://bartanayane7.top/
http://zesiahavie8.top/
http://hancarlenei9.top/
http://samillavakiv10.top/
http://feryleromand11.top/
http://ubrianella12.top/
http://hepryceeaaa13.top/
http://viahalexandy14.top/
http://wenataliana15.top/
http://gfdgashgsjdfhgjhsdf.space/
http://gfdghfsdfghfdegr.space/
http://gfdjgh4re3rfds.space/
http://gfdhjdsjhgsdhgfjfsdhj.space/
http://gdfhjgfhdjghjashjgdf.space/
http://gfdjgdfjgdhfbg.space/
http://gfdkjgdfhughrue.space/
http://gfdsjgsuhdgurur.space/
http://ryewrewthxjsfhydfbsd.space/
135.181.142.223:30397
94.26.249.88:23619
Unpacked files
SH256 hash:
14cd529ab1a67eeed2fdf0fe71a08b9dc8ecf61384072f676b4ff9ec3ef8fe74
MD5 hash:
125ecb7456bb5a2c5c724c2eca56f87e
SHA1 hash:
982aaa66cda8c0500e0811aa9e447cba4f0752ff
Link:
https://www.unpac.me/results/289394c4-b197-4619-8b4d-3610a9e6c5e7/
SH256 hash:
79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e
MD5 hash:
b484efa22535df53c8d90a8a9e1ca9fd
SHA1 hash:
0bc1e9f96133a3c7097b6d12ab821a56a21d6c7e
Link:
https://www.unpac.me/results/289394c4-b197-4619-8b4d-3610a9e6c5e7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190441/

Comments