MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 13



SHA256 hash: 7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a
SHA3-384 hash: b635a6cffe126d11a943ff7e74a81be6c727061fffee1535aa034d24d388b6d2c338b05eaa0a2f4b805ed6c43b2201ea
SHA1 hash: fa64fda0c3433678cfd7a7a15d4f916c34536ca6
MD5 hash: ac322b1440245bc82d6bb9d38d86d7fa
humanhash: leopard-summer-thirteen-arizona
File name: ac322b1440245bc82d6bb9d38d86d7fa.exe
Download: download sample
Signature: RaccoonStealer
File size: 14'385'598 bytes
First seen: 2022-01-01 11:05:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 393216:JFnWm0JpQIxu/kbL7snsJT1VKwswLYCTHO:JFV0jQIw/mcOZVV3xTO
Threatray: 992 similar samples on MalwareBazaar
TLSH: T1EAE633883FD00622DBBA8EBA2DC46B65D474B0517DD9E6BB6B3B531603C0185C2F6DD2
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
88.99.35.59:63020

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 88.99.35.59:63020
ThreatFox Reference: https://threatfox.abuse.ch/ioc/290203/

Intelligence


File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ac322b1440245bc82d6bb9d38d86d7fa.exe
Verdict:
No threats detected
Analysis date:
2022-01-01 11:07:20 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
barys overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction which causes a usermode exception
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph: Behavior Graph ID 546918, sample 9FfrM4JJzA.exe, start date 01/01/2022, architecture WINDOWS, score 100 (the rendered process/network graph is not reproduced here)
Threat name:
Win32.Trojan.Mixer
Status:
Malicious
First seen:
2021-12-28 23:58:06 UTC
File Type:
PE (Exe)
Extracted files:
495
AV detection:
27 of 42 (64.29%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:raccoon family:smokeloader family:socelars family:vidar family:xmrig botnet:915 botnet:a9912f1030c80831a4857ec7cb54b69653332c85 aspackv2 backdoor discovery miner persistence spyware stealer suricata trojan vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
XMRig Miner Payload
Process spawned unexpected child process
Raccoon
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
xmrig
Malware Config
C2 Extraction:
http://www.chosenncrowned.com/
https://mstdn.social/@kipriauk9
https://qoto.org/@kipriauk8
http://melchen-testet.at/upload/
http://zjymf.com/upload/
http://pbxbmu70275.cn/upload/
http://mnenenravitsya.ru/upload/
http://pitersprav.ru/upload/
Unpacked files
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments