MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8144bba77de25af88b17f17986b4c2777174fb4c24371a30c9762fd4e243b1f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8144bba77de25af88b17f17986b4c2777174fb4c24371a30c9762fd4e243b1f2
SHA3-384 hash: 15c3e3d8f68d1cbff2b24c266fe0ea3b3adac28858b3cdf3b3363efcb7623c943b6075c03edff8ecb6810956354508e9
SHA1 hash: 73cee0055be3f756775730e7754c1cadaa40c037
MD5 hash: 9b7152517b6948e384ef399673382489
humanhash: two-moon-minnesota-oranges
File name:9b7152517b6948e384ef399673382489.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:247'808 bytes
First seen:2021-10-06 21:00:35 UTC
Last seen:2021-10-06 21:57:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7a97aff935fd5f902aa97ce23e1da74 (5 x RaccoonStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 6144:25oVsxf42ysDRAEGnBaq/9hSn0zl19pDJf:xGxf42ysDqlX9Yn0B19b
Threatray 5'049 similar samples on MalwareBazaar
TLSH T14D34AF1031D2CFF1E66346306A71D6E08B2ABE6D3A32714B37D12A5F1E3D6E1C666706
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.47.232/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.232/ https://threatfox.abuse.ch/ioc/231118/

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9b7152517b6948e384ef399673382489.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-06 21:04:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b29d0802-1f24-4185-bbc6-d21241fdc97f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195554/
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.52.15372.24140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47a2d2ae-928d-47bb-a9a8-0126d7c55648
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865890
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 498318 Sample: U57IDV7aIj.exe Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 83 defeatwax.ru 2->83 85 ckauni.ru 2->85 113 Multi AV Scanner detection for domain / URL 2->113 115 Found malware configuration 2->115 117 Antivirus detection for URL or domain 2->117 119 12 other signatures 2->119 11 U57IDV7aIj.exe 2->11         started        14 swrudvc 2->14         started        16 svchost.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 signatures5 129 Detected unpacking (changes PE section rights) 11->129 131 Contains functionality to inject code into remote processes 11->131 133 Injects a PE file into a foreign processes 11->133 20 U57IDV7aIj.exe 11->20         started        135 Multi AV Scanner detection for dropped file 14->135 137 Machine Learning detection for dropped file 14->137 23 swrudvc 14->23         started        139 Changes security center settings (notifications, updates, antivirus, firewall) 16->139 25 MpCmdRun.exe 1 16->25         started        process6 signatures7 121 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->121 123 Maps a DLL or memory area into another process 20->123 125 Checks if the current machine is a virtual machine (disk enumeration) 20->125 127 Creates a thread in another existing process (thread injection) 20->127 27 explorer.exe 8 20->27 injected 32 conhost.exe 25->32         started        process8 dnsIp9 89 193.56.146.41, 49843, 9080 LVLT-10753US unknown 27->89 91 privacy-toolz-for-you-3000.top 94.142.140.28, 49768, 49771, 49781 IHOR-ASRU Russian Federation 27->91 93 2 other IPs or domains 27->93 75 C:\Users\user\AppData\Roaming\swrudvc, PE32 27->75 dropped 77 C:\Users\user\AppData\Local\Temp\BE2E.exe, PE32 27->77 dropped 79 C:\Users\user\AppData\Local\Temp\ABFD.exe, PE32 27->79 dropped 81 2 other malicious files 27->81 dropped 149 System process connects to network (likely due to code injection or exploit) 27->149 151 Benign windows process drops PE files 27->151 153 Deletes itself after installation 27->153 155 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->155 34 922F.exe 27->34         started        37 BE2E.exe 3 27->37         started        39 D021.exe 2 27->39         started        42 ABFD.exe 2 27->42         started        file10 signatures11 process12 file13 95 Detected unpacking (changes PE section rights) 34->95 97 Machine Learning detection for dropped file 34->97 99 Injects a PE file into a foreign processes 34->99 44 922F.exe 34->44         started        101 Multi AV Scanner detection for dropped file 37->101 103 Query firmware table information (likely to detect VMs) 37->103 105 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->105 111 2 other signatures 37->111 47 conhost.exe 37->47         started        73 C:\Users\user\AppData\Local\...\dtoaugkc.exe, PE32 39->73 dropped 107 Detected unpacking (overwrites its own PE header) 39->107 49 cmd.exe 39->49         started        52 cmd.exe 39->52         started        54 sc.exe 39->54         started        56 sc.exe 39->56         started        109 Antivirus detection for dropped file 42->109 58 ABFD.exe 2 42->58         started        61 conhost.exe 42->61         started        signatures14 process15 dnsIp16 141 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->141 143 Maps a DLL or memory area into another process 44->143 145 Checks if the current machine is a virtual machine (disk enumeration) 44->145 147 Creates a thread in another existing process (thread injection) 44->147 71 C:\Windows\SysWOW64\...\dtoaugkc.exe (copy), PE32 49->71 dropped 63 conhost.exe 49->63         started        65 conhost.exe 52->65         started        67 conhost.exe 54->67         started        69 conhost.exe 56->69         started        87 93.115.20.139, 28978, 49922 MVPShttpswwwmvpsnetEU Romania 58->87 file17 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8144bba77de25af88b17f17986b4c2777174fb4c24371a30c9762fd4e243b1f2/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 21:01:06 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfclxj354jnprcyx6f4ynngco5yxj62meq3rumgjoyx5jysdwhza._file
Verdict:
malicious
Similar samples:
0091825486c2d7cfdee49e98c6795be8d32a7f50a68e0d33542b1f047fb7ed7a
RaccoonStealer
06a230f0ab409f9d41e63698b35f0bed4dad07bf3063caa97101c122474c5260
RaccoonStealer
30ac6a662fbc040f84b7cc5b940768a1ea01ed3bd8bf257c27573ba343069ecb
RaccoonStealer
4e2576cc482bc9b98a8dfd14c7a0126d8ec8d38a4ec438047072af232637f4bf
RaccoonStealer
87ac304ad10b59837156111ee42a49410f41e34af40e8c27efe62bf2e5ac4eee
RaccoonStealer
9dc2025bc582fe0ea8f8e13aa176c2b78cbf51168128f24ec228dbe7de72c9ae
RaccoonStealer
ace47e45078030efcad320ecd4636a916efbf5412786baf0865089db70fee417
RaccoonStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RaccoonStealer
d8fe055ab9b0014f88a3072a845447c161f67b5f9229dbd6760c2288b7a2333d
RaccoonStealer
eb32c6e488657eae46e3dc1ac48e1c4399af28356d6952469cd5976192fe7c57
RaccoonStealer
+ 5'039 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:2ea41939378a473cbe7002fd507389778c0f10e7 botnet:777 botnet:800 botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211006-ztwp3abhcm/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
xmrig
Malware Config
C2 Extraction:
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
93.115.20.139:28978
87.251.71.44:80
Unpacked files
SH256 hash:
592b089027938156e18387e4402b965a5f1ffc25e96d7efc3aa9331254587bdd
MD5 hash:
2dbb1eb8c40c88994738a736ad55c79b
SHA1 hash:
88e2fc9242606c7dfcd68d5da8c6d457837157a3
Link:
https://www.unpac.me/results/54e58674-a640-465e-a641-59f29f60dfc5/
SH256 hash:
8144bba77de25af88b17f17986b4c2777174fb4c24371a30c9762fd4e243b1f2
MD5 hash:
9b7152517b6948e384ef399673382489
SHA1 hash:
73cee0055be3f756775730e7754c1cadaa40c037
Link:
https://www.unpac.me/results/54e58674-a640-465e-a641-59f29f60dfc5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8144bba77de2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8144bba77de25af88b17f17986b4c2777174fb4c24371a30c9762fd4e243b1f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 8144bba77de25af88b17f17986b4c2777174fb4c24371a30c9762fd4e243b1f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1653238/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195554/

Comments