MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8303c9a626d7edb090bdd8f0d128fc887b7fa36b0dfc43a7f71dcb5b34b1bbab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

SHA256 hash: 8303c9a626d7edb090bdd8f0d128fc887b7fa36b0dfc43a7f71dcb5b34b1bbab
SHA3-384 hash: c06be24f73ff1a884cc31fe32506e6029c98a2668a03ee648ecce4eb7a4bfa0d97d0b54ee82d8dbf2cbc7783f1ffa0d0
SHA1 hash: f7addaaf851436721919294927253726b67ce17b
MD5 hash: a75ffc6ab58574119e960ec0b1f72bfd
humanhash: fifteen-mexico-tango-violet
File name: A75FFC6AB58574119E960EC0B1F72BFD.exe
Signature: RaccoonStealer
File size: 3'158'917 bytes
First seen: 2021-09-05 01:15:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xnCvLUBsg9Xr8A8IzhdMLpxytoEKyCPwpAuYxoNl:xELUCg9r8jIzMLpxyKdXuYxoT
Threatray: 494 similar samples on MalwareBazaar
TLSH: T100E5331037D9C8F2D4821032CB886BB3E1FDD39C292769C77375561F5B28CD6626AB1A
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://94.158.245.173/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/215894/

Intelligence


File Origin
# of uploads: 1
# of downloads: 158
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: A75FFC6AB58574119E960EC0B1F72BFD.exe
Verdict: No threats detected
Analysis date: 2021-09-05 01:18:47 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Launching a process
Result
Threat name: SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 477816 (Sample: hhXB3QLUty.exe, Startdate: 05/09/2021, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-01 09:35:27 UTC
AV detection: 22 of 39 (56.41%)
Threat level: 5/5

Result
Malware family: vkeylogger
Score: 10/10
Tags: family:redline family:smokeloader family:vidar family:vkeylogger botnet:706 aspackv2 backdoor infostealer keylogger stealer themida trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
VKeylogger
VKeylogger Payload
Vidar
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
https://lenko349.tumblr.com/
Dropper Extraction:
http://shellloader.com/welcome
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments