MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 4 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
SHA3-384 hash: 384aeff08c760762b5de682a95616f085f5452f7eacbd8f9efd234201fe2782a3bb10585a1fb2b88098547f2f2d7b20b
SHA1 hash: 5dba8661b62ac6ef622e7e14678369c1dc94f586
MD5 hash: 2c1a477bf201d3cae1e15c81d164fb05
humanhash: glucose-south-golf-xray
File name:2c1a477bf201d3cae1e15c81d164fb05.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:292'352 bytes
First seen:2021-09-24 16:30:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d63272091af7602d3a8fe5b2f0726122 (6 x RaccoonStealer, 4 x RedLineStealer, 1 x DanaBot)
ssdeep 3072:dshKsHUPjurjKn7vtlyy9VTLVldwu0ay/MPNGGaZKYX+ZEmwCRLtDTc/h+Prm5jS:dEKlarjK7FlyChLsj9Dx0di+
Threatray 4'524 similar samples on MalwareBazaar
TLSH T16C54AF20B7E0C039F4B713FA49BA97B9A92D7AB05B3851CF52D216EA56746E0DC30347
File icon (PE):PE icon
dhash icon aad8ac9cc6a68ee0 (34 x RedLineStealer, 14 x RaccoonStealer, 11 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.204.37/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.37/ https://threatfox.abuse.ch/ioc/226142/
109.234.38.212:6677 https://threatfox.abuse.ch/ioc/226259/
135.181.142.223:30397 https://threatfox.abuse.ch/ioc/226444/
65.21.231.57:60751 https://threatfox.abuse.ch/ioc/226446/

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 14:51:42 UTC
Tags:
trojan rat redline evasion loader stealer vidar opendir
Link:
https://app.any.run/tasks/382869a7-b430-4072-aad3-df1bb0ac7b23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191218/
Detection(s):
Win.Packed.Generic-9896517-0
Create hunting rule

Win.Packed.Generic-9896519-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c979f672-acf6-4cfa-bf57-44021f6b3f01
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857471
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489902 Sample: LRHbd0abK8.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 85 185.163.204.37, 49802, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 2->85 87 t.me 149.154.167.99, 443, 49799 TELEGRAMRU United Kingdom 2->87 89 3 other IPs or domains 2->89 123 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->123 125 System process connects to network (likely due to code injection or exploit) 2->125 127 Multi AV Scanner detection for dropped file 2->127 129 17 other signatures 2->129 11 LRHbd0abK8.exe 2->11         started        14 vhtfhaw 2->14         started        16 svchost.exe 9 1 2->16         started        19 9 other processes 2->19 signatures3 process4 dnsIp5 139 Detected unpacking (changes PE section rights) 11->139 21 LRHbd0abK8.exe 11->21         started        141 Machine Learning detection for dropped file 14->141 24 vhtfhaw 14->24         started        83 127.0.0.1 unknown unknown 16->83 signatures6 process7 signatures8 131 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->131 133 Maps a DLL or memory area into another process 21->133 135 Checks if the current machine is a virtual machine (disk enumeration) 21->135 26 explorer.exe 21 21->26 injected 137 Creates a thread in another existing process (thread injection) 24->137 process9 dnsIp10 93 193.56.146.41, 49758, 9080 LVLT-10753US unknown 26->93 95 216.128.137.31, 49756, 80 AS-CHOOPAUS United States 26->95 97 4 other IPs or domains 26->97 73 C:\Users\user\AppData\Roaming\vhtfhaw, PE32 26->73 dropped 75 C:\Users\user\AppData\Local\Temp\A8E2.exe, PE32 26->75 dropped 77 C:\Users\user\AppData\Local\Temp\9E75.exe, PE32 26->77 dropped 79 8 other malicious files 26->79 dropped 143 System process connects to network (likely due to code injection or exploit) 26->143 145 Benign windows process drops PE files 26->145 147 Deletes itself after installation 26->147 149 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->149 31 68AA.exe 26->31         started        35 73D6.exe 26->35         started        37 51CA.exe 2 26->37         started        39 3 other processes 26->39 file11 signatures12 process13 file14 81 C:\Users\user\AppData\Local\...\qkgmxhzf.exe, PE32 31->81 dropped 99 Detected unpacking (changes PE section rights) 31->99 101 Detected unpacking (overwrites its own PE header) 31->101 103 Machine Learning detection for dropped file 31->103 121 2 other signatures 31->121 41 cmd.exe 31->41         started        44 cmd.exe 31->44         started        46 sc.exe 31->46         started        59 2 other processes 31->59 105 Query firmware table information (likely to detect VMs) 35->105 107 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->107 109 Hides threads from debuggers 35->109 48 conhost.exe 35->48         started        111 Antivirus detection for dropped file 37->111 113 Multi AV Scanner detection for dropped file 37->113 115 Injects a PE file into a foreign processes 37->115 50 51CA.exe 2 37->50         started        53 conhost.exe 37->53         started        117 Contains functionality to inject code into remote processes 39->117 119 Tries to detect sandboxes / dynamic malware analysis system (registry check) 39->119 55 conhost.exe 39->55         started        57 3EDE.exe 39->57         started        signatures15 process16 dnsIp17 71 C:\Windows\SysWOW64\...\qkgmxhzf.exe (copy), PE32 41->71 dropped 61 conhost.exe 41->61         started        63 conhost.exe 44->63         started        65 conhost.exe 46->65         started        91 135.181.142.223 HETZNER-ASDE Germany 50->91 67 conhost.exe 59->67         started        69 conhost.exe 59->69         started        file18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 16:31:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqyubmfd6ck5ot7cnawtvybj2tnhbjn246mfbtyepjzmtvfiqlaa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539
RaccoonStealer
47ecf9882778e09cd99f29b89aa75d4396e783c1ef5c8e931601d6c1957fb3e5
RaccoonStealer
4ce736beca7ebfdae1fca1c504ef9482ada58dbf573fd57434aef6de2b36c9d6
RaccoonStealer
6232bd70528f163b7aa8e8d76f6c4e63a0660eb112eabf2cc1859cc9e83ca755
RaccoonStealer
73d3930011ac4fb1ac1ec5b4d339c001a9892c152fbc8be47b81d8ff559018ca
RaccoonStealer
79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e
RaccoonStealer
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
RaccoonStealer
9664922ce8e322f3e2902a458b8a00f19515d2cd9c5802482e4e2d40fce8b861
RaccoonStealer
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
RaccoonStealer
fe7e25d0fd410494f9d8299439faf7d89edb627b494c882d2b33c94625c7c35c
RaccoonStealer
+ 4'514 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:servhelper family:smokeloader family:tofsee family:xmrig botnet:5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 botnet:700$ botnet:f6d7183c9e82d2a9b81e6c0608450aa66cefb51f botnet:qq botnet:russianhack backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210924-t1dvyahcej/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets service image path in registry
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Raccoon
RedLine
RedLine Payload
ServHelper
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
xmrig
Malware Config
C2 Extraction:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
135.181.142.223:30397
178.132.3.103:80
65.21.231.57:60751
109.234.38.212:6677
Unpacked files
SH256 hash:
2fead9437f15e057951fd6a02ab05076e38db13483df0191787c21c79343b9e7
MD5 hash:
1c90f3a3fcd93ee08b2154cbcff49085
SHA1 hash:
73ac881633a13c3c31c1153d8105b8ecbb60961e
Link:
https://www.unpac.me/results/8ebc323b-11a7-482f-b7f0-75e1b94ad1f7/
SH256 hash:
843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
MD5 hash:
2c1a477bf201d3cae1e15c81d164fb05
SHA1 hash:
5dba8661b62ac6ef622e7e14678369c1dc94f586
Link:
https://www.unpac.me/results/8ebc323b-11a7-482f-b7f0-75e1b94ad1f7/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/843140b0a3f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191218/

Comments