MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
SHA3-384 hash: 4b6d385cb681f907f2133cda2e49fe7564b442117ca8c8edc0475b9dcde4afd9aa71ce6f7b075a54be2a7db0c14f7726
SHA1 hash: 16209f1b944fbb44ff95bad19b81243cb83d22a8
MD5 hash: 1e3212e4db3b3e3b8ad92c11af64268e
humanhash: washington-winner-kansas-chicken
File name:1e3212e4db3b3e3b8ad92c11af64268e.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:283'136 bytes
First seen:2022-01-13 15:21:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d4af36ccbaddaffd179ef41d42df9cf (3 x RedLineStealer, 2 x RaccoonStealer)
ssdeep 3072:AeCJ66rTZoEPpJMEsAR2/GJXpvMZcyF7cySWrxpzbgqru:AeQPL9R2+jvMCpuzbgwu
Threatray 927 similar samples on MalwareBazaar
TLSH T19054AE3135ECC472C3B31536B861CAA09A39F8312A65D9473754576E6E30EEC8EE631E
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
109.248.11.62:44680

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.248.11.62:44680 https://threatfox.abuse.ch/ioc/294699/

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1e3212e4db3b3e3b8ad92c11af64268e.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-13 15:35:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9fa6595-0e49-4c81-afb3-7e7335867016

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219066/
Detection(s):
Win.Trojan.Generic-9935605-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Launching a process
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4087/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware qbot
Link:
https://www.filescan.io/uploads/61e043ade997359713e6b217/reports/0c21ed72-48c5-4325-9e0f-592617c9f972/overview
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d7ea28a-e100-4dd7-abad-a444685eef3d
Result
Threat name:
Amadey RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920253
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey bot
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 552738 Sample: v8YnxUbz23.exe Startdate: 13/01/2022 Architecture: WINDOWS Score: 100 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Multi AV Scanner detection for domain / URL 2->103 105 Antivirus detection for URL or domain 2->105 107 15 other signatures 2->107 10 v8YnxUbz23.exe 2->10         started        13 fwcefwe 2->13         started        15 fwcefwe 2->15         started        17 5 other processes 2->17 process3 dnsIp4 117 Contains functionality to inject code into remote processes 10->117 119 Injects a PE file into a foreign processes 10->119 20 v8YnxUbz23.exe 10->20         started        121 Multi AV Scanner detection for dropped file 13->121 123 Machine Learning detection for dropped file 13->123 23 fwcefwe 13->23         started        125 Sample uses process hollowing technique 15->125 77 192.168.2.1 unknown unknown 17->77 25 WerFault.exe 17->25         started        signatures5 process6 signatures7 109 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->109 111 Maps a DLL or memory area into another process 20->111 113 Checks if the current machine is a virtual machine (disk enumeration) 20->113 27 explorer.exe 10 20->27 injected 115 Creates a thread in another existing process (thread injection) 23->115 process8 dnsIp9 79 185.233.81.115, 443, 49760 SUPERSERVERSDATACENTERRU Russian Federation 27->79 81 188.166.28.199, 80 DIGITALOCEAN-ASNUS Netherlands 27->81 83 10 other IPs or domains 27->83 69 C:\Users\user\AppData\Roaming\fwcefwe, PE32 27->69 dropped 71 C:\Users\user\AppData\Local\Temp\FF71.exe, PE32 27->71 dropped 73 C:\Users\user\AppData\Local\Temp\F128.exe, PE32 27->73 dropped 75 7 other malicious files 27->75 dropped 127 System process connects to network (likely due to code injection or exploit) 27->127 129 Benign windows process drops PE files 27->129 131 Deletes itself after installation 27->131 133 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->133 32 23F3.exe 27->32         started        35 9647.exe 2 27->35         started        38 6BAB.exe 3 27->38         started        40 54F.exe 27->40         started        file10 signatures11 process12 file13 85 Detected unpacking (changes PE section rights) 32->85 87 Detected unpacking (overwrites its own PE header) 32->87 89 Found evasive API chain (may stop execution after checking mutex) 32->89 99 4 other signatures 32->99 65 C:\Users\user\AppData\Local\...\acpvcviv.exe, PE32 35->65 dropped 91 Machine Learning detection for dropped file 35->91 42 cmd.exe 1 35->42         started        45 cmd.exe 2 35->45         started        47 sc.exe 35->47         started        53 2 other processes 35->53 93 Antivirus detection for dropped file 38->93 95 Multi AV Scanner detection for dropped file 38->95 97 Injects a PE file into a foreign processes 38->97 49 6BAB.exe 2 38->49         started        51 WerFault.exe 3 10 40->51         started        signatures14 process15 file16 67 C:\Windows\SysWOW64\...\acpvcviv.exe (copy), PE32 42->67 dropped 55 conhost.exe 42->55         started        57 conhost.exe 45->57         started        59 conhost.exe 47->59         started        61 conhost.exe 53->61         started        63 conhost.exe 53->63         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 15:22:20 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6y3nqrrmhmtv3jhfhrpzyznyv3xsm2b4r2vzxvkyqpyyufxnjla._file
Verdict:
malicious
Similar samples:
0dee20eae747781c183499abc341feded87a5a6325f0a9b789067d1b6377ef89
RaccoonStealer
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
RaccoonStealer
26b68718e74708840c2dcb6a54ff5b32a0cbd532e38a646cfb722ff6b2a4daf0
RaccoonStealer
65f908a0dfe5c343457bab4b68004a1b5fceb4e89c28c263ec05479eae182e9a
RaccoonStealer
767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
RaccoonStealer
8143c63631df50b95ccfc47822f808fbff228f1da4eb5e521c6352fbc678d118
RaccoonStealer
9c94f972ecd60eb36c128c60d918c691af86637919a4ff887d783a1357fbb57f
RaccoonStealer
a70760071dea52443d726965f9feef8a66848b6c6288e9354f8ca1e0e898f624
RaccoonStealer
cd8c1cf2ae3ceb9b9eb7ac717004d4586e491f00cb686047bc128d3ffc1aa89f
RaccoonStealer
e833a4e60afdb1923d7ef837e8333218f82c08bb5de60a3e565c95e5f6c61f2e
RaccoonStealer
+ 917 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:arkei family:smokeloader family:tofsee family:vidar family:xmrig botnet:565 backdoor collection discovery evasion miner persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220113-srzwdabbfn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Arkei Stealer Payload
Vidar Stealer
XMRig Miner Payload
Amadey
Arkei
SmokeLoader
Tofsee
Vidar
Windows security bypass
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
xmrig
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
patmushta.info
parubey.info
https://noc.social/@banda5ker
https://mastodon.social/@banda6ker
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/a8916333-655c-4b04-85ff-40df860da21b/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
MD5 hash:
1e3212e4db3b3e3b8ad92c11af64268e
SHA1 hash:
16209f1b944fbb44ff95bad19b81243cb83d22a8
Link:
https://www.unpac.me/results/a8916333-655c-4b04-85ff-40df860da21b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/87b1b6c23161/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1970142/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219066/

Comments