MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 915302500c83a08962b8f217ffc8d091ddcb17529a6a0ab5bd8ba89a2431e7d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	915302500c83a08962b8f217ffc8d091ddcb17529a6a0ab5bd8ba89a2431e7d6
SHA3-384 hash:	7e13df788a779cf433b1bf38b42195cc9d9990dea8905ca546c338f020a881fe688c84b5df648a6e792ffa8f7c6b9d69
SHA1 hash:	164448faa69cfcd500c6ac8d1735493e9e78464e
MD5 hash:	2973bac5c724e940b911d100faff3e77
humanhash:	early-floor-burger-cardinal
File name:	2973bac5c724e940b911d100faff3e77.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	348'672 bytes
First seen:	2021-12-09 06:01:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d9d9fc0ee02596fca6336fbe79f431ee (3 x RaccoonStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep	6144:RdjAWZCN5UwXsWbnrgoI363zWKL3NCJTeO:RFTusWbncoI36DWKZCY
Threatray	5'878 similar samples on MalwareBazaar
TLSH	T1F9749E00A6A0D435F5B712F85AB593BDB93E7EA16B3490CF12D416EA1B746E0EC3071B
File icon (PE):
dhash icon	b6dacabecee6baa2 (18 x RedLineStealer, 12 x Stop, 9 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.163.204.229/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.163.204.229/	https://threatfox.abuse.ch/ioc/268034/

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/212691/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.31749.19301.2308.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Searching for synchronization primitives

Sending a custom TCP request

Reading critical registry keys

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/1394/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61b19bdd47ed217c0136b2d2/reports/3fc98f6e-c86e-442c-b57c-249379d06728/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0370fbca-909d-4923-8fed-be3b38448790

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/904387

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/915302500c83a08962b8f217ffc8d091ddcb17529a6a0ab5bd8ba89a2431e7d6/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-12-09 05:05:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 45 (71.11%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sfjqeuamqoqisyvy6il77sgqsho4wf2stjvavnn5roujujbr47la._file

Verdict:

malicious

RaccoonStealer

6a48349ee2b3ea08a4a5a51aaaa9eef19ce3e5c63289d1d4b50435112e049248

RaccoonStealer

bc62ea77cc11d094fe78b54c1cb4ffde86966f3a4a2d8c7454337fbe995e0cca

RaccoonStealer

c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947

RaccoonStealer

d6b47354dff2693d279b357d0901496908922679207ebef447e78160cd45bdf3

RaccoonStealer

f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969

RaccoonStealer

+ 5'868 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:icedid family:raccoon family:redline family:smokeloader botnet:f797145799b7b1b77b35d81de942eee0908da519 campaign:3489464261 backdoor banker infostealer stealer trojan

Link:

https://tria.ge/reports/211209-grfxqaahd8/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

IcedID, BokBot

Raccoon

RedLine

RedLine Payload

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/
bgreenglobus.com

Unpacked files

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/13dde059-51b6-43b1-8675-886686693959/

Parent samples :

fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/13dde059-51b6-43b1-8675-886686693959/

Parent samples :

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/13dde059-51b6-43b1-8675-886686693959/

Parent samples :

SH256 hash:

aa58efb332d52ae6ce82e9c4a49c415f6770ac5f507687d9a4e14541b9a24b39

MD5 hash:

5377f00b02da03b3945ec949ed1fc9c8

SHA1 hash:

18fc282399eda6299a62e2fd03025fb8cf37a998

Link:

https://www.unpac.me/results/13dde059-51b6-43b1-8675-886686693959/

SH256 hash:

2de37a8a67a3dcd5d64a6ac9dd181a9103bf990ce805dd5b19c5f52eada89009

MD5 hash:

52805ec9333ba9b2249d21f05125d36f

SHA1 hash:

b23ff72632bcc921036384341e423dda48777c97

Link:

https://www.unpac.me/results/13dde059-51b6-43b1-8675-886686693959/

SH256 hash:

69dc961e913f4fb11d6f4b499bd78110f559141af4b4fc311c9253c332ffcd9e

MD5 hash:

f4ed5b3e4add1ba8ab2f08e664364a26

SHA1 hash:

1a57810d179b68f8c013c09060262bec6838d73d

Link:

https://www.unpac.me/results/13dde059-51b6-43b1-8675-886686693959/

SH256 hash:

915302500c83a08962b8f217ffc8d091ddcb17529a6a0ab5bd8ba89a2431e7d6

MD5 hash:

2973bac5c724e940b911d100faff3e77

SHA1 hash:

164448faa69cfcd500c6ac8d1735493e9e78464e

Link:

https://www.unpac.me/results/13dde059-51b6-43b1-8675-886686693959/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/915302500c83a08962b8f217ffc8d091ddcb17529a6a0ab5bd8ba89a2431e7d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

exe 915302500c83a08962b8f217ffc8d091ddcb17529a6a0ab5bd8ba89a2431e7d6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1865883/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1856795/

Cape

https://www.capesandbox.com/analysis/212691/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample