MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96ec0b44a4d0f2fa0dac3e5dccd700a6360f04ff4a44a8fbda6b5509ba6358f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96ec0b44a4d0f2fa0dac3e5dccd700a6360f04ff4a44a8fbda6b5509ba6358f7
SHA3-384 hash: 9a14e1b64b02b1ea6d4bc3bd950fcce03b46b090272f190473df6d418864e9ce9bbed845c2bd60fc6743fdab5e0a265e
SHA1 hash: 65116078fd279a40a6807f2b5db6633b69b4dbd4
MD5 hash: e063dcb77a9d10b2a1eafc8af5e2a122
humanhash: floor-magazine-november-nine
File name:E063DCB77A9D10B2A1EAFC8AF5E2A122.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:5'989'378 bytes
First seen:2021-08-14 16:21:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yDA+zXfW3hs4QBYP0P43lTcyDUDuUdNG65uLp9/KASx5IYM1EmCsrh3tJ7hyde4f:y/vWxrPyGeDuOudhSaYo1xP7hyde8
Threatray 342 similar samples on MalwareBazaar
TLSH T101563301F602B310CEB5063154BE267EABDB972B6541F3CE4AFA36DCE191254691F3CA
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.153.230.19/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.153.230.19/ https://threatfox.abuse.ch/ioc/185490/
135.181.123.52:52101 https://threatfox.abuse.ch/ioc/186204/

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E063DCB77A9D10B2A1EAFC8AF5E2A122.exe
Verdict:
No threats detected
Analysis date:
2021-08-14 16:23:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55aec827-db1f-451b-9319-7957cbc8af55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179267/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad471dad-5a2a-4cb2-8fc6-f165a946c462
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832950
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465381 Sample: zBrLL6Zeuv.exe Startdate: 14/08/2021 Architecture: WINDOWS Score: 100 137 172.67.222.125 CLOUDFLARENETUS United States 2->137 153 Antivirus detection for URL or domain 2->153 155 Antivirus detection for dropped file 2->155 157 Multi AV Scanner detection for dropped file 2->157 159 12 other signatures 2->159 13 zBrLL6Zeuv.exe 10 2->13         started        16 svchost.exe 1 2->16         started        signatures3 process4 file5 121 C:\Users\user\AppData\...\setup_installer.exe, PE32 13->121 dropped 18 setup_installer.exe 8 13->18         started        process6 file7 75 C:\Users\user\AppData\...\setup_install.exe, PE32 18->75 dropped 77 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 18->77 dropped 79 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 18->79 dropped 81 3 other files (none is malicious) 18->81 dropped 21 setup_install.exe 9 18->21         started        process8 dnsIp9 139 172.67.170.195 CLOUDFLARENETUS United States 21->139 141 127.0.0.1 unknown unknown 21->141 111 C:\Users\user\AppData\...\dc56b88fa7bd64.exe, PE32 21->111 dropped 113 C:\Users\user\AppData\...\d8209827f876d25.exe, PE32+ 21->113 dropped 115 C:\Users\user\AppData\...\ae53a1dbd6.exe, PE32 21->115 dropped 117 5 other files (4 malicious) 21->117 dropped 25 cmd.exe 21->25         started        27 cmd.exe 1 21->27         started        29 cmd.exe 1 21->29         started        31 6 other processes 21->31 file10 process11 process12 33 ae53a1dbd6.exe 25->33         started        38 dc56b88fa7bd64.exe 90 27->38         started        40 38a72d1941.exe 14 3 29->40         started        42 d8209827f876d25.exe 31->42         started        44 b7816bfa03.exe 31->44         started        46 2e80f89eab2.exe 15 8 31->46         started        48 2 other processes 31->48 dnsIp13 123 37.0.10.236 WKD-ASIE Netherlands 33->123 125 37.0.11.8 WKD-ASIE Netherlands 33->125 129 12 other IPs or domains 33->129 83 C:\Users\...\za_RjvLAgEu8IaJ49mU4Voxn.exe, PE32+ 33->83 dropped 85 C:\Users\...\xvGtkDdD96zhcXNVMQ5bCiyS.exe, PE32 33->85 dropped 87 C:\Users\...\x4GY7hLPct14aZ1dkKqmsIB4.exe, PE32 33->87 dropped 95 41 other files (34 malicious) 33->95 dropped 161 Drops PE files to the document folder of the user 33->161 163 Creates HTML files with .exe extension (expired dropper behavior) 33->163 181 2 other signatures 33->181 131 3 other IPs or domains 38->131 97 12 other files (none is malicious) 38->97 dropped 165 Detected unpacking (changes PE section rights) 38->165 167 Detected unpacking (overwrites its own PE header) 38->167 169 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 38->169 171 Tries to steal Crypto Currency Wallets 38->171 173 Query firmware table information (likely to detect VMs) 40->173 175 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->175 183 2 other signatures 40->183 133 3 other IPs or domains 42->133 89 C:\Users\user\AppData\...\fastsystem.exe, PE32+ 42->89 dropped 91 C:\Users\user\AppData\...\aaa_011[1].dll, DOS 42->91 dropped 177 Contains functionality to steal Chrome passwords or cookies 42->177 179 Drops PE files to the startup folder 42->179 135 2 other IPs or domains 44->135 93 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 44->93 dropped 50 LzmwAqmV.exe 44->50         started        127 104.21.92.87 CLOUDFLARENETUS United States 46->127 99 4 other files (none is malicious) 46->99 dropped 185 3 other signatures 48->185 53 72a3df5b6765f57.exe 48->53         started        56 explorer.exe 48->56 injected file14 signatures15 process16 dnsIp17 101 C:\Users\user\AppData\...\askinstall54.exe, PE32 50->101 dropped 103 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 50->103 dropped 105 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32+ 50->105 dropped 109 5 other files (none is malicious) 50->109 dropped 58 chrome2.exe 50->58         started        61 3002.exe 50->61         started        63 askinstall54.exe 50->63         started        66 dcc7975c8a99514da06323f0994cd79b.exe 50->66         started        143 104.21.70.98 CLOUDFLARENETUS United States 53->143 107 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 53->107 dropped 68 conhost.exe 53->68         started        file18 process19 dnsIp20 119 C:\Users\user\AppData\...\services64.exe, PE32+ 58->119 dropped 70 cmd.exe 58->70         started        73 conhost.exe 61->73         started        145 88.99.66.31 HETZNER-ASDE Germany 63->145 147 144.202.76.47 AS-CHOOPAUS United States 63->147 149 104.21.20.198 CLOUDFLARENETUS United States 66->149 151 172.67.199.196 CLOUDFLARENETUS United States 66->151 file21 process22 signatures23 187 Uses schtasks.exe or at.exe to add and modify task schedules 70->187
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96ec0b44a4d0f2fa0dac3e5dccd700a6360f04ff4a44a8fbda6b5509ba6358f7/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 02:27:32 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3wawrfe2dzpudnmhzo4zvyauy3a6bh7jjckr662nnkqtotdld3q._file
Verdict:
unknown
Similar samples:
088559f2192fe04ad85f83e1a3ac931f2bdbb5a88b4146154858d00c40b4b551
RaccoonStealer
0df9cc018e5258e289ffea0bb4137ae6f0bc8fe85b48b544520c7dae95453f68
RaccoonStealer
205b3ed8bb5aaa874ef73d4a47206b16a42397e7d77422936dfa6eb39f038ab6
RaccoonStealer
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
RaccoonStealer
c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed
RaccoonStealer
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
RaccoonStealer
f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2
RaccoonStealer
+ 332 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:916 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210814-z88j51j8jj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Unpacked files
SH256 hash:
207056003b4b6e55dfe2557a2d1ca119c7785cfe626328a4a8c74323238933e9
MD5 hash:
4955a27a03f35933fdbd801f425b6c58
SHA1 hash:
97f3b8f33fd1a49cf9db5a246d996047beef3c12
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
Parent samples :
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
f1e1b516a83f303659e53d513c9c3da9dfd466f40b96f8de86ca37ce9544d234
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
6fe608e07ec1a73a9fa3e1457078afd907810f1faba32666786d141af3be0568
MD5 hash:
6e088927a17d87c498f7011b1e26fa3a
SHA1 hash:
7f58e9a788c520a7c299af00f97252ce3c4d7131
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
Parent samples :
365f984abe68ddd398d7b749fb0e69b0f29daf86f0e3e39af3573bb78a265eb9
ab948f038175411dc326a1aad83df48d6b656325015518b07535d22e3dae8bbb
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
SH256 hash:
0d017311cfc1554b76481b6b0d40d1c150c1a0aedcda302f513c01de0b1f4e4c
MD5 hash:
fcce864840d6700d71a8d68668d7a538
SHA1 hash:
fef82b13a6565e5da4eaf24ce6566c513c6a58fd
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
MD5 hash:
0965da18bfbf19bafb1c414882e19081
SHA1 hash:
e4556bac206f74d3a3d3f637e594507c30707240
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409
MD5 hash:
181f1849ccb484af2eebb90894706150
SHA1 hash:
45dee946a7abc9c1c05d158a05e768e06a0d2cdc
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash:
c0d18a829910babf695b4fdaea21a047
SHA1 hash:
236a19746fe1a1063ebe077c8a0553566f92ef0f
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
0cce0abd453bacf4c279dca615309ff86b2d9fab334eb1c03c8ab6a133f7a541
MD5 hash:
033b50c3ee8901aa17c1230b61e5df17
SHA1 hash:
8cb76d3a22030f8d872b3e7478302e1b76c82bd8
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
45b394c9e821ee4c6bad3d3c0ed53f41439b1f68486f0943beb0dbf880b6e88b
MD5 hash:
30dd971efae3df99ad2bf6fea7cc5125
SHA1 hash:
5c3897c04d74d1178c40919fc65e21c09282d51a
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
MD5 hash:
83cc20c8d4dd098313434b405648ebfd
SHA1 hash:
59b99c73776d555a985b2f2dcc38b826933766b3
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
8ce4ec3896d4106a1c265497d4d0c4675a0904e4e84bf40526efc07c06fbdc79
MD5 hash:
f660623c8baf5ee21a93cb15f5541113
SHA1 hash:
393a08e1cd745c5454c2d7aa2772ed090859ca4a
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
063d7e5c229d67493efb9d389ae87624fe8fae65ff1faefb9cf9a5ec9dc3ba12
MD5 hash:
e8e08544f4898f0e0e5f89fd38c2a65e
SHA1 hash:
f1f1281fc62dffa7eb55c1160b23a2d5bae87a4e
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
SH256 hash:
96ec0b44a4d0f2fa0dac3e5dccd700a6360f04ff4a44a8fbda6b5509ba6358f7
MD5 hash:
e063dcb77a9d10b2a1eafc8af5e2a122
SHA1 hash:
65116078fd279a40a6807f2b5db6633b69b4dbd4
Link:
https://www.unpac.me/results/feb897cd-cddc-4646-865a-66a680f6baa8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/96ec0b44a4d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96ec0b44a4d0f2fa0dac3e5dccd700a6360f04ff4a44a8fbda6b5509ba6358f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179267/

Comments