MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bec2f9c52d746d49dffd22fc0cf217c87970b85d7fb4e19e908edc0eb48c16a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bec2f9c52d746d49dffd22fc0cf217c87970b85d7fb4e19e908edc0eb48c16a
SHA3-384 hash: e1f81016c2a7c5633be3412a09f1a3b07d4ee4312aee8f1b87cc95404f714da2307c843d2ac10a35f2ec4186d3be91f6
SHA1 hash: 14317e9110870d39da6864302fb56e4f073499b5
MD5 hash: 498da76c0b716a75e72b1cd604a1a719
humanhash: stairway-sodium-uncle-shade
File name:SecuriteInfo.com.W32.AIDetect.malware2.21009.30791
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:197'632 bytes
First seen:2021-10-08 12:12:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 452a573570b57080deb33a6b6e9df7c8 (3 x RedLineStealer, 3 x RaccoonStealer, 2 x DanaBot)
ssdeep 3072:mK7Kya3u8MpxyBiwJDX5L4MDO7YhljlqUwP67vy6QrCTZPwaFWnKA2wlSohhgC:mK7su5xyPXpx1hBsUwC7tTXcBl7/
Threatray 5'130 similar samples on MalwareBazaar
TLSH T16514ADA036E5C072F36F59306DB19BA14B3BBC225931858F5FB156BE1E7A2D08B25313
File icon (PE):PE icon
dhash icon 81bcdcac9cccb4a4 (3 x ArkeiStealer, 2 x RaccoonStealer, 2 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.21009.30791
Verdict:
Suspicious activity
Analysis date:
2021-10-08 12:15:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80998c14-3fe6-49aa-bc46-cfecb2ef1a51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196151/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.21009.30791.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867067
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 499491 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 78 microsoft-com.mail.protection.outlook.com 104.47.53.36, 25, 49848, 49902 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->78 80 defeatwax.ru 193.56.146.188, 443, 49857, 49899 LVLT-10753US unknown 2->80 82 5 other IPs or domains 2->82 120 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->120 122 System process connects to network (likely due to code injection or exploit) 2->122 124 Multi AV Scanner detection for submitted file 2->124 126 16 other signatures 2->126 11 SecuriteInfo.com.W32.AIDetect.malware2.21009.exe 2->11         started        14 hderwgd 2->14         started        16 svchost.exe 1 2->16         started        18 3 other processes 2->18 signatures3 process4 signatures5 136 Detected unpacking (changes PE section rights) 11->136 138 Contains functionality to inject code into remote processes 11->138 140 Injects a PE file into a foreign processes 11->140 20 SecuriteInfo.com.W32.AIDetect.malware2.21009.exe 11->20         started        23 hderwgd 14->23         started        process6 signatures7 128 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->128 130 Maps a DLL or memory area into another process 20->130 132 Checks if the current machine is a virtual machine (disk enumeration) 20->132 25 explorer.exe 18 20->25 injected 134 Creates a thread in another existing process (thread injection) 23->134 process8 dnsIp9 84 193.56.146.41, 49798, 9080 LVLT-10753US unknown 25->84 86 privacy-toolz-for-you-5000.top 5.188.88.26, 49776, 49777, 49778 PINDC-ASRU Russian Federation 25->86 88 fazanaharahe10.top 25->88 60 C:\Users\user\AppData\Roaming\hderwgd, PE32 25->60 dropped 62 C:\Users\user\AppData\Local\Temp\C58.exe, PE32 25->62 dropped 64 C:\Users\user\AppData\Local\Temp\C3D4.exe, PE32 25->64 dropped 66 7 other files (4 malicious) 25->66 dropped 142 System process connects to network (likely due to code injection or exploit) 25->142 144 Benign windows process drops PE files 25->144 146 Deletes itself after installation 25->146 148 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->148 30 C3D4.exe 25->30         started        35 30AB.exe 3 25->35         started        37 487.exe 25->37         started        39 2 other processes 25->39 file10 signatures11 process12 dnsIp13 90 91.219.236.103, 49824, 80 SERVERASTRA-ASHU Hungary 30->90 92 teletop.top 104.21.17.146, 49822, 80 CLOUDFLARENETUS United States 30->92 68 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 30->68 dropped 70 C:\Users\user\AppData\...\vcruntime140.dll, PE32 30->70 dropped 72 C:\Users\user\AppData\...\ucrtbase.dll, PE32 30->72 dropped 76 56 other files (none is malicious) 30->76 dropped 98 Detected unpacking (changes PE section rights) 30->98 100 Detected unpacking (overwrites its own PE header) 30->100 102 Tries to steal Mail credentials (via file access) 30->102 104 Tries to harvest and steal browser information (history, passwords, etc) 30->104 94 193.56.146.60, 21821, 49898 LVLT-10753US unknown 35->94 106 Query firmware table information (likely to detect VMs) 35->106 108 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->108 110 Hides threads from debuggers 35->110 112 Tries to detect sandboxes / dynamic malware analysis system (registry check) 35->112 41 conhost.exe 35->41         started        43 487.exe 37->43         started        74 C:\Users\user\AppData\Local\...\vtdbbraq.exe, PE32 39->74 dropped 114 Uses netsh to modify the Windows network and firewall settings 39->114 116 Modifies the windows firewall 39->116 118 Injects a PE file into a foreign processes 39->118 46 C58.exe 2 39->46         started        49 cmd.exe 2 39->49         started        51 cmd.exe 39->51         started        54 conhost.exe 39->54         started        file14 signatures15 process16 dnsIp17 150 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 43->150 152 Maps a DLL or memory area into another process 43->152 154 Checks if the current machine is a virtual machine (disk enumeration) 43->154 156 Creates a thread in another existing process (thread injection) 43->156 96 93.115.20.139, 28978, 49889 MVPShttpswwwmvpsnetEU Romania 46->96 56 conhost.exe 49->56         started        58 C:\Windows\SysWOW64\...\vtdbbraq.exe (copy), PE32 51->58 dropped file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bec2f9c52d746d49dffd22fc0cf217c87970b85d7fb4e19e908edc0eb48c16a/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 12:13:10 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpwc7hcs25dnjhp72ix4btzbpsdzoc4f275u4gpjbdw4b22iyfva._file
Verdict:
malicious
Similar samples:
1b18ce7b513855676ef76c17fcf6b6d492f20e197fae1090e722b43f7f5ff2df
RaccoonStealer
286b0ce53257e9ce376ceb4a6352392326f4ab868199553fac6b1f90d6a3ed33
RaccoonStealer
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
RaccoonStealer
63f6a92084e81e72720f6160287e6766e2214f489d11142a9668925c6c4616f2
RaccoonStealer
aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
RaccoonStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RaccoonStealer
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
RaccoonStealer
d0cfe54414069b464762e74a0e2c4a313e8d53a0524af9cf2c1a90582978ac9d
RaccoonStealer
d6d09e51d2e7eb9f29b4ee44530696f893ba14a7c1d119cb8f1e41cd7861eaa6
RaccoonStealer
f2edf69ca64bb435d61ded2c3ca210d1bd19952c19275b7bd65d0d707fedadaa
RaccoonStealer
+ 5'120 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 backdoor collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/211008-pdr2tsebh2/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
SmokeLoader
Malware Config
C2 Extraction:
http://fazanaharahe10.top/
http://xandelissane20.top/
http://ustiassosale30.top/
http://cytheriata40.top/
http://ggiergionard50.top/
Unpacked files
SH256 hash:
2384bfa55466572c6b776df6d320a761b053c636d9e29d75e2eaae6e12e98119
MD5 hash:
28b14b815891ae62b48159abdfbf4076
SHA1 hash:
53163b6fa19c2446aeaf146f4fb96590cf7e4257
Link:
https://www.unpac.me/results/c15e829c-2a08-43d5-9bd2-de43528b6467/
SH256 hash:
9bec2f9c52d746d49dffd22fc0cf217c87970b85d7fb4e19e908edc0eb48c16a
MD5 hash:
498da76c0b716a75e72b1cd604a1a719
SHA1 hash:
14317e9110870d39da6864302fb56e4f073499b5
Link:
https://www.unpac.me/results/c15e829c-2a08-43d5-9bd2-de43528b6467/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9bec2f9c52d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bec2f9c52d746d49dffd22fc0cf217c87970b85d7fb4e19e908edc0eb48c16a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 9bec2f9c52d746d49dffd22fc0cf217c87970b85d7fb4e19e908edc0eb48c16a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1660824/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196151/

Comments