MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12


SHA256 hash: a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce
SHA3-384 hash: 80ea0f9775f5d359e3c58bbe28f8f8d050ea750f909d8fe073f2433d6b0079757d49fda909a26e1283151873ca0c98ea
SHA1 hash: 8acd24cb9543babc8e9c22f2aafd39e0430a4602
MD5 hash: ab444e67d59822e2db238c4eb8e99d04
humanhash: sixteen-cola-jig-kansas
File name: ab444e67d59822e2db238c4eb8e99d04.exe
Signature: RaccoonStealer
File size: 198'144 bytes
First seen: 2021-10-02 15:10:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5fbfc74c3ddccb96d094c58debd98462 (10 x RedLineStealer, 2 x Tofsee, 2 x RaccoonStealer)
ssdeep: 6144:gAZlx0jVlWoPr3mRGIuT0diuCM2rAchCb:xZlsbmRGOo9hY
Threatray: 2'778 similar samples on MalwareBazaar
TLSH: T14214D05232F08A37D7A776384974E3644B3FB9636F72D64BBA04266A4E223C09D34357
dhash icon: 93f0ec96b6dcd8a3 (1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://194.180.174.82/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.174.82/
ThreatFox reference: https://threatfox.abuse.ch/ioc/229691/

Intelligence


File Origin
# of uploads: 1
# of downloads: 135
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ab444e67d59822e2db238c4eb8e99d04.exe
Verdict: Malicious activity
Analysis date: 2021-10-02 15:12:20 UTC
Tags: loader trojan opendir evasion stealer rat redline raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file in the Windows subdirectories
Deleting a recently created file
Forced system process termination
Launching a service
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Result
Threat name: Cryptbot Glupteba Raccoon RedLine
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Yara detected Autohotkey Downloader Generic
Yara detected Cryptbot
Yara detected Evader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph: [graph not reproduced in text; Behavior Graph ID: 495629, Sample: 1GkJJ0A1ut.exe, Startdate: 02/10/2021, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.RaccoonStealer
Status: Malicious
First seen: 2021-09-29 01:35:58 UTC
AV detection: 25 of 27 (92.59%)
Threat level: 5/5

Result
Malware family: redline
Score: 10/10
Tags: family:raccoon family:redline botnet:mix02.10 botnet:<unreadable, mis-encoded value> discovery evasion infostealer persistence spyware stealer themida trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.15:6043
Unpacked files
SHA256 hash: eb4c0951d2bae23fe5610e3cc4d32efdfa39d12fbe4922df1b61340cbda1942e
MD5 hash: 31b9aa52f867c7dd74f5308633ae8fcd
SHA1 hash: 7c16b4d86428e53da0a9a7b71e8c3be56c8cdfbb
SHA256 hash: a60659139ff3a9e6a4a482e060e301c83a25a02227308f6f572d79cc95c63dce
MD5 hash: ab444e67d59822e2db238c4eb8e99d04
SHA1 hash: 8acd24cb9543babc8e9c22f2aafd39e0430a4602
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.
