MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad609feb61006710a2e85c11ddf17586c59ad11a84fb0099c8ec0bad100682b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

SHA256 hash: ad609feb61006710a2e85c11ddf17586c59ad11a84fb0099c8ec0bad100682b0
SHA3-384 hash: 3ef24c560e9d3e0943414b10def8752d826d50faeb4309e33c45b336a884e344741469dec5ce9ce72c5775a1656b63d9
SHA1 hash: cb495f1d738540fe5a55c52c843b2fed84bc1439
MD5 hash: b7d61bf5420aca3559a44cfd8c113cc6
humanhash: pip-table-king-oranges
File name: b7d61bf5420aca3559a44cfd8c113cc6.exe
Signature: RaccoonStealer
File size: 216'576 bytes
First seen: 2021-08-30 12:40:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: be3932e3a098cfda071ebaa81fe7e38a (10 x RaccoonStealer, 4 x ArkeiStealer, 2 x RedLineStealer)
ssdeep: 3072:KxQIfLJ7qLWCRe40qxuWx5TOBg1ojmHd7cxatBgGgS/lPYxAxAj:KQULJ70Js4RwLGogFVg8FY6xA
Threatray: 10'491 similar samples on MalwareBazaar
TLSH: T1CA24BD103261F4BEDC4B55314A75EAA3562AAC706960D773360727AE1F312C0BF26FE6
dhash icon: fcfcf4f4d4dcd8c0 (26 x RaccoonStealer, 11 x RedLineStealer, 9 x Stop)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://193.38.54.196/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://193.38.54.196/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/202296/

Intelligence


File Origin
# of uploads: 1
# of downloads: 110
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b7d61bf5420aca3559a44cfd8c113cc6.exe
Verdict: Suspicious activity
Analysis date: 2021-08-30 12:43:04 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Moving a file to the Windows subdirectory
Launching a process
Creating a service
Launching a service
Searching for analyzing tools
Searching for the window
Reading critical registry keys
Deleting a recently created file
Launching the process to change the firewall settings
Setting browser functions hooks
Enabling autorun for a service
Deleting of the original file
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Raccoon RedLine SmokeLoader Tofsee Vidar
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Send many emails (e-Mail Spam)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 474328
Sample: lrnHH6LHW3.exe
Startdate: 30/08/2021
Architecture: WINDOWS
Score: 100

Sample-level DNS/IP: microsoft-com.mail.protection.outlook.com; 41.52.17.84.zen.spamhaus.org (System process connects to network (likely due to code injection or exploit); Tries to resolve many domain names, but no domain seems valid); 63 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 18 other signatures

Process tree:
lrnHH6LHW3.exe (started)
  Signatures: Detected unpacking (changes PE section rights)
  lrnHH6LHW3.exe (child, started)
    Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    explorer.exe (injected)
      DNS/IP: readinglistforaugust8.xyz; readinglistforaugust7.xyz (Tries to resolve many domain names, but no domain seems valid); 11 other IPs or domains
      Dropped: C:\Users\user\AppData\Roaming\gjhtgeh (PE32); C:\Users\user\AppData\Local\Temp\900D.exe (PE32); C:\Users\user\AppData\Local\Temp\8CB0.exe (PE32); 5 other files (4 malicious)
      Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Performs DNS queries to domains with low reputation; 4 other signatures
      883B.exe (started)
        DNS/IP: 159.69.246.184, ports 49718, 49719, 80 (HETZNER-ASDE Germany)
        Dropped: C:\Users\user\AppData\...\sqlite3[1].dll (PE32); C:\ProgramData\sqlite3.dll (PE32)
        Signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
      8481.exe (started)
        Dropped: C:\Users\user\AppData\Local\...\tfaxeddr.exe (PE32)
        Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
        cmd.exe (started)
          conhost.exe (started)
      900D.exe (started)
        Dropped: C:\Users\user\AppData\Local\Temp\3008.exe (PE32); C:\Users\user\AppData\Local\Temp\123.exe (PE32)
        Signatures: Antivirus detection for dropped file
      3 other processes
        DNS/IP: 5.181.156.120, ports 49948, 80 (MIVOCLOUDMD Moldova Republic of); telete.in 195.201.225.248, ports 443, 49888 (HETZNER-ASDE Germany)
        Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32)
        conhost.exe (started)
gjhtgeh (started)
  Signatures: Machine Learning detection for dropped file
  gjhtgeh (child, started)
    Signatures: Creates a thread in another existing process (thread injection)
svchost.exe (started)
  WerFault.exe (started)
3 other processes
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-08-30 12:41:04 UTC
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader botnet:fe582536ec580228180f270f7cb80a867860e010 backdoor discovery evasion infostealer persistence spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Unpacked files
SHA256 hash: 0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash: ad94a86355be2ad9348b88e8972e8320
SHA1 hash: 8c7ff71739a5194efc5c7bee9c37ad92a9e72646
SHA256 hash: ad609feb61006710a2e85c11ddf17586c59ad11a84fb0099c8ec0bad100682b0
MD5 hash: b7d61bf5420aca3559a44cfd8c113cc6
SHA1 hash: cb495f1d738540fe5a55c52c843b2fed84bc1439
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Signature: RaccoonStealer
File: Executable exe ad609feb61006710a2e85c11ddf17586c59ad11a84fb0099c8ec0bad100682b0 (this sample)

Delivery method: Distributed via web download

Comments