MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af6355e9d23ab7ede7f7163c3e4a57a77683aeeb262df643dd0c010339cc0997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 9



SHA256 hash: af6355e9d23ab7ede7f7163c3e4a57a77683aeeb262df643dd0c010339cc0997
SHA3-384 hash: 43459e22bd8e2e1bd1edaa9f57d830fafe38e9a52c26c1384febb87e1621bb8e36447908a2b96d22b2ae7c376fdb558c
SHA1 hash: ca20249940c509ceca3273ce4bb563474a03293d
MD5 hash: 3a7ec50b3c48596288bac9c22417a59b
humanhash: seven-sad-autumn-red
File name: ca20249940c509ceca3273ce4bb563474a03293d.exe
Download: download sample
Signature: RaccoonStealer
File size: 542'208 bytes
First seen: 2021-09-19 17:26:00 UTC
Last seen: 2021-09-19 17:51:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fa60387d0028b4d3797a377f8f49d1bf (1 x RaccoonStealer, 1 x GCleaner)
ssdeep: 12288:VIWpmGcWBCu+m8jhqb7/J2xnwIjmTbpq:VIWpCtqb7CwDM
Threatray: 88 similar samples on MalwareBazaar
TLSH: T1A4B43960A350E3B1F19709FE11A65FB939281838CB98FCEBAF905D05E6241DD727127E
dhash icon: e8d959ccc866e6c3 (3 x RaccoonStealer, 2 x CoinMiner, 1 x Tofsee)
Reporter: abuse_ch
Tags: exe RaccoonStealer
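Before trusting that a file on your analysis box is the sample this entry describes, compare every digest the entry lists (and the size), not just one of them: a match on one field and a mismatch on another means you are holding a different file. The following is an added example, not MalwareBazaar's own code. It assumes you have already extracted the sample from the password-protected archive it downloads as, and hashes the raw bytes with the Python standard library (imphash, ssdeep and TLSH need third-party libraries and are left out).

```python
import hashlib
from pathlib import Path

# Digests and size as listed in this MalwareBazaar entry.
ENTRY = {
    "md5": "3a7ec50b3c48596288bac9c22417a59b",
    "sha1": "ca20249940c509ceca3273ce4bb563474a03293d",
    "sha256": "af6355e9d23ab7ede7f7163c3e4a57a77683aeeb262df643dd0c010339cc0997",
    "sha3_384": "43459e22bd8e2e1bd1edaa9f57d830fafe38e9a52c26c1384febb87e1621bb8e36447908a2b96d22b2ae7c376fdb558c",
    "size": 542208,
}


def fingerprint(data: bytes) -> dict:
    """Compute the same digest set MalwareBazaar publishes, plus the byte length."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "size": len(data),
    }


def compare(data: bytes, entry: dict = ENTRY) -> dict:
    """Field-by-field comparison. A mix of True and False means a different
    (or truncated) file, never a 'partially correct' sample."""
    fp = fingerprint(data)
    return {field: fp[field] == expected for field, expected in entry.items()}


def matches_entry(data: bytes, entry: dict = ENTRY) -> bool:
    """True only when every listed digest and the size agree."""
    return all(compare(data, entry).values())


def check_file(path: str, entry: dict = ENTRY) -> bool:
    """Hash the extracted sample, not the archive it was downloaded in."""
    return matches_entry(Path(path).read_bytes(), entry)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        data = Path(p).read_bytes()
        print(p, "MATCH" if matches_entry(data) else "mismatch", compare(data))
```

Run it as `python verify.py <extracted_sample>`; the per-field dictionary it prints tells you which digest disagreed when the overall verdict is a mismatch.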


abuse_ch
RaccoonStealer C2:
http://45.67.231.60/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://45.67.231.60/    https://threatfox.abuse.ch/ioc/223520/

Intelligence


File Origin
# of uploads: 2
# of downloads: 219
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://cracknet.net
Verdict: Malicious activity
Analysis date: 2021-09-18 13:42:20 UTC
Tags: evasion trojan rat azorult stealer fareit pony redline raccoon loader opendir vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Schedule system process
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected SmokeLoader
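Several of the signatures above map directly onto process-creation telemetry: an encoded PowerShell command line, a scheduled task whose action points into a Temp folder, reg.exe turning off Defender real-time protection, and (per the behavior graph further down) forfiles.exe being used as a proxy to launch cmd.exe, which then runs reg.exe and powershell.exe. The block below is an added example, not a vendor signature or the text of any Sigma rule; it applies those four checks to a handful of constructed Sysmon-style events whose paths and command lines are assumptions, and decodes the -EncodedCommand payload so an analyst sees the script rather than base64.

```python
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by a base64 token. PowerShell accepts any
# unambiguous prefix of -EncodedCommand; these are the ones seen in the wild most often.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_powershell_encoded(cmdline: str):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: dict) -> list:
    """Apply the checks to one process-creation event; return the names of the checks that fired."""
    image = event["Image"].lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event["CommandLine"]
    low = cmd.lower()
    fired = []
    if image.endswith("powershell.exe") and decode_powershell_encoded(cmd) is not None:
        fired.append("suspicious_encoded_powershell")
    if image.endswith("schtasks.exe") and "/create" in low and "\\temp\\" in low:
        fired.append("scheduled_task_from_temp")
    if image.endswith("reg.exe") and "real-time protection" in low and "disablerealtimemonitoring" in low:
        fired.append("defender_realtime_disabled_via_registry")
    if parent.endswith("forfiles.exe") and image.endswith(("cmd.exe", "powershell.exe")):
        fired.append("forfiles_lolbin_proxy_execution")
    return fired


# Constructed events (assumed paths and command lines, Sysmon Event ID 1 style); not from the sandbox report.
SCRIPT = "Set-MpPreference -DisableRealtimeMonitoring $true"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\Install.exe",
     "CommandLine": r'schtasks /create /f /sc minute /mo 1 /tn "Updater" /tr "C:\Users\user\AppData\Local\Temp\update.exe"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'cmd /c reg query "HKLM\SOFTWARE\Microsoft\Windows Defender"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign admin script, should not fire
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]


def scan(events) -> list:
    """Return (event index, fired checks, decoded script or None) for events that triggered anything."""
    out = []
    for i, ev in enumerate(events):
        fired = evaluate(ev)
        if fired:
            out.append((i, fired, decode_powershell_encoded(ev["CommandLine"])))
    return out


if __name__ == "__main__":
    for idx, fired, decoded in scan(SAMPLE_EVENTS):
        print(idx, fired, decoded or "")
```

The checks are deliberately narrow string tests so that each one corresponds to a single signature in the list; in production you would feed them real Sysmon or EDR events and tune the Temp-folder and reg.exe checks against your own baseline, since administrators do occasionally create tasks from Temp and toggle Defender settings by policy.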
Behaviour
Behavior Graph (ID 486029; sample oqYSjv0q9v.exe; start date 19/09/2021; architecture WINDOWS; score 100), flattened from the graph view into a process tree (indentation = parent/child; "injected" marks a process entered by thread injection rather than started):

Sample-wide:
  Contacted: www.testupdate.info; tracemonitor-1495159681.us-west-2.elb.amazonaws.com; 10 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 13 other signatures

Process tree:
  oqYSjv0q9v.exe
    Contacted: 51.178.186.149 (ports 49740, 49747, 49760; OVHFR, France); 37.0.10.244 (ports 49739, 49746, 80; WKD-ASIE, Netherlands); 4 other IPs or domains
    Dropped: C:\Users\...\vlREaHt69eLP5uYi5ut4OPCk.exe (PE32); C:\Users\...\vRRzwaEGCTkKUAOCiadGvYed.exe (PE32+); C:\Users\...\1szjZxgXolmV9mDBjEB2Yqfn.exe (PE32); 3 other malicious files
    Signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
    vlREaHt69eLP5uYi5ut4OPCk.exe
      Signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
      explorer.exe (injected)
        Contacted: 103.169.90.205 (ports 49812, 49822, 80; AARNET-AS-AP Australian Academic and Research Network AARNet, unknown); fernandomayol.com 187.190.48.60 (ports 49807, 49828, 49830; TOTALPLAY TELECOMUNICACIONES SA DE CV MX, Mexico); 7 other IPs or domains
        Dropped: C:\Users\user\AppData\Roaming\vdrevbe (PE32); C:\Users\user\AppData\Local\Temp\6408.exe (PE32); C:\Users\user\AppData\Local\Temp\4BCC.exe (PE32); C:\Users\user\AppData\Local\Temp\20D3.exe (PE32)
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
    1szjZxgXolmV9mDBjEB2Yqfn.exe
      Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
      Install.exe
        Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
        Signatures: Multi AV Scanner detection for dropped file
        Install.exe
          Dropped: C:\Users\user\AppData\Local\...\tLOgYhg.exe (PE32)
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Modifies Group Policy settings
          cmd.exe
            Signatures: Uses cmd line tools excessively to alter registry or file data
            forfiles.exe
              cmd.exe
                powershell.exe
            conhost.exe
          forfiles.exe
            cmd.exe
              Signatures: Uses cmd line tools excessively to alter registry or file data
              reg.exe
              reg.exe
            conhost.exe
          forfiles.exe
            cmd.exe
              reg.exe
              reg.exe
            conhost.exe
          4 other processes
            conhost.exe
            conhost.exe
            2 other processes
    vRRzwaEGCTkKUAOCiadGvYed.exe
      Dropped: C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll (PE32+)
  tLOgYhg.exe
    Dropped: C:\Windows\Temp\...\vMYQGtD.exe (PE32); C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Very long command line found
  powershell.exe
    conhost.exe
Threat name: Win32.Trojan.Drerasteel
Status: Malicious
First seen: 2021-09-16 20:07:18 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:djvu family:raccoon family:redline family:smokeloader family:vidar botnet:517 botnet:6e76410dbdf2085ebcf2777560bd8cb0790329c9 botnet:sewpalpadin backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops desktop.ini file(s)
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Vidar
Windows security bypass
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
185.215.113.29:18087
https://petrenko96.tumblr.com/
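To hunt with the C2 list above and the ThreatFox IOC from the Indicators Of Compromise section, the indicators first have to be normalised: most are URLs with a path, one is a bare ip:port, and one is a specific tumblr.com subdomain that must not be widened to the whole tumblr.com domain or every user browsing Tumblr lights up. The block below is an added example, not tooling from MalwareBazaar or ThreatFox. The proxy log format and the log lines are constructed for the example; the IOC values are the ones listed on this page.

```python
from urllib.parse import urlsplit

# C2 indicators from this entry: the ThreatFox IOC plus the vendor "C2 Extraction" block.
C2_IOCS = [
    "http://45.67.231.60/",
    "http://varmisende.com/upload/",
    "http://fernandomayol.com/upload/",
    "http://nextlytm.com/upload/",
    "http://people4jan.com/upload/",
    "http://asfaltwerk.com/upload/",
    "185.215.113.29:18087",
    "https://petrenko96.tumblr.com/",
]


def parse_ioc(ioc: str):
    """Normalise an IOC to (host, port, path). port/path are None when the IOC does not carry them."""
    if "://" in ioc:
        u = urlsplit(ioc)
        port = u.port or (443 if u.scheme == "https" else 80)
        return u.hostname.lower(), port, (u.path or "/")
    host, _, port = ioc.partition(":")
    return host.lower(), (int(port) if port else None), None


def parse_log_line(line: str) -> dict:
    """Constructed proxy log format (assumption): '<ts> <client> <method> <target>',
    where target is a URL for GET/POST and host:port for CONNECT."""
    ts, client, method, target = line.split()
    if method == "CONNECT":
        host, _, port = target.partition(":")
        return {"ts": ts, "client": client, "host": host.lower(), "port": int(port), "path": None}
    u = urlsplit(target)
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"ts": ts, "client": client, "host": u.hostname.lower(), "port": port, "path": u.path or "/"}


def match(event: dict, iocs=C2_IOCS):
    """Return (ioc, level): 'exact' when port and path prefix also agree with the IOC,
    'host' when only the hostname does (still worth a look: the same host, different URI). None if no hit."""
    best = None
    for ioc in iocs:
        host, port, path = parse_ioc(ioc)
        if event["host"] != host:
            continue
        port_ok = port is None or event["port"] == port
        path_ok = path is None or event["path"] is None or event["path"].startswith(path)
        if port_ok and path_ok:
            return ioc, "exact"
        best = best or (ioc, "host")
    return best


# Constructed log lines for the example; clients and timestamps are made up.
SAMPLE_LOG = """\
2021-09-19T17:30:01Z 10.1.2.3 POST http://varmisende.com/upload/
2021-09-19T17:30:05Z 10.1.2.3 CONNECT 185.215.113.29:18087
2021-09-19T17:31:00Z 10.1.2.4 GET https://www.tumblr.com/dashboard
2021-09-19T17:31:09Z 10.1.2.5 GET http://varmisende.com/index.html
2021-09-19T17:32:00Z 10.1.2.6 GET http://45.67.231.60/
2021-09-19T17:32:30Z 10.1.2.7 GET https://petrenko96.tumblr.com/
"""


def scan(log_text: str, iocs=C2_IOCS) -> list:
    """Run every log line against the IOC list and return the hits with the matching IOC and level."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_log_line(line)
        m = match(ev, iocs)
        if m:
            hits.append({**ev, "ioc": m[0], "level": m[1]})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["client"], h["level"], h["ioc"])
```

Note the two non-hits and the one partial hit: the www.tumblr.com dashboard request is not matched because only the petrenko96 subdomain is an indicator, and varmisende.com/index.html is reported at host level only, which is the right place to tune if the domain is known to be shared hosting. The RedLine-style ip:port indicator is matched on the CONNECT line, where there is no URL to compare.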
Unpacked files
SHA256 hash: af6355e9d23ab7ede7f7163c3e4a57a77683aeeb262df643dd0c010339cc0997
MD5 hash: 3a7ec50b3c48596288bac9c22417a59b
SHA1 hash: ca20249940c509ceca3273ce4bb563474a03293d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments