MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afdbdff7a2510b208b5ebc47ac621ff14a15aa5673ed6cdf7f7f0f8ad4c1e1fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 11



SHA256 hash: afdbdff7a2510b208b5ebc47ac621ff14a15aa5673ed6cdf7f7f0f8ad4c1e1fb
SHA3-384 hash: 3de912dbf7699f52f0084dbf9f6cb45848b3bf6003bb86b38415378ff56dc1286b9b872fa6331392def04543510a4a58
SHA1 hash: 46141e70b28544d6c3cccca56e35a52f3cb4671d
MD5 hash: a0398eaee184bdd5da2ded03fd02e598
humanhash: mars-autumn-missouri-mike
File name: a0398eaee184bdd5da2ded03fd02e598.exe
Signature: RaccoonStealer
File size: 3'177'829 bytes
First seen: 2021-06-26 08:40:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:UbUQ1ztF+NEGSK9KVELOIsZXOt1hizE4vM:UwQYEGg+iROgooM
Threatray: 1'993 similar samples on MalwareBazaar
TLSH: 4CE533417CC195F1E5676932457CEE11283DBC246F78CABF63985A0EAA322C1EE34763
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://34.141.128.39/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://34.141.128.39/
ThreatFox reference: https://threatfox.abuse.ch/ioc/153871/

Intelligence


File Origin
# of uploads: 1
# of downloads: 171
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a0398eaee184bdd5da2ded03fd02e598.exe
Verdict: Malicious activity
Analysis date: 2021-06-26 08:42:43 UTC
Tags: evasion autoit trojan stealer vidar loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: SmokeLoader Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 440842; sample 6nNxvZ2syK.exe; start date 26/06/2021; architecture WINDOWS; score 100)
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for dropped file; 14 other signatures

Process tree as reported by the sandbox (dropped files, network contacts and per-process signatures; truncated paths are shown as reported):

6nNxvZ2syK.exe
  drops: C:\Users\user\Desktop\pub2.exe (PE32); C:\Users\user\Desktop\jg3_3uag.exe (PE32); C:\Users\user\Desktop\KRSetp.exe (PE32); 3 other files (none is malicious)
  Files.exe
    drops: C:\Users\user\AppData\Local\Temp\...\File.exe (PE32)
    File.exe
      network: newja.webtm.ru 92.53.96.150:80 (TIMEWEB-ASRU, Russian Federation)
      drops: C:\Users\Public\run2.exe (PE32); C:\Users\Public\run.exe (PE32)
      signatures: Binary is likely a compiled AutoIt script file; Drops PE files to the user root directory
      run.exe
        network: 159.69.20.131:80 (HETZNER-ASDE, Germany); sergeevih43.tumblr.com 74.114.154.18:443 (AUTOMATTICUS, Canada)
        drops: C:\Users\user\AppData\...\msvcp140[1].dll (PE32); C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (none is malicious)
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
        cmd.exe
          conhost.exe
          taskkill.exe
          timeout.exe
      run2.exe
  Folder.exe
    drops: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32)
    rundll32.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    conhost.exe
  pub2.exe
    drops: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
    signatures: DLL reload attack detected; Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)
  3 other processes
    network: topnewsdesign.xyz; 101.36.107.74:80 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, China); 5 other IPs or domains
    drops: C:\Users\user\Documents\...\jg3_3uag.exe (PE32); C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32); C:\Users\user\AppData\Local\Temp\haleng.exe (PE32)
    signatures: Drops PE files to the document folder of the user; Performs DNS queries to domains with low reputation; Tries to harvest and steal browser information (history, passwords, etc)
    jfiag3g_gg.exe
      signatures: Antivirus detection for dropped file
    jfiag3g_gg.exe
    jfiag3g_gg.exe
svchost.exe
  signatures: System process connects to network (likely due to code injection or exploit); Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
  svchost.exe
    network: email.yg9.me 198.13.62.186 (AS-CHOOPAUS, United States)
    signatures: Query firmware table information (likely to detect VMs)
iexplore.exe
  iexplore.exe
    network: iplogger.org 88.99.66.31:443 (HETZNER-ASDE, Germany)
  iexplore.exe
3 other processes
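The tree above ends with run.exe (dropped to C:\Users\Public) spawning cmd.exe, which launches taskkill.exe and timeout.exe; the second vendor below reports the same as "Kills process with taskkill" and "Delays execution with timeout.exe", and the Sigma hit "Execution from Suspicious Folder" covers the parent. The Python below is an added example, not MalwareBazaar or sandbox code: it walks process-creation records and flags a parent running from a user-writable directory whose cmd.exe child spawned both tools. The event records, pids and the SUSPICIOUS_DIRS list are constructed for the example.

```python
"""Flag the cleanup chain seen in the behaviour graph: a binary running from a
user-writable directory spawns cmd.exe, which spawns taskkill.exe and timeout.exe.
Added example; the process events below are constructed, not sandbox output."""
from collections import defaultdict
from dataclasses import dataclass

# Directories a normal installer or runtime does not execute from. Assumption:
# tune per environment. \Users\Public and \AppData\Local\Temp are where the
# sandbox saw this sample drop run.exe/File.exe.
SUSPICIOUS_DIRS = (
    "\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\desktop\\",
    "\\documents\\",
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full image path as logged by Sysmon/EDR


def from_suspicious_dir(image: str) -> bool:
    low = image.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def find_cleanup_chains(events):
    """Return pids of parents (in a suspicious directory) whose cmd.exe child
    spawned both taskkill.exe and timeout.exe."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []
    for e in events:
        if not from_suspicious_dir(e.image):
            continue
        for cmd in children[e.pid]:
            if basename(cmd.image) != "cmd.exe":
                continue
            grandchildren = {basename(c.image) for c in children[cmd.pid]}
            if {"taskkill.exe", "timeout.exe"} <= grandchildren:
                hits.append(e.pid)
                break
    return hits


# Constructed events modelled on the sandbox tree (File.exe -> run.exe -> cmd.exe),
# plus a benign chain from Program Files that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(520, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(1200, 520, r"C:\Users\user\AppData\Local\Temp\File.exe"),
    ProcEvent(1320, 1200, r"C:\Users\Public\run.exe"),
    ProcEvent(1404, 1320, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1410, 1404, r"C:\Windows\System32\conhost.exe"),
    ProcEvent(1416, 1404, r"C:\Windows\System32\taskkill.exe"),
    ProcEvent(1422, 1404, r"C:\Windows\System32\timeout.exe"),
    ProcEvent(2000, 520, r"C:\Program Files\Tool\tool.exe"),
    ProcEvent(2010, 2000, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2020, 2010, r"C:\Windows\System32\timeout.exe"),
]

if __name__ == "__main__":
    print(find_cleanup_chains(SAMPLE_EVENTS))
```

The check requires both taskkill.exe and timeout.exe under the same cmd.exe; a lone timeout.exe from a shell is routine, and requiring the parent to sit in a user-writable directory keeps legitimate installers in Program Files out of the alert.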
Threat name: Win32.Trojan.CookiesStealer
Status: Malicious
First seen: 2021-06-24 05:14:29 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:plugx family:raccoon family:smokeloader family:vidar backdoor discovery evasion persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Vidar Stealer
PlugX
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
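The C2 URL reported by abuse_ch, the hosts and IPs in the sandbox behaviour graph, and the Vidar C2 list just above are the network indicators this entry provides. The Python below is an added example, not MalwareBazaar or ThreatFox code: it matches proxy-log lines against those indicators. It matches full hostnames rather than parent domains on purpose: sergeevih43.tumblr.com and iplogger.org live on legitimate services (the "Legitimate hosting services abused for malware hosting/C2" behaviour above), so a domain-level match would flag all of tumblr.com. The log format and client addresses are constructed.

```python
"""Match proxy-log URLs against the network indicators on this page.
Added example; the log lines are constructed, not captured traffic."""
from urllib.parse import urlsplit

# From the ThreatFox IOC table and the Vidar "C2 Extraction" list.
C2_URLS = {
    "http://34.141.128.39/",
    "http://ppcspb.com/upload/",
    "http://mebbing.com/upload/",
    "http://twcamel.com/upload/",
    "http://howdycash.com/upload/",
    "http://lahuertasonora.com/upload/",
    "http://kpotiques.com/upload/",
}
# Hosts contacted in the behaviour graph. Exact hostnames, not parent domains:
# tumblr.com and iplogger.org are legitimate services abused here.
C2_HOSTS = {
    "email.yg9.me", "iplogger.org", "topnewsdesign.xyz",
    "newja.webtm.ru", "sergeevih43.tumblr.com",
}
# IPs contacted in the behaviour graph.
C2_IPS = {
    "198.13.62.186", "88.99.66.31", "101.36.107.74",
    "92.53.96.150", "159.69.20.131", "74.114.154.18",
}


def match_url(url: str):
    """Return 'url', 'ip' or 'host' for the most specific indicator that matches, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Normalise to scheme://host/path (drops port, query, fragment) so a request
    # to the C2 path with extra components still matches as a prefix.
    norm = f"{parts.scheme}://{host}{parts.path or '/'}"
    if any(norm.startswith(c2) for c2 in C2_URLS):
        return "url"
    if host in C2_IPS:
        return "ip"
    if host in C2_HOSTS:
        return "host"
    return None


def scan_proxy_log(lines):
    """Each line: '<timestamp> <client> <method> <url> <status>' (constructed format).
    Returns (client, url, indicator_type) for every hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        kind = match_url(fields[3])
        if kind:
            hits.append((fields[1], fields[3], kind))
    return hits


# Constructed log lines; the third and sixth must not match.
SAMPLE_LOG = [
    "2021-06-26T08:41:02Z 10.0.0.7 POST http://ppcspb.com/upload/ 200",
    "2021-06-26T08:41:05Z 10.0.0.7 GET https://sergeevih43.tumblr.com/ 200",
    "2021-06-26T08:41:06Z 10.0.0.8 GET https://www.tumblr.com/dashboard 200",
    "2021-06-26T08:41:09Z 10.0.0.7 GET http://34.141.128.39/ 200",
    "2021-06-26T08:41:12Z 10.0.0.9 GET http://159.69.20.131/ 200",
    "2021-06-26T08:41:15Z 10.0.0.8 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

URL indicators are tested first because they are the most specific; a hit on a bare host or IP still deserves a look, but the path-level match is the one that ties the client to the stealer's upload endpoint.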
Unpacked files
SHA256 hash: 8ac07124315f36db78c157ed5d2c3d7ed75120ecc4d0d4a6622de2a98f587c16
MD5 hash: 2f1ae78cae116a020760f54479c3e9b3
SHA1 hash: 433fe2252e21043a302af27a6a0741499cefd4ed

SHA256 hash: 55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash: 4de4b7bc0a92902422c4204fcfa58150
SHA1 hash: 587e0299ea32cc836281998941daa60f471e3480

SHA256 hash: 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash: 7165e9d7456520d1f1644aa26da7c423
SHA1 hash: 177f9116229a021e24f80c4059999c4c52f9e830

SHA256 hash: 10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash: 89c739ae3bbee8c40a52090ad0641d31
SHA1 hash: d0f7dc9a0a3e52af0f9f9736f26e401636c420a1

SHA256 hash: 12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a
MD5 hash: a7732204d9c883a4373c8b615c97de43
SHA1 hash: 017de30fc0647908eb8dd532982ce6644fb13e59

SHA256 hash: 82d7b59c0c54c374e0932fdb281ed773c28d7f14da8c190d92cfc97eb211ab0d
MD5 hash: abc690c2e6be1207ec435e38588f2183
SHA1 hash: f67deaa155d11b142d9d0b030a323cb71abeb311

SHA256 hash: f19cedc4d26fdcd670ba8a6abec1b2b72ddfa8dfcb866d9f30f245ed3342648e
MD5 hash: a8cc04b8453445b20b796fab64f34fd4
SHA1 hash: 63d533d514ab121372e2cda7847cb1d8db1134b0

SHA256 hash: 3f4b117d2d74ff2b870c0772c3452e4601b81181efed2b7ae000be09f5a835f8
MD5 hash: 30bf36c232806c3945de803163a0dbbb
SHA1 hash: 43b264ad16d814ace4ddceac20699073ffa16900

SHA256 hash: f5813f691b81fbe12b0251d1443d9a8b8629eb31a699677f11895b56cc06ca09
MD5 hash: a873beab29359a313a1d0ba8c2760354
SHA1 hash: 3b13a73adf54d84fc0ac7555b6a9caaf7a488f00

SHA256 hash: 9850e3869f9ecfadbfa9002b0fcbc4ccc332af61a2e779173f2fe6e1856470d0
MD5 hash: c6faafec725e9036d0a8e1e2b288d1c8
SHA1 hash: f98a01ebe6dcee3c0f994d8dbaa2f04ddc113a9b

SHA256 hash: f3f4cab85bfc9794646d2a7a770e45a3da7c69afa16cee9411df858a3c8f6fd8
MD5 hash: 9afae5f14434de594e6b879d67cccb4d
SHA1 hash: 924189917ac5fc5078f2aa4dab0a04286254e3b6

SHA256 hash: 55cdb9054f66ed88b8215d9f981efd7421c6f50dc9285140ec5ff591e34121bd
MD5 hash: 5631522a0758055c133e7966c1948802
SHA1 hash: 90caf8180bf43727fc490ffa34b1d578833aad7f

SHA256 hash: afdbdff7a2510b208b5ebc47ac621ff14a15aa5673ed6cdf7f7f0f8ad4c1e1fb
MD5 hash: a0398eaee184bdd5da2ded03fd02e598
SHA1 hash: 46141e70b28544d6c3cccca56e35a52f3cb4671d
Please note that we are no longer able to provide a coverage score for Virus Total.
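Two checks a practitioner runs against this entry: that a downloaded file really is the sample (the MD5, SHA1, SHA256 and SHA3-384 values in the file information table), and whether a file recovered from a host is one of the unpacked/dropped files listed above. The Python below is an added example, not MalwareBazaar code; the digests are copied from this page and the input bytes are constructed. One caveat the table itself supports: the imphash is shared with 863 DCRat, 118 NanoCore and 94 njrat samples, so it identifies a common import table (a packer or loader stub), not this family; use the exact digests for identity and the imphash only for pivoting.

```python
"""Verify a downloaded sample against the digests MalwareBazaar lists, and check a
file against the SHA256 set of this entry's unpacked files.
Added example; hashes are from this page, the input bytes are constructed."""
import hashlib

# Digests listed for the submitted sample (file information table).
SAMPLE_DIGESTS = {
    "md5": "a0398eaee184bdd5da2ded03fd02e598",
    "sha1": "46141e70b28544d6c3cccca56e35a52f3cb4671d",
    "sha256": "afdbdff7a2510b208b5ebc47ac621ff14a15aa5673ed6cdf7f7f0f8ad4c1e1fb",
    "sha3_384": "3de912dbf7699f52f0084dbf9f6cb45848b3bf6003bb86b38415378ff56dc1286b9b872fa6331392def04543510a4a58",
}

# SHA256 of every file in the "Unpacked files" list (the sample itself is included).
UNPACKED_SHA256 = {
    "8ac07124315f36db78c157ed5d2c3d7ed75120ecc4d0d4a6622de2a98f587c16",
    "55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca",
    "40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67",
    "10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d",
    "12b2a34db1f822c089218f1b46c1870462a0afb65ff0364e0f0ba043e93c1e5a",
    "82d7b59c0c54c374e0932fdb281ed773c28d7f14da8c190d92cfc97eb211ab0d",
    "f19cedc4d26fdcd670ba8a6abec1b2b72ddfa8dfcb866d9f30f245ed3342648e",
    "3f4b117d2d74ff2b870c0772c3452e4601b81181efed2b7ae000be09f5a835f8",
    "f5813f691b81fbe12b0251d1443d9a8b8629eb31a699677f11895b56cc06ca09",
    "9850e3869f9ecfadbfa9002b0fcbc4ccc332af61a2e779173f2fe6e1856470d0",
    "f3f4cab85bfc9794646d2a7a770e45a3da7c69afa16cee9411df858a3c8f6fd8",
    "55cdb9054f66ed88b8215d9f981efd7421c6f50dc9285140ec5ff591e34121bd",
    "afdbdff7a2510b208b5ebc47ac621ff14a15aa5673ed6cdf7f7f0f8ad4c1e1fb",
}

CHUNK = 1 << 20  # 1 MiB: hash in chunks so a multi-MB sample is read once


def digests(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists, in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_DIGESTS}
    view = memoryview(data)
    for off in range(0, len(view), CHUNK):
        chunk = view[off:off + CHUNK]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(data: bytes, expected: dict) -> list:
    """Return the names of digests that do not match `expected`; an empty list means verified."""
    actual = digests(data)
    return [name for name, value in expected.items() if actual[name] != value.lower()]


def is_known_unpacked(data: bytes) -> bool:
    """True if `data` is one of the files the sandbox unpacked or dropped for this entry."""
    return hashlib.sha256(data).hexdigest() in UNPACKED_SHA256


if __name__ == "__main__":
    constructed = b"constructed input, not the sample"
    print(verify(constructed, SAMPLE_DIGESTS))   # all four names: this is not the sample
    print(is_known_unpacked(constructed))         # False
```

Checking all four digests rather than only MD5 matters because MD5 and SHA1 collisions are practical; SHA256 is the value to key on, and the SHA3-384 mismatch would catch a tampered copy that was crafted to keep the SHA256 of some other listing.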

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com
