MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10


SHA256 hash: bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912
SHA3-384 hash: 789a3133f1e847b52eee4b573a270a9e45f7cc232c27ad6e45132425640734da24b4419213de2eae25860cf4265f43fa
SHA1 hash: 993ab6ddf0f3dfa349ef7ad4e3a44d0fc2a15a0a
MD5 hash: a0e87c4b9483fae95f6f57946023d3e7
humanhash: east-vegan-arkansas-triple
File name: a0e87c4b9483fae95f6f57946023d3e7.exe
Signature: RaccoonStealer
File size: 2'916'403 bytes
First seen: 2021-07-27 22:55:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:EgGeCFEEIxWoH57jp49GfCZHw7DhSZ2eGIxy2FKVqrZix9zSlbtcUw5:JHCG+0Zja9sCZzZnGWdF+wZixpebeU8
Threatray: 246 similar samples on MalwareBazaar
TLSH: T188D5331D7F22DAABC1226D3245317BE187F13343354C9A6F5724A629ACD6F702D9EA02
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
185.228.233.5:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
185.228.233.5:80       https://threatfox.abuse.ch/ioc/163171/
87.251.71.145:58198    https://threatfox.abuse.ch/ioc/163172/

Intelligence


File Origin
# of uploads: 1
# of downloads: 146
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://ijicrack.com/soundpad-crack-license-key-download/
Verdict: Malicious activity
Analysis date: 2021-07-25 21:00:55 UTC
Tags: evasion trojan stealer vidar loader rat redline phishing raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Backstage Stealer RedLine SmokeLoader So
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 455215; sample pMVkvSyeIy.exe; start date 28/07/2021; architecture WINDOWS; score 100. The graph export is rendered below as a process tree, with each process's network contacts, dropped files and signatures listed under it:

pMVkvSyeIy.exe
  network: 127.0.0.1 (unknown); ip-api.com 208.95.112.1, ports 49734, 80 (TUT-ASUS, United States); 10 other IPs or domains
  signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 17 other signatures
  dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  started: setup_installer.exe
    dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\sahiba_8.txt (PE32+); C:\Users\user\AppData\Local\...\sahiba_7.txt (PE32); 11 other files (none is malicious)
    started: setup_install.exe
      network: watira.xyz 172.67.170.195, ports 49721, 80 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\AppData\...\sahiba_8.exe (copy) (PE32+); C:\Users\user\AppData\...\sahiba_6.exe (copy) (PE32); C:\Users\user\AppData\...\sahiba_5.exe (copy) (PE32); 5 other files (4 malicious)
      signatures: Detected unpacking (changes PE section rights); Performs DNS queries to domains with low reputation
      started: cmd.exe
        started: sahiba_6.exe
          network: www.renximy.com; i.spesgrt.com; 15 other IPs or domains
          dropped: C:\Users\...\x8D66y2ShTkGxVsMBVT__fge.exe (PE32+); C:\Users\...\stJzphl7KZrdSK2Johlv703k.exe (PE32); C:\Users\...\j288QGO7MxVhNwwpl2SwQhN3.exe (PE32); 25 other files (20 malicious)
          signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures
      started: cmd.exe
        started: sahiba_3.exe
          network: 116.202.183.50, ports 49770, 80 (HETZNER-ASDE, Germany); shpak125.tumblr.com 74.114.154.18, ports 443, 49757 (AUTOMATTICUS, Canada)
          dropped: 12 other files (none is malicious)
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets
      started: cmd.exe
        signatures: Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
        started: sahiba_1.exe
          signatures: Creates processes via WMI
          started: sahiba_1.exe
            network: live.goatgame.live 104.21.70.98, ports 443, 49726 (CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
            dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
      6 other processes, which start:
        sahiba_2.exe
          dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
          signatures: DLL reload attack detected; Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)
        sahiba_5.exe
          network: 2 other IPs or domains
          dropped: C:\Users\user\AppData\Roaming\4067942.exe (PE32); C:\Users\user\AppData\Roaming\3657116.exe (PE32); 2 other files (none is malicious)
          signatures: Performs DNS queries to domains with low reputation
        sahiba_4.exe
          network: cdn.discordapp.com 162.159.135.233, ports 443, 49723, 49728 (CLOUDFLARENETUS, United States)
        sahiba_7.exe
Threat name: Win32.Trojan.Crypzip
Status: Malicious
First seen: 2021-07-25 21:38:37 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE DTLoader Binary Request M2
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
https://shpak125.tumblr.com/
Unpacked files
SHA256 hash: c204948f88c6d384b39069c2c5c69ed62105ee73f391ff105b3e36081f12fc5d
MD5 hash: cd8b4ea3aa92a0ed9eee929b3585c711
SHA1 hash: da430a7a38bd3c7ad75ab6e9ed4a4ca6a077ac54

SHA256 hash: df1dffba0d6afbae8f31cc1718ac915fdf2e69a1976e9675d151905215a71baa
MD5 hash: ecd0d55656ad734d4900826de9a4614a
SHA1 hash: 49e2196d7f33c068f90d727a3276ab16b621aafc

SHA256 hash: c5e89d85fd1c330cefc690010e21e692229fa5d0d0f6862246e9be2c689301eb
MD5 hash: cff0d42710c0f56601e1322157fa5483
SHA1 hash: cd78de49a689157fbea5ba1cfe70c8f7803443f2

SHA256 hash: 7b8be831bf781741f6945f4eba81055c5c66bb0c37ea29f10dafd7002bc49946
MD5 hash: 6b143d8c4bf42fbb7e3fcbbc07c77056
SHA1 hash: de516772cdfe8634537350a098abdcd5d93fc6f4

SHA256 hash: 944d0036c359c3406803a1b8ebb0f434e9a53bf443cce4a92038202cbfd71655
MD5 hash: e392bc384c98ddd5dd55794a096ab787
SHA1 hash: afd2c5471065d10ee67d89b037360d80b9474885

SHA256 hash: f08faa7ff270d4dd074c9fd8966674580e1e545ba72414b07942fe3b01f28296
MD5 hash: 7154363f6af0bfafe02f1ed75d45ba1e
SHA1 hash: 4da75746e4f21e312430c6b455ec30f6888e342b

SHA256 hash: c3759b2ce602b3575af5ba376446815a132f77e4b05c48f12ef0b512f9025bc4
MD5 hash: a30209d1cbb79a6af44aaa3f0240bfac
SHA1 hash: 34a71c0dc1a837ba78aa86f9dc3dde6fa8570eda

SHA256 hash: 6ea92579c10ff6128399ec8092b44388da56b89e83103797601d334d6c866ca0
MD5 hash: f14bcba48fb3817154228ed4cf9df6cb
SHA1 hash: 26ae758142d6dd0d69d5f4ff127a0d9c633b6690

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 75a20613e623f5f96f4e68dc4fe9407818ad9aed01b88a5884aad482947aabb9
MD5 hash: d02edd28739d212eaaebb58bf0506f60
SHA1 hash: 534823b410b0afb65df95e378717ffed2ae96e2a

SHA256 hash: 11a4ab8ad866983ad1a27527322baec321fbed78bb379c9026adc516a01c395b
MD5 hash: 3d5f20ea826a9ed2b064bf455533ce20
SHA1 hash: 36c2bf9f1b2267c8146bb2c3d559ed467df97eee

SHA256 hash: bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912
MD5 hash: a0e87c4b9483fae95f6f57946023d3e7
SHA1 hash: 993ab6ddf0f3dfa349ef7ad4e3a44d0fc2a15a0a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: RedOctoberPluginCollectInfo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments