MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12



SHA256 hash: bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
SHA3-384 hash: 92c94673cb5533717a8c6b1d21e5005a6e0da9ed3a6b7463fd64734566c51385dc90bda98b478813bbe4fa0486124bf5
SHA1 hash: 5f162b385ea318e517a266af1f92a56e3b561eb0
MD5 hash: bd69802d17c0495539e31d37cad0cbb9
humanhash: bravo-three-hotel-football
File name: BD69802D17C0495539E31D37CAD0CBB9.exe
Signature: RaccoonStealer
File size: 3'594'349 bytes
First seen: 2021-08-20 16:20:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:y8s9pUMEDVqWVZ5aa3X4rCkCVIfORksx0H:yhUTXVdX42kAyLt
Threatray: 265 similar samples on MalwareBazaar
TLSH: T19BF533B488149A83E9F929F3DE1B52C71EB15C471530530B2B2665EF3E026EF168FB52
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://45.140.147.35/
ThreatFox reference: https://threatfox.abuse.ch/ioc/192382/

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 611b30_Watch-Dogs-PC-C.zip
Verdict: Malicious activity
Analysis date: 2021-08-17 03:42:52 UTC
Tags: trojan evasion stealer vidar loader rat redline phishing raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Sending a UDP request
Creating a window
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 468982
Sample: IWXgoiDvgC.exe
Start date: 20/08/2021
Architecture: WINDOWS
Score: 100
Process chain shown in the graph: IWXgoiDvgC.exe starts setup_installer.exe, which drops and starts setup_install.exe; setup_install.exe starts three cmd.exe instances and 8 other processes, which in turn launch powershell.exe, Tue021e08b886995.exe, Tue022a930da16b.exe, Tue021b99042c7.exe, Tue0237249404942fe.exe, Tue027536c4694d45.exe and others. The graph's network, dropped-file and signature nodes are not reproduced here.
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-08-17 03:50:40 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:pab3 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments