MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 8

SHA256 hash: bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
SHA3-384 hash: ece99130f1477893dba5e3a522b0526ecf0324c9d1601e6aedb10f00cf48fe0a9b66a8a40e0f13ad7ed5a649e3c086cb
SHA1 hash: 493600901a6b74b217a5c886c403d9bedb3c126f
MD5 hash: 852157fbd89ccae5baff8172e7bbbe6e
humanhash: floor-maryland-florida-football
File name: 852157FBD89CCAE5BAFF8172E7BBBE6E.exe
Signature: RaccoonStealer
File size: 4'960'311 bytes
First seen: 2021-09-01 16:26:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (shared with 141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:yXmTuJH5FPywbQ/zpgXGfVfhYB726W9B/VIPGbgKVZ13:yXmqRPYppdfZfVIPE3
Threatray: 465 similar samples on MalwareBazaar
TLSH: T10D3633B5B1658A6AD429C8B3677277EE2EF4C15312826728B3624E8C3F41501FC1FE76
dhash icon: b2a89c96a2cada72 (shared with 2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                        ThreatFox reference
http://45.142.215.144/     https://threatfox.abuse.ch/ioc/204183/

Intelligence


File Origin
# of uploads: 1
# of downloads: 186
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Sending a UDP request
Deleting a recently created file
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Creating a process with a hidden window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Result
Threat name: RedLine Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 475939; sample XqmbyBO3Da.exe; start date 01/09/2021; architecture WINDOWS; score 100), shown as a process tree:

Start
  Network: 104.21.77.209 (CLOUDFLARENETUS, United States); 172.67.146.70 (CLOUDFLARENETUS, United States); 3 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 13 other signatures
  -> XqmbyBO3Da.exe
       Dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
       -> setup_installer.exe
            Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Sun04dac6d7a0.exe (PE32); C:\Users\user\...\Sun047089ae5093c14.exe (PE32); 12 other files (5 malicious)
            -> setup_install.exe
                 Network: 104.21.87.76 (CLOUDFLARENETUS, United States); 127.0.0.1
                 Signatures: Adds a directory exclusion to Windows Defender
                 -> cmd.exe -> Sun043e60205beb4f.exe
                      Network: 37.0.10.214 (WKD-ASIE, Netherlands); 37.0.10.237 (WKD-ASIE, Netherlands); 10 other IPs or domains
                      Dropped: C:\Users\...\rlvFIHXcgSbRLTu4Ecaf_IW_.exe (PE32); C:\Users\user\AppData\...\zf-game[1].exe (PE32); C:\Users\user\AppData\...\help01_1[1].bmp (PE32); 41 other files (20 malicious)
                      Signatures: Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
                 -> cmd.exe -> Sun047089ae5093c14.exe
                      Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
                 -> cmd.exe -> Sun041024b30f4a0.exe
                      Network: 208.95.112.1 (TUT-ASUS, United States); 2 other IPs or domains
                      Signatures: Contains functionality to steal Chrome passwords or cookies
                 -> 6 other processes
                      Signatures: Adds a directory exclusion to Windows Defender
                      -> Sun045118d0261f811cc.exe
                           Network: 8.8.8.8 (GOOGLEUS, United States); 104.21.79.144 (CLOUDFLARENETUS, United States)
                           Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
                           Signatures: Creates processes via WMI
                      -> Sun04637c853e.exe
                           Dropped: C:\Users\user\AppData\...\Sun04637c853e.tmp (PE32)
                           Signatures: Antivirus detection for dropped file
                      -> Sun043bec3ec581a9.exe
                      -> powershell.exe
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-08-30 00:42:16 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:metasploit family:redline family:smokeloader family:vidar botnet:706 aspackv2 backdoor dropper infostealer loader stealer trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Dropper Extraction:
http://shellloader.com/welcome
Unpacked files
SHA256 hash: a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash: 0c6cae115465a83f05d3ff391fd009ac
SHA1 hash: 066ea93bb540ae4be0d2e522d4bb59eec74053ad

SHA256 hash: aafc69d03ed7357afe5ace72217e769a49791b0d275fe5e432180903cce805be
MD5 hash: 5491cf213d898b6e6b0addbd4dc4f073
SHA1 hash: 138528e384217d5cecf44cb12fc29a8d77bbfbd6

SHA256 hash: 835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash: 6961557695f34a53cf8224be7c265fbe
SHA1 hash: f52d34d0b1dbd181f2acb21f42d875d514afb6f7

SHA256 hash: 64ffc8a9ef49470c23de2952972cf796f9a081f902e0b35f7bdc270a9784f06a
MD5 hash: 5f61cabf346884d12876eaefad9da7ba
SHA1 hash: f18ea2dfe4e3e5e3a803c5d08945a1200ed84130

SHA256 hash: de776a861c0437152110af6c8587371652700b593aba04570845b1f43354d48e
MD5 hash: 5760f92ffa3e901f79ba5a228da4ffb4
SHA1 hash: c835255267fbeffd5acfe441a970b1b9ad57f9ae

SHA256 hash: fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash: 052270e8e9cfb3512932e0df484caef4
SHA1 hash: 85305fee690beea8458bab5d55d0368c47340501

SHA256 hash: b5864940981481cef770a0a09268cb5aaf63a86d32fa7ff980dc22a72f855697
MD5 hash: f2a75bdb477dbc61a40c582493f91599
SHA1 hash: 822664f9040b7a38cf64a943973196e7b418e936

SHA256 hash: 24da4be8c1d9ca77f30cfea2e4fa4113d2be3497a1efba8c2465605dccf20166
MD5 hash: 698f103458a664e57eae14b914673934
SHA1 hash: 71f6f414b92fc5daf178e5b0d49a24fd4890439b

SHA256 hash: eb97bd9ab0539b21f0be447002d004efeec3133811022f73516cb7627f3b5fc1
MD5 hash: ab73cc413405209fcf52577c34c2c8a3
SHA1 hash: 6bb120fa23e1198528f251efe74bdd27f67c47d2

SHA256 hash: 603c61184bc21390d64d8fe234f3b5928bb38384bd382aa0466980909b7ed60b
MD5 hash: 427aa284f4b287435f555b948ea061ce
SHA1 hash: 3d087b25e1fedf107abb78c337b965a9bdea8c1d

SHA256 hash: 9791a7cf7065aefbb1b011c11e9f4de289cbea1133bb21c6f5b8016a883a4ee9
MD5 hash: be4e6f7c03e32f970bc232e50ef94a12
SHA1 hash: 023f5aa8d4ac88edee4133dc192515fee662b0e2

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 0494a98b9f818f7f7d2f53d144c71459b9eb9172d1376f98446adcf103ebacda
MD5 hash: 541c7ead79ff830914ac821d2d8a1f4e
SHA1 hash: d584863568f5ebef076fec9517175e237f691753

SHA256 hash: 13f073d92379b2e0705ee4cf529012c789bb2f9c713877816e575d7e2221383e
MD5 hash: 651503f57f7618f9e2519df70139c2b8
SHA1 hash: 0554c50508efc86f6038b1aacd3ec43672ae8bc8

SHA256 hash: 79125bf88e26fda71a9fe44f7a799794d5fcafe2c4ee1f1710b31a761c12bb68
MD5 hash: dddc9e658a15ae98e411d84db80d5690
SHA1 hash: 1434594fd301306fc17156b003183761390c7a49

SHA256 hash: fa90bfa06ececa2fc532eaf1dcff29213cb1eac69ae0714452da05f39ac1859c
MD5 hash: fb063b5170fa92c24f5874c3ab695dd9
SHA1 hash: 942b224a9d02a184400052fd1decc84c2951a174

SHA256 hash: bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
MD5 hash: 852157fbd89ccae5baff8172e7bbbe6e
SHA1 hash: 493600901a6b74b217a5c886c403d9bedb3c126f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: RedOctoberPluginCollectInfo

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
