MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bff4375a0d35102b53ca3dbc8811638091b9b2df65bec2b7fc6a38cbf50d0a45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 11

SHA256 hash: bff4375a0d35102b53ca3dbc8811638091b9b2df65bec2b7fc6a38cbf50d0a45
SHA3-384 hash: 23236c8305fd031d3e47524a132b47cf48e6a04f0058858d738dd227df89a062a815349caf6ae5c292c2dcd6129b911b
SHA1 hash: bc12c5f4d4c9f4f92e12fa898b9da311b89e04dd
MD5 hash: 909f0e599dd9314cf8d3bc1d771fed09
humanhash: charlie-illinois-venus-spring
File name: bc12c5f4d4c9f4f92e12fa898b9da311b89e04dd.exe
Signature: RaccoonStealer
File size: 247'808 bytes
First seen: 2021-07-05 17:25:53 UTC
Last seen: 2021-07-05 17:34:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0f90179ec6bf3f7ebe81d80ed546954c (1 x Glupteba, 1 x CryptBot, 1 x RaccoonStealer)
ssdeep: 3072:kCYve7m4rfAtNMZo9LEww6dkk1O2CMfrDpgrQJRqLXeR5/HsS2T:knW7mcUgmMOOqfxgrQJRqLubMS2
Threatray: 319 similar samples on MalwareBazaar
TLSH: F534E0223791C037C04325701DB4E7722BAE6A326BB0DA477795176D4F323E2A97935B
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://alemed12.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://alemed12.top/index.php    https://threatfox.abuse.ch/ioc/157600/
http://mordmy01.top/index.php    https://threatfox.abuse.ch/ioc/157601/

Intelligence


File Origin
# of uploads: 2
# of downloads: 179
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://freecrackdownload.com/bandicam-crack-download-free/
Verdict: Malicious activity
Analysis date: 2021-07-04 04:11:57 UTC
Tags: autoit trojan stealer vidar evasion rat redline loader phishing raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Clipboard Hijacker Cryptbot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Behaviour
Behavior Graph:
Behavior Graph ID: 444338
Sample: ibj3mCisBP.exe
Start date: 05/07/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 14 other signatures

Process tree (node numbers as in the graph; each process is listed under the process that started it):
2 (start)
  14 ibj3mCisBP.exe
    Network: g-partners.live 159.65.63.164 (ports 49742, 49743, 49745; DIGITALOCEAN-ASNUS; United States); lopevh09.top 47.243.129.23 (ports 49750, 49754, 49758; CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC; United States); 3 other IPs or domains
    Dropped: C:\Users\user\AppData\...\70823487739.exe (PE32); C:\Users\user\AppData\...\24084489354.exe (PE32); C:\Users\user\AppData\Local\...\file[1].exe (PE32); 3 other files (2 malicious)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine
    23 cmd.exe
      30 24084489354.exe
        Network: mordmy01.top 178.62.84.251 (ports 49787, 80; DIGITALOCEAN-ASNUS; European Union); alemed12.top 165.232.181.86 (ports 49786, 80; ALLEGHENYHEALTHNETWORKUS; United States); otiasc01.top
        Dropped: C:\Users\user\AppData\Local\...\jNSgyDAY.exe (PE32)
        Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal browser information (history, passwords, etc)
        45 cmd.exe
          49 jNSgyDAY.exe
            Dropped: C:\Users\user\AppData\Local\Temp\...\vpn.exe (PE32); C:\Users\user\AppData\Local\Temp\...\4.exe (PE32); C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32); 3 other files (none is malicious)
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            59 vpn.exe
              64 cmd.exe
                68 cmd.exe
                  Signatures: Obfuscated command line found; Uses ping.exe to sleep
                  73 PING.EXE
                    Network: 127.0.0.1 (unknown)
                  76 Viscere.exe.com
                    80 Viscere.exe.com
                      Network: lkjDaQipBFIwqjSQiKtVGjMrK.lkjDaQipBFIwqjSQiKtVGjMrK
                  78 findstr.exe
                71 conhost.exe
            61 4.exe
              Dropped: C:\Users\user\AppData\...\SmartClock.exe (PE32)
              66 SmartClock.exe
          53 conhost.exe
        47 cmd.exe
          55 conhost.exe
          57 timeout.exe
      35 conhost.exe
    25 cmd.exe
      Signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      37 70823487739.exe
        Network: iplogger.org 88.99.66.31 (ports 443, 49752, 49753; HETZNER-ASDE; Germany); 192.168.2.1 (unknown)
        Signatures: May check the online IP address of the machine; Machine Learning detection for dropped file
      39 conhost.exe
    28 cmd.exe
      41 taskkill.exe
      43 conhost.exe
  19 SmartClock.exe
  21 SmartClock.exe
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-07-03 09:42:50 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:cryptbot family:vidar discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
CryptBot
CryptBot Payload
Vidar
Malware Config
C2 Extraction:
alemed12.top
mordmy01.top

Unpacked files
SHA256 hash: 7b1ef6c61323a6076695edf21148770c44b933dec04d8dfd0c65117f45b1913b
MD5 hash: a8ee28b573bf5a0243113d49bbb290ac
SHA1 hash: 2cdfc942efc80d45e7e55c47af5f9de53d08a2c4

SHA256 hash: bff4375a0d35102b53ca3dbc8811638091b9b2df65bec2b7fc6a38cbf50d0a45
MD5 hash: 909f0e599dd9314cf8d3bc1d771fed09
SHA1 hash: bc12c5f4d4c9f4f92e12fa898b9da311b89e04dd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments