MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39b797438914c08509ac8824554a65c0b8c6e44b782ae5a2881c008fb2d8ed8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c39b797438914c08509ac8824554a65c0b8c6e44b782ae5a2881c008fb2d8ed8
SHA3-384 hash: b66cddfb68ef7abcd3ece7c13515a036991e90efc45ad12764e457f9cd7af696a6bc2cbe43e28b55e26eb48228da6724
SHA1 hash: 37dbaada3ed23aee9ba1ed1e7dc810f12444b339
MD5 hash: 94ab9d8ae08a4c57f9520b130b9010fd
humanhash: red-johnny-juliet-triple
File name:94ab9d8ae08a4c57f9520b130b9010fd.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:314'880 bytes
First seen:2022-02-03 09:36:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 58ae3e2040078674fab6cce2e8f4e2cb (1 x RaccoonStealer)
ssdeep 6144:UgKU7NWPZXt5LwPs0MeHn6hxRNRrvUtv2+UhG+FgI:TXav5UUpQ6/RzvUM+U8
Threatray 14 similar samples on MalwareBazaar
TLSH T1AD649D00BB90C035E5B726F8497A936CA53E7EE25B2460CF53D52AEE56346E4EC3131B
File icon (PE):PE icon
dhash icon 25ec137839939b91 (7 x RedLineStealer, 4 x Smoke Loader, 3 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.18/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.18/ https://threatfox.abuse.ch/ioc/378337/

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
94ab9d8ae08a4c57f9520b130b9010fd.exe
Verdict:
Suspicious activity
Analysis date:
2022-02-03 09:41:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5047f375-d272-4565-8d74-5cb30f789d35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/231850/
Detection(s):
Win.Packed.Generic-9938326-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Searching for synchronization primitives
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5849/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61fba21fa0f6a794b336845b/reports/fc1aadb6-a2b2-40e4-b9aa-70143260696e/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2dc48b3-58f8-4879-8692-84878bf6e9ec
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933176
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c39b797438914c08509ac8824554a65c0b8c6e44b782ae5a2881c008fb2d8ed8/
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 08:14:09 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
29 of 43 (67.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yonxs5bysfgaque2zcbekvfglqfyy3sew6bk4wriqhaar6znr3ma._file
Verdict:
malicious
Similar samples:
386f018af9a7c633ddc450e75491b978ebf22199bf789926b44c62ed0c7ecb6c
RaccoonStealer
5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95
RaccoonStealer
599a59aba0c234edc2c2799a7a06208d3d112438b1bc49ba5292f111429b9102
RaccoonStealer
98ad02342614a473b078f5b12274fa3c9c78779894750fbb7af82664b9e7ffa8
RaccoonStealer
c4720963dc79b14472c8ba7ec4c7863e288cce5632c895434f1d4ecc2de01bee
RaccoonStealer
c53c13aa261fe9d7afe51e88a781264aa8c37639543de2a0dff680b8599dee60
RaccoonStealer
cf320b078c782f90983bf12ee8453c94321326a576336f14ef93c9a2f0badbfd
RaccoonStealer
ee8b0e0f159d28b8bdf306b5ae9fef26379525cb6f8d07d8855963ceb6a9f7d6
RaccoonStealer
f1fe5f2fd945caad71baf13e9e42544c1b2a441ea42391a3a56d2e38dcfe5f50
RaccoonStealer
f2e9475cbf8ad93f5762a2b5c02b552d5afe5247c9c14e2c1e72f507807ffbaa
RaccoonStealer
+ 4 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220203-lkzhpsfabr/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/394d1a25-2a27-4d85-8671-23b5d0f6c5ac/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
c39b797438914c08509ac8824554a65c0b8c6e44b782ae5a2881c008fb2d8ed8
MD5 hash:
94ab9d8ae08a4c57f9520b130b9010fd
SHA1 hash:
37dbaada3ed23aee9ba1ed1e7dc810f12444b339
Link:
https://www.unpac.me/results/394d1a25-2a27-4d85-8671-23b5d0f6c5ac/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c39b79743891/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c39b797438914c08509ac8824554a65c0b8c6e44b782ae5a2881c008fb2d8ed8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe c39b797438914c08509ac8824554a65c0b8c6e44b782ae5a2881c008fb2d8ed8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2020720/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/231850/

Comments