MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6de29a2b2c97ee198fefce3fdc5d4d61f5d25d0985bb1f1a423e58ed54bdc0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 14



SHA256 hash: c6de29a2b2c97ee198fefce3fdc5d4d61f5d25d0985bb1f1a423e58ed54bdc0f
SHA3-384 hash: 01db6449d083074180831858c48eda904391ea087249c1b7d1a8bc5ebef0623c878dfb2baa2124e64b12ae8b6027e344
SHA1 hash: 41d290b0a4f7c60c7b037fbac3bb345dc378c89c
MD5 hash: 21a0dbfd7390af7cf0c45599fd64f7b0
humanhash: lemon-fifteen-don-october
File name: 21a0dbfd7390af7cf0c45599fd64f7b0.exe
Signature: RaccoonStealer
File size: 4'365'324 bytes
First seen: 2021-10-28 10:51:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xOCvLUBsguGVMo0X9xvjykn0I49EyobZ5IVQ3/z:xHLUCgn/0X9fv49ExAVQPz
Threatray 659 similar samples on MalwareBazaar
TLSH T13816334073F18B7AD84265348D69BBBA25ECA350493381637BA0864EDF3B595C23FF19
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe RaccoonStealer
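Before acting on anything else in this entry, confirm that the file you actually hold is the one the hashes above describe. The parser and verifier below are an added example, not MalwareBazaar code: they read the key/value lines in the form shown on this page (including the apostrophe thousands separator in the file-size field), compute the same four digests with hashlib in a single chunked pass, and report per field whether the local bytes match. The expected values are copied from this entry; the bytes hashed in the self-check are constructed and therefore do not match it, which is exactly the "wrong file" case the check exists to catch.

```python
"""Parse the hash fields of a MalwareBazaar entry and verify a local file against them.

Added example (not MalwareBazaar code).  Expected values are copied from
this entry; any bytes used for self-checking are constructed.
"""
import hashlib
import io
import re

# Hash and size lines as they appear on this page (copied verbatim).
ENTRY_TEXT = """\
SHA256 hash: c6de29a2b2c97ee198fefce3fdc5d4d61f5d25d0985bb1f1a423e58ed54bdc0f
SHA3-384 hash: 01db6449d083074180831858c48eda904391ea087249c1b7d1a8bc5ebef0623c878dfb2baa2124e64b12ae8b6027e344
SHA1 hash: 41d290b0a4f7c60c7b037fbac3bb345dc378c89c
MD5 hash: 21a0dbfd7390af7cf0c45599fd64f7b0
File size:4'365'324 bytes
"""

# Page field label -> hashlib algorithm name.
FIELD_TO_ALGO = {
    "SHA256": "sha256",
    "SHA3-384": "sha3_384",
    "SHA1": "sha1",
    "MD5": "md5",
}
DEFAULT_ALGOS = tuple(FIELD_TO_ALGO.values())

_HASH_LINE = re.compile(r"^(SHA256|SHA3-384|SHA1|MD5) hash:\s*([0-9a-fA-F]+)\s*$", re.M)
_SIZE_LINE = re.compile(r"^File size:\s*([\d']+)\s*bytes", re.M)


def parse_entry(text: str) -> dict:
    """Return {'sha256': ..., 'sha3_384': ..., 'sha1': ..., 'md5': ..., 'size': int}.

    Digests are lower-cased so comparisons are case-insensitive; the size
    strips the apostrophe separator the page uses (4'365'324 -> 4365324).
    Fields absent from the text are simply absent from the result.
    """
    expected = {}
    for label, digest in _HASH_LINE.findall(text):
        expected[FIELD_TO_ALGO[label]] = digest.lower()
    m = _SIZE_LINE.search(text)
    if m:
        expected["size"] = int(m.group(1).replace("'", ""))
    return expected


def digest_stream(fh, algos=DEFAULT_ALGOS, chunk=1 << 20) -> dict:
    """Feed the stream once through every requested hasher; also count bytes."""
    hashers = {a: hashlib.new(a) for a in algos}
    size = 0
    while True:
        buf = fh.read(chunk)
        if not buf:
            break
        size += len(buf)
        for h in hashers.values():
            h.update(buf)
    out = {a: h.hexdigest() for a, h in hashers.items()}
    out["size"] = size
    return out


def digest_bytes(data: bytes, algos=DEFAULT_ALGOS) -> dict:
    return digest_stream(io.BytesIO(data), algos)


def verify(data: bytes, expected: dict) -> dict:
    """Map every field in `expected` to True/False depending on whether `data` matches.

    Only the fields present in `expected` are computed, so an entry that lists
    SHA256 alone still verifies.  A single False means these are not the bytes
    the entry describes; its IOCs and verdicts then say nothing about the file.
    """
    algos = [k for k in expected if k != "size"]
    actual = digest_bytes(data, algos)
    return {k: actual.get(k) == v for k, v in expected.items()}


def verify_file(path: str, expected: dict) -> dict:
    with open(path, "rb") as fh:
        return verify(fh.read(), expected)


if __name__ == "__main__":
    # Self-check on constructed bytes: every field must report a mismatch.
    print(verify(b"not the sample", parse_entry(ENTRY_TEXT)))
```

Treat the result as all-or-nothing: a SHA256 match with an MD5 mismatch is not "mostly right", it means the text you parsed and the file you hashed come from different sources.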


abuse_ch
RaccoonStealer C2:
94.103.9.151:31261

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox reference
94.103.9.151:31261      https://threatfox.abuse.ch/ioc/239225/
18.118.197.60:18345     https://threatfox.abuse.ch/ioc/239226/
185.183.32.161:80       https://threatfox.abuse.ch/ioc/239227/
185.183.32.183:55694    https://threatfox.abuse.ch/ioc/239228/

Intelligence


File Origin
# of uploads: 1
# of downloads: 151
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Main-Installer.exe
Verdict:
Malicious activity
Analysis date:
2021-10-25 11:44:05 UTC
Tags:
trojan rat redline evasion loader opendir kelihos stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys dopu overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Backstage Stealer FormBook RedLine Smoke
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected FormBook
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
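Several of the signatures above (Defender directory exclusion, real-time protection disabled via PowerShell or the registry, mshta spawning a shell, script execution from Temp) are the kind of behaviour that is cheap to detect from process-creation telemetry regardless of which payload is bundled. The block below is an added example, not Joe Sandbox's or SigmaHQ's logic: it implements simplified approximations of the Sigma rules named in the report as plain predicates over Sysmon-style process events and runs them over constructed events modelled on the process tree in this report. The rule titles, the "Defender Real-Time Protection Disabled" name and the file names in the events are this example's own choices.

```python
"""Sigma-style process-creation checks for the Defender-tampering and mshta
behaviours this sandbox report lists.

Added example: simplified approximations of the named SigmaHQ rules, not the
rules themselves.  The events are constructed (Sysmon event 1 shaped) and are
not taken from the sample's sandbox run; script names are hypothetical.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed events, one per behaviour we want to see fire (plus one benign control).
EVENTS = [
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\setup_install.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\Mon06f1bd5ab4.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\user\AppData\Local\Temp\run.vbs"),   # hypothetical script name
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell Get-MpPreference"),                            # benign: read-only query
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
]

SCRIPT_ENGINES = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def r_defender_exclusion(e: ProcEvent) -> bool:
    # Matches the Add-MpPreference exclusion switches wherever they occur in the
    # command line, so a cmd.exe wrapper around powershell still fires.
    return re.search(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)\b",
                     e.command_line, re.I) is not None


def r_defender_rtp_disabled(e: ProcEvent) -> bool:
    cl = e.command_line
    via_ps = re.search(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", cl, re.I)
    via_reg = re.search(r"Real-Time Protection.*DisableRealtimeMonitoring.*/d\s+1\b", cl, re.I)
    via_svc = re.search(r"\b(sc|net)(\.exe)?\s+stop\s+WinDefend\b", cl, re.I)
    return any((via_ps, via_reg, via_svc))


def r_mshta_spawns_shell(e: ProcEvent) -> bool:
    return _base(e.parent_image) == "mshta.exe" and _base(e.image) in SHELLS


def r_script_from_temp(e: ProcEvent) -> bool:
    return (_base(e.image) in SCRIPT_ENGINES
            and re.search(r"\\AppData\\Local\\Temp\\", e.command_line, re.I) is not None)


RULES = [
    ("Powershell Defender Exclusion", r_defender_exclusion),
    ("Defender Real-Time Protection Disabled", r_defender_rtp_disabled),
    ("MSHTA Spawning Windows Shell", r_mshta_spawns_shell),
    ("Suspicious Script Execution From Temp Folder", r_script_from_temp),
]


def evaluate(events) -> list:
    """Return (event index, rule title) for every rule that fires, in event order."""
    return [(i, title) for i, e in enumerate(events) for title, pred in RULES if pred(e)]


if __name__ == "__main__":
    for idx, title in evaluate(EVENTS):
        print(f"event {idx}: {title}")
```

The benign control event (a read-only Get-MpPreference) must not fire; if you broaden the real-time rule to "any -DisableRealtimeMonitoring", it will, because administrators run the same cmdlet with $false.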
Behaviour
Behavior Graph (ID 510921; sample w7sv8lYxDe.exe; start date 28/10/2021; architecture WINDOWS; score 100). The graph is rendered here as its process tree, with the network contacts, dropped files and signatures attached to each node:

w7sv8lYxDe.exe (submitted sample)
  Network: 50.116.86.88 (UNIFIEDLAYER-AS-1US, United States); 185.43.6.152 (THEFIRST-ASRU, Russian Federation); 8 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 19 other signatures
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Mon06f1bd5ab4.exe (PE32); C:\Users\user\...\Mon06e045d9cb57c.exe (PE32); 11 other files (6 malicious)
  Starts: setup_install.exe
    setup_install.exe
      Network: 172.67.196.33 (CLOUDFLARENETUS, United States); 127.0.0.1
      Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      Starts: cmd.exe (three instances); 8 other processes
        cmd.exe -> Mon067e404f357.exe
          Network: 45.142.182.152 (XSSERVERNL, Germany); 103.155.92.29 (TWIDC-AS-APTWIDCLimitedHK); 8 other IPs or domains
          Dropped: C:\Users\...\vkWDCOZxAiqeGTDYZjn5_VGO.exe (PE32); C:\Users\...\nn6XFf7Qi0c92kUDJk66uLpq.exe (PE32); C:\Users\user\...54iceProcessX64[1].bmp (PE32+, name as extracted); 27 other files (9 malicious)
          Signatures: Antivirus detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
        cmd.exe -> Mon06f1bd5ab4.exe
          Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
        cmd.exe -> Mon062197bc8a7f.exe
          Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
        8 other processes
          Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
          Start: Mon06c1f5a2fa012.exe; Mon06d69217b5de6.exe; Mon06e045d9cb57c.exe; 4 other processes
            Mon06c1f5a2fa012.exe
              Network: 2 other IPs or domains
              Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
              Signatures: Creates processes via WMI
            Mon06d69217b5de6.exe
              Network: 208.95.112.1 (TUT-ASUS, United States); 8.8.8.8 (GOOGLEUS, United States); 2 other IPs or domains
Threat name:
Win32.Trojan.Cryprar
Status:
Malicious
First seen:
2021-10-25 21:38:48 UTC
AV detection:
29 of 44 (65.91%)
Threat level:
  5/5
Result
Malware family:
xloader
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:vidar family:xloader botnet:media24 campaign:s0iw aspackv2 backdoor discovery evasion infostealer loader rat spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Xloader Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Xloader
Malware Config
C2 Extraction:
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
91.121.67.60:23325
http://www.kyiejenner.com/s0iw/
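The IOC table and the C2 extraction above give indicators in two shapes: ip:port sockets and HTTP URLs with a path. As the vendor results show, this installer bundles several families, so the list mixes their panels; addresses that appear only in the behaviour graph (127.0.0.1, 8.8.8.8, the Cloudflare address) are not indicators and should not be blocked. The block below is an added example, not abuse.ch or ThreatFox code: it parses both shapes, then scans constructed connection and proxy log lines, reporting an exact socket match, a URL match by host and path prefix, and, as a separate weaker class for triage, a listed IP seen on a port other than the one recorded. The log line format is this example's own assumption.

```python
"""Match this entry's IOCs (ip:port sockets and C2 URLs) against connection and
proxy log lines.

Added example, not abuse.ch or ThreatFox code.  The IOC strings are copied
from this page; the log lines and their format are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOC and C2-extraction values copied from this entry.
IOC_LINES = [
    "94.103.9.151:31261",
    "18.118.197.60:18345",
    "185.183.32.161:80",
    "185.183.32.183:55694",
    "http://directorycart.com/upload/",
    "http://tierzahnarzt.at/upload/",
    "http://streetofcards.com/upload/",
    "http://ycdfzd.com/upload/",
    "http://successcoachceo.com/upload/",
    "http://uhvu.cn/upload/",
    "http://japanarticle.com/upload/",
    "91.121.67.60:23325",
    "http://www.kyiejenner.com/s0iw/",
]

# Constructed log lines (not from the sandbox run); one per case to cover.
LOG_LINES = [
    "2021-10-28T10:52:01Z conn 10.0.0.5:50123 -> 94.103.9.151:31261 tcp",     # exact socket
    "2021-10-28T10:52:07Z http 10.0.0.5 GET http://directorycart.com/upload/ 200",  # C2 URL
    "2021-10-28T10:52:09Z conn 10.0.0.5:50130 -> 185.183.32.161:443 tcp",     # listed IP, other port
    "2021-10-28T10:52:11Z http 10.0.0.5 POST http://www.kyiejenner.com/s0iw/ 404",  # C2 URL, any status
    "2021-10-28T10:52:15Z conn 10.0.0.5:50140 -> 8.8.8.8:53 udp",             # not an IOC
]

_CONN = re.compile(r"\bconn \S+ -> (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b")
_HTTP = re.compile(r"\bhttp \S+ (?P<method>[A-Z]+) (?P<url>\S+)")


def parse_iocs(lines):
    """Return (sockets, urls): {ip: {ports}} and {host: [path prefixes]}."""
    sockets, urls = {}, {}
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        if s.lower().startswith(("http://", "https://")):
            u = urlsplit(s)
            urls.setdefault(u.hostname.lower(), []).append(u.path or "/")
        else:
            ip, _, port = s.rpartition(":")   # IPv4 only; bracketed IPv6 would need its own branch
            ipaddress.ip_address(ip)          # ValueError on a stray non-address token
            sockets.setdefault(ip, set()).add(int(port))
    return sockets, urls


def scan_logs(log_lines, sockets, urls):
    """Return (kind, indicator, line) for every log line that touches an IOC.

    kind is 'c2-socket' (ip and port both listed), 'c2-ip-other-port' (listed
    ip, unlisted port: weaker, triage before blocking) or 'c2-url'.
    """
    hits = []
    for line in log_lines:
        m = _CONN.search(line)
        if m:
            ip, port = m.group("ip"), int(m.group("port"))
            if ip in sockets:
                kind = "c2-socket" if port in sockets[ip] else "c2-ip-other-port"
                hits.append((kind, f"{ip}:{port}", line))
            continue
        m = _HTTP.search(line)
        if m:
            u = urlsplit(m.group("url"))
            host = (u.hostname or "").lower()
            for prefix in urls.get(host, ()):
                if (u.path or "/").startswith(prefix):
                    hits.append(("c2-url", host + prefix, line))
                    break
    return hits


if __name__ == "__main__":
    socks, urls = parse_iocs(IOC_LINES)
    for kind, ioc, line in scan_logs(LOG_LINES, socks, urls):
        print(f"{kind:18} {ioc:32} {line}")
```

The URL match keys on host plus path prefix rather than the full string because the same panel path (/upload/) is served under several hosts here, and because a response status of 404 or 200 says nothing about whether the beacon was sent.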
Unpacked files

SHA256 hash: dc1112feaaeb9c2145098c2664b7cc7540b4b2561d1afd555198a1ca8032124d
MD5 hash: f35a4046014aace5b828f1574f8d99be
SHA1 hash: 5c791a8c7e3623959307b90e2107b6bd950194db

SHA256 hash: 6cd587ecdd136bd1fcba0693ca65c8217eef048350b9033278d0df0d71f7a309
MD5 hash: a6f7a7ba19a4174ef29c87d6a68739e5
SHA1 hash: ca4b8f9471997e8bee613d7f124d1dbfc1d105d3

SHA256 hash: 27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash: de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash: ee402371a36bff44c765323ccd8c7e4a56bc8d12

SHA256 hash: 5b26c8c728ca52f19740782587b97e4464e8c044ac9aac5134bbec625eb0f91c
MD5 hash: 7f93743f8aee89675172eda746f3acb3
SHA1 hash: da9b0d21fe8e5815578bc7b2eea55f3864fa76f6

SHA256 hash: 226481abdebe331ffb5c0bfe0b9f06f8b87d91d6ec2120f08a9eb109fcb45716
MD5 hash: 6aca4dc0de5bbecfc3f73ac4cd000f58
SHA1 hash: d911bdc1bda6b60f4fcec4348c6cc42596a5c192

SHA256 hash: 43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash: c83860b0db60b9f69468301ee2a58fca
SHA1 hash: d826cc0323eb208e36b3e9ef00225430c6f031e1

SHA256 hash: 82013e99c0b901564e47b03d15c36f1602edf26bd4db55bbf4a02af97e8ad1c1
MD5 hash: 55a67b0d4d9b6be40b6267f1def96c4b
SHA1 hash: 4f9ba46bf3714f4031e1183adaa5aad0d9a94586

SHA256 hash: b1d728e208d9822e37d8dd42d5f7e463ae4fe0646b2c46d37fef09ce0fe939f6
MD5 hash: 3d8d8ebea1dda8513a22e3429efbffcc
SHA1 hash: 2eeb3f834da1295636ec8cc48fefb9b04f398215

SHA256 hash: 647b33c29f43fc27269434b98b91e4ef2fe2572bd3b41cab55475149f6c92f48
MD5 hash: e11fc831e80b2ae905cd2391fc559f30
SHA1 hash: 0d9913e650c4e14ecdd90ec154d47677dfc9da07

SHA256 hash: eb45f0d19856a41bbbc3409c0514114c0a042f7c6a3e38e9edb745ec8840b9bc
MD5 hash: 991e12126afa420612f7e92fcbfcb668
SHA1 hash: 15c5efb9c0a442c103c0323559ff6dfb4333a21c

SHA256 hash: 2bac32fbdf3f2fc2db845bb1cadb133e40b3b32e92e81e9eb39d94143908d1f7
MD5 hash: 6f89db2151c8b90c15dcf3ca689fc9cb
SHA1 hash: 2e1bb45bb0c33b9b1abee162005b2626577d529a

SHA256 hash: c6de29a2b2c97ee198fefce3fdc5d4d61f5d25d0985bb1f1a423e58ed54bdc0f (the submitted sample itself)
MD5 hash: 21a0dbfd7390af7cf0c45599fd64f7b0
SHA1 hash: 41d290b0a4f7c60c7b037fbac3bb345dc378c89c
Malware family:
CryptOne
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments