MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6e1d668609e9c3d688d02bdab949ca4ed660f42b09bae1fc1c1ba9a04e1b98c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ServHelper

Vendor detections: 16

SHA256 hash: c6e1d668609e9c3d688d02bdab949ca4ed660f42b09bae1fc1c1ba9a04e1b98c
SHA3-384 hash: e225846b5df78b46241442c951d8c41e166d89f677f40bc65c6f86748c425d99569ae037acfac2110aff7a83981a3f46
SHA1 hash: d3cf3a3f23950b7b37a3c1ca1c8d8790effc3380
MD5 hash: f303ce24dc4412a1853b86112cad0a7b
humanhash: single-high-helium-virginia
File name: f303ce24dc4412a1853b86112cad0a7b
Signature: ServHelper
File size: 583'680 bytes
First seen: 2021-12-05 02:10:53 UTC
Last seen: 2021-12-05 04:06:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bbdc5cea7d9bbd6ae9c6a36e9d9fb769 (8 x RedLineStealer, 3 x RaccoonStealer, 1 x Smoke Loader)
ssdeep: 12288:q7dW9hnHk7cKup09iyCtu1tWip9d4IkJv5G:Sc9hHOcq9oRi/c
Threatray: 4'402 similar samples on MalwareBazaar
TLSH: T18BC4D1206BB0C035F5F722F85AB59769BD3E79A2673490CF22D516E946389E0EC3035B
dhash icon: e0e8e8e8aa66a499 (32 x RaccoonStealer, 23 x RedLineStealer, 14 x ArkeiStealer)
Reporter: zbetcheckin
Tags: 32 exe ServHelper
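Before trusting that a file pulled from the entry is the one described here, recompute the published digests locally. The following is an added example, not MalwareBazaar's own code: it reads the sample in chunks, computes MD5, SHA1, SHA256 and SHA3-384 with the standard library, and reports which of the values listed above match. The expected values are copied from this entry; the sample path on the command line is an assumption (the archive MalwareBazaar serves must be extracted first).

```python
"""Verify a downloaded sample against the digests published on this entry.

Added example (not MalwareBazaar code). Standard library only.
"""
import hashlib
import sys
from typing import Dict, Union

Report = Dict[str, Union[int, str]]

# Values copied from the entry above.
ENTRY: Report = {
    "size": 583680,
    "md5": "f303ce24dc4412a1853b86112cad0a7b",
    "sha1": "d3cf3a3f23950b7b37a3c1ca1c8d8790effc3380",
    "sha256": "c6e1d668609e9c3d688d02bdab949ca4ed660f42b09bae1fc1c1ba9a04e1b98c",
    "sha3_384": ("e225846b5df78b46241442c951d8c41e166d89f677f40bc65c6f86748c425d99"
                 "569ae037acfac2110aff7a83981a3f46"),
}

ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def digest_bytes(data: bytes) -> Report:
    """Size plus all four digests of an in-memory buffer."""
    out: Report = {"size": len(data)}
    for name in ALGOS:
        out[name] = hashlib.new(name, data).hexdigest()
    return out


def digest_file(path: str, chunk: int = 1 << 20) -> Report:
    """Stream a file through all four hash objects in one pass."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            size += len(buf)
            for h in hashes.values():
                h.update(buf)
    out: Report = {"size": size}
    out.update({name: h.hexdigest() for name, h in hashes.items()})
    return out


def compare(observed: Report, expected: Report) -> Dict[str, bool]:
    """Per-field match report; hex digests are compared case-insensitively."""
    report: Dict[str, bool] = {}
    for key, want in expected.items():
        got = observed.get(key)
        if isinstance(want, str) and isinstance(got, str):
            report[key] = got.lower() == want.lower()
        else:
            report[key] = got == want
    return report


def verify(path: str, expected: Report = ENTRY) -> bool:
    """True only if every published value matches the file on disk."""
    return all(compare(digest_file(path), expected).values())


if __name__ == "__main__":
    # Assumed: the sample was extracted under its MalwareBazaar file name.
    sample = sys.argv[1] if len(sys.argv) > 1 else "f303ce24dc4412a1853b86112cad0a7b"
    for key, ok in compare(digest_file(sample), ENTRY).items():
        print(f"{key:9s} {'OK' if ok else 'MISMATCH'}")
```

A size mismatch with matching digests is impossible, but a matching MD5 with a mismatching SHA256 is worth noticing: it means the file is not this sample regardless of what an older feed keyed on MD5 says.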

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.174.40/ (ThreatFox reference: https://threatfox.abuse.ch/ioc/259462/)

Intelligence


File Origin
# of uploads :
2
# of downloads :
1'042
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f303ce24dc4412a1853b86112cad0a7b
Verdict:
Suspicious activity
Analysis date:
2021-12-05 02:15:00 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
SERVHELPER Raccoon
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Contains functionality to steal Internet Explorer form passwords
Detected SERVHELPER
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID 534025, sample VVl7mkl0fO, start date 05/12/2021, architecture WINDOWS, score 100):

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 8 other signatures

VVl7mkl0fO.exe (started)
  Network: 91.219.236.207:80 (SERVERASTRA-ASHU, Hungary); 91.219.237.227:80 (SERVERASTRA-ASHU, Hungary); 4 other IPs or domains
  Dropped: C:\Users\user\AppData\...\o1ktkPpyjt.exe (PE32+); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 57 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 2 other signatures
  o1ktkPpyjt.exe (started)
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Queries memory information (via WMI often done to detect virtual machines)
    powershell.exe (started)
      Dropped: C:\Users\user\AppData\...\ven10apc.cmdline (UTF-8)
      Signatures: Detected SERVHELPER
      csc.exe (started)
        Dropped: C:\Users\user\AppData\Local\...\ven10apc.dll (PE32)
        cvtres.exe (started)
      csc.exe (started)
        Dropped: C:\Users\user\AppData\Local\...\ymbc5513.dll (PE32)
        cvtres.exe (started)
      powershell.exe (started)
        conhost.exe (started)
      2 other processes
        conhost.exe (started)
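The tree above shows the classic in-memory compile chain: a second-stage executable starts powershell.exe with a relaxed execution policy, PowerShell hands a .cmdline file from a user-writable folder to csc.exe, csc.exe writes a fresh DLL next to it and calls cvtres.exe. The following added example (not Joe Sandbox or Sigma code) reconstructs that chain from process-creation events and applies three checks that approximate the signatures listed above: csc.exe launched by powershell.exe with a .cmdline source under a temp or AppData path, powershell.exe started with an execution-policy bypass, and cvtres.exe under such a csc.exe. The event records are constructed for the demo; the field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine), and stage2.exe, the PIDs and the random folder names are invented stand-ins for the ones in the tree.

```python
"""Flag the PowerShell -> csc.exe -> cvtres.exe compile chain in process telemetry.

Added example, not Joe Sandbox or Sigma rule code. Standard library only.
"""
import re
from typing import Dict, List

Event = Dict[str, object]

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS: List[Event] = [
    {"pid": 1400, "ppid": 900,
     "image": r"C:\Users\user\Downloads\stage2.exe",
     "cmdline": r'"C:\Users\user\Downloads\stage2.exe"'},
    {"pid": 1520, "ppid": 1400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"-File C:\Users\user\AppData\Local\Temp\run.ps1"},
    {"pid": 1604, "ppid": 1520,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\user\AppData\Local\Temp\ab12cd34\ab12cd34.cmdline"'},
    {"pid": 1630, "ppid": 1604,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r"cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "
                r'"/OUT:C:\Users\user\AppData\Local\Temp\RES1234.tmp"'},
    # Benign noise: a build tool invoking csc.exe from a project folder.
    {"pid": 2200, "ppid": 2100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"'},
]

# User-writable folders a compiler source file should not normally come from.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\AppData\\Roaming\\", re.I)
# Accepts -ExecutionPolicy, -ep, -ex, -exec ... followed by bypass.
EP_BYPASS = re.compile(r"-e[a-z]*\s+bypass", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[object, Event], pid: object, depth: int = 6) -> List[str]:
    """Image basenames from this process upward, as far as the events reach."""
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen and len(chain) < depth:
        seen.add(pid)
        chain.append(basename(str(by_pid[pid]["image"])))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Apply the three chain checks and return one finding per matching process."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        img = basename(str(e["image"]))
        cmd = str(e["cmdline"])
        chain = ancestry(by_pid, e["pid"])
        parent = chain[1] if len(chain) > 1 else ""
        rule = None
        if img == "powershell.exe" and EP_BYPASS.search(cmd):
            rule = "powershell_execution_policy_bypass"
        elif (img == "csc.exe" and ".cmdline" in cmd.lower()
              and TEMP_DIRS.search(cmd) and parent == "powershell.exe"):
            rule = "csc_source_in_temp_from_powershell"
        elif img == "cvtres.exe" and parent == "csc.exe" and "powershell.exe" in chain:
            rule = "cvtres_under_powershell_csc"
        if rule:
            findings.append({"rule": rule, "pid": e["pid"], "chain": chain})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']}: pid {f['pid']}  {' <- '.join(f['chain'])}")
```

The parent check is what keeps the benign build-tool csc.exe out of the results; the temp-folder check alone would also fire on legitimate Add-Type use in admin scripts, so in production the ancestry is the signal worth alerting on.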
Threat name:
Win32.Trojan.CrypterX
Status:
Malicious
First seen:
2021-12-04 08:38:05 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
24 of 28 (85.71%)
Threat level:
5/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:raccoon botnet:58257e34dab1247554d66f3611bc5701c2b02728 stealer
Behaviour
Raccoon
Unpacked files
SHA256 hash:
61e3fb85073048c1c21033af2802b4caca26ec0c97bad386b9ebc38c94ebb731
MD5 hash:
5d440fbf94adf6d90e9e4d0d005d104b
SHA1 hash:
b757d3a5f8ebf50b62e2a84a1ba83984910f3d3d
Detections:
win_raccoon_auto
SHA256 hash:
c6e1d668609e9c3d688d02bdab949ca4ed660f42b09bae1fc1c1ba9a04e1b98c
MD5 hash:
f303ce24dc4412a1853b86112cad0a7b
SHA1 hash:
d3cf3a3f23950b7b37a3c1ca1c8d8790effc3380
Malware family:
Raccoon v1.7.2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  ServHelper, Executable exe, c6e1d668609e9c3d688d02bdab949ca4ed660f42b09bae1fc1c1ba9a04e1b98c (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-05 02:10:55 UTC

url : hxxp://domainmob.com/sosihuy/2.exe