MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 9



SHA256 hash: c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed
SHA3-384 hash: bcad9268ed427b62426308c8e31fa3b9d790456c64571174b789724bc8a39de51cee77ad0c548ee0b3b1d204ce0912fa
SHA1 hash: 062f9ab3533df764cebb4df4e09c15b0a154a977
MD5 hash: 0a7b9a3a120d129f53edd0c6fa2564b2
humanhash: kentucky-winner-oklahoma-burger
File name: 0A7B9A3A120D129F53EDD0C6FA2564B2.exe
Signature: RaccoonStealer
File size: 5'955'823 bytes
First seen: 2021-08-13 18:10:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xRCvLUBsg5qofeZPTS8u5u3hnN0sdnB4cY/TUwHOAU68+ociP88W5BzXq7lB:x6LUCg5qoZsRN0q0xLc+APE5BLq7P
Threatray 318 similar samples on MalwareBazaar
TLSH T1BC5633C1B746D9FBC203597209C83BB15FF9828C0B1528F3A7F59F286B1D4A3E11A665
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags: exe RaccoonStealer
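After downloading a sample from MalwareBazaar (the archive is password-protected), the first thing to do is confirm that what landed on disk is the file the entry describes. The following script is an added example, not MalwareBazaar's own code: it parses the hash and size fields exactly as they appear on this entry (tolerating the missing space after the colon that the page extraction sometimes produces), hashes the file in a single pass for all four algorithms the entry lists, and reports every mismatch. The sample bytes fed to it by the self-check are constructed and are not the real file; the file name in the `__main__` block is simply the one listed above.

```python
"""Verify a downloaded sample against the hash fields of a MalwareBazaar entry.

Added example; this is not MalwareBazaar's own code. RECORD is copied from
this entry's fields, the tolerant "key:value" parsing is an assumption
about how the page extracts, and any bytes the self-check passes in are
constructed, not the real sample.
"""
import hashlib
import hmac
import io
import re

RECORD = """\
SHA256 hash: c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed
SHA3-384 hash: bcad9268ed427b62426308c8e31fa3b9d790456c64571174b789724bc8a39de51cee77ad0c548ee0b3b1d204ce0912fa
SHA1 hash: 062f9ab3533df764cebb4df4e09c15b0a154a977
MD5 hash: 0a7b9a3a120d129f53edd0c6fa2564b2
File size:5'955'823 bytes
"""

# Page label -> hashlib algorithm name. Also the order build_record() emits.
ALGORITHMS = {"SHA256": "sha256", "SHA3-384": "sha3_384", "SHA1": "sha1", "MD5": "md5"}

_HASH_LINE = re.compile(r"^(SHA256|SHA3-384|SHA1|MD5) hash:\s*([0-9a-fA-F]+)\s*$", re.M)
_SIZE_LINE = re.compile(r"^File size:\s*([0-9']+) bytes", re.M)


def parse_record(text):
    """Parse the hash and size fields into {'hashes': {algo: hex}, 'size': int|None}.

    A digest whose length does not fit its algorithm is rejected up front,
    which catches a truncated copy-paste instead of silently never matching.
    """
    hashes = {}
    for label, digest in _HASH_LINE.findall(text):
        algo = ALGORITHMS[label]
        want = hashlib.new(algo).digest_size * 2
        if len(digest) != want:
            raise ValueError(f"{label}: expected {want} hex chars, got {len(digest)}")
        hashes[algo] = digest.lower()
    m = _SIZE_LINE.search(text)
    size = int(m.group(1).replace("'", "")) if m else None  # page writes 5'955'823
    return {"hashes": hashes, "size": size}


def digest_stream(fobj, algos, chunk=1 << 20):
    """Read the file once and feed every requested algorithm from the same chunks."""
    ctxs = {a: hashlib.new(a) for a in algos}
    total = 0
    for block in iter(lambda: fobj.read(chunk), b""):
        total += len(block)
        for ctx in ctxs.values():
            ctx.update(block)
    return {a: ctx.hexdigest() for a, ctx in ctxs.items()}, total


def verify(fobj, record):
    """Return {check: bool} for every hash in the record plus the file size."""
    actual, size = digest_stream(fobj, record["hashes"])
    results = {a: hmac.compare_digest(actual[a], exp) for a, exp in record["hashes"].items()}
    if record["size"] is not None:
        results["size"] = size == record["size"]
    return results


def verify_bytes(data, record):
    """Convenience wrapper for in-memory data (used by the self-check)."""
    return verify(io.BytesIO(data), record)


def build_record(data):
    """Emit the same field layout as the entry page for arbitrary bytes."""
    digests, size = digest_stream(io.BytesIO(data), ALGORITHMS.values())
    lines = [f"{label} hash: {digests[algo]}" for label, algo in ALGORITHMS.items()]
    lines.append(f"File size:{size:,}".replace(",", "'") + " bytes")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "0A7B9A3A120D129F53EDD0C6FA2564B2.exe"
    with open(path, "rb") as f:
        for check, ok in verify(f, parse_record(RECORD)).items():
            print(f"{check:9} {'OK' if ok else 'MISMATCH'}")
```

The imphash, ssdeep and TLSH values on the entry are deliberately left out: they need the pefile, ssdeep and tlsh packages rather than the standard library, and, unlike the cryptographic hashes, a fuzzy-hash "match" is a similarity score, not an identity check.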


abuse_ch
RaccoonStealer C2:
http://ggc-partners.info/stats/remember.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                            ThreatFox reference
http://ggc-partners.info/stats/remember.php    https://threatfox.abuse.ch/ioc/184297/
http://ggc-partners.info/dlc/distribution.php  https://threatfox.abuse.ch/ioc/184298/
65.21.228.92:46802                             https://threatfox.abuse.ch/ioc/184313/
http://34.77.115.2/                            https://threatfox.abuse.ch/ioc/185163/

Intelligence


File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon RedLine Socelars Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 465049, Sample: 2IQh4S6VDY.exe, Start date: 13/08/2021, Architecture: WINDOWS, Score: 100
Sample-level network: 23.254.202.116 (HOSTWINDSUS, United States); 195.201.225.248 (HETZNER-ASDE, Germany); 9 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 16 other signatures

Process tree (dropped files, network contacts and per-process signatures as rendered in the graph; paths are abbreviated as on the page):
2IQh4S6VDY.exe
  drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 3 other files (none malicious)
  setup_install.exe
    network: watira.xyz 104.21.47.76:80 (CLOUDFLARENETUS, United States); 127.0.0.1
    drops: C:\Users\user\AppData\...\dc56b88fa7bd64.exe (PE32); C:\Users\user\AppData\...\d8209827f876d25.exe (PE32+); C:\Users\user\AppData\...\ae53a1dbd6.exe (PE32); 5 other files (3 malicious)
    signatures: Performs DNS queries to domains with low reputation
    cmd.exe
      ae53a1dbd6.exe
        network: newsrus.wiki (Performs DNS queries to domains with low reputation); 37.0.10.236:80 (WKD-ASIE, Netherlands); 15 other IPs or domains
        drops: C:\Users\...\u_GojnKoXAgvFJJfgBk_4Hod.exe (PE32); C:\Users\...\uYq1ZsWgohpSEFB3Q9mumCS2.exe (PE32); C:\Users\...\uMDRF6P3k29LpH4niOzPtM6v.exe (PE32); 35 other files (29 malicious)
        signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; 2 other signatures
    cmd.exe
      dc56b88fa7bd64.exe
        network: 2 other IPs or domains
        drops: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\...\freebl3[1].dll (PE32); 10 other files (none malicious)
        signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets
    cmd.exe
      38a72d1941.exe
        signatures: Query firmware table information (likely to detect VMs); 3 other signatures
    6 other processes
      d8209827f876d25.exe
        network: 3 other IPs or domains
        drops: C:\Users\user\AppData\...\aaa_011[1].dll (DOS)
        signatures: Tries to harvest and steal browser information (history, passwords, etc)
      b7816bfa03.exe
        network: 2 other IPs or domains
        drops: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
        LzmwAqmV.exe
          drops: C:\Users\user\AppData\...\askinstall54.exe (PE32); C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\Local\Temp\jhuuee.exe (PE32+); 5 other files (none malicious)
          chrome2.exe
            drops: C:\Users\user\AppData\...\services64.exe (PE32+)
      0c1a94348.exe
        signatures: 2 other signatures
        explorer.exe (injected)
      2 other processes
        network: 2 other IPs or domains
        signatures: Creates processes via WMI
        72a3df5b6765f57.exe
          network: live.goatgame.live 104.21.70.98:443 (CLOUDFLARENETUS, United States)
          drops: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
          conhost.exe
Threat name:
Win32.Trojan.ArkeiStealer
Status:
Malicious
First seen:
2021-08-11 02:30:04 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:916 botnet:937 botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 aspackv2 backdoor dropper evasion infostealer loader persistence spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://lenak513.tumblr.com/
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
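The IOC table above and the C2 extraction list give the network indicators in three shapes: full URLs, a bare "ip:port" socket, and a URL whose host is a literal IP. A matcher has to normalise each of those to the same observables that proxy and DNS logs produce, and it should report the most specific hit (the full URL rather than just its host). The script below is an added example, not MalwareBazaar's or ThreatFox's code. The indicators are copied from this page; the one-line log format, the timestamps and the client addresses in LOG_LINES are constructed for the example; and the regular expression that covers the readinglistforjuly family is our own generalisation of the 30 listed hosts, not a ThreatFox indicator.

```python
"""Match this entry's network IOCs against proxy and DNS log lines.

Added example; this is not MalwareBazaar's or ThreatFox's code. The
indicators are the ones listed on this page. The log format, timestamps
and client addresses in LOG_LINES are constructed, and the regex for the
readinglistforjuly family is an assumption of ours.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the page. The readinglistforjuly hosts are covered
# by IOC_PATTERNS instead of being listed one by one.
IOCS = [
    "http://ggc-partners.info/stats/remember.php",
    "http://ggc-partners.info/dlc/distribution.php",
    "65.21.228.92:46802",
    "http://34.77.115.2/",
    "https://lenak513.tumblr.com/",
    "http://aucmoney.com/upload/",
    "http://thegymmum.com/upload/",
    "http://atvcampingtrips.com/upload/",
]
IOC_PATTERNS = [re.compile(r"^readinglistforjuly(?:[1-9]|10)\.(?:xyz|site|club)$")]

# Constructed log lines: "<timestamp> <client> <verb> <target>" (assumed format).
LOG_LINES = """\
2021-08-13T18:12:01Z 10.0.0.23 GET http://ggc-partners.info/stats/remember.php
2021-08-13T18:12:03Z 10.0.0.23 DNS readinglistforjuly7.club
2021-08-13T18:12:04Z 10.0.0.23 CONNECT 65.21.228.92:46802
2021-08-13T18:12:09Z 10.0.0.41 GET https://www.example.com/index.html
2021-08-13T18:12:11Z 10.0.0.41 DNS tumblr.com
2021-08-13T18:12:15Z 10.0.0.23 GET http://34.77.115.2/
"""
_LINE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT|DNS) (\S+)$")


def _host_or_ip(name):
    """Tag a hostname or literal IP so an IP IOC matches whichever form the log used."""
    try:
        return ("ip", str(ipaddress.ip_address(name)))
    except ValueError:
        return ("host", name.lower().rstrip("."))


def normalise(ioc):
    """Expand one raw IOC into (kind, value) pairs, most specific first.

    A URL gives host+path when the path is more than "/", then its host;
    "ip:port" gives the socket pair, then the bare IP; a bare name is itself.
    IPv6 "[addr]:port" is not handled (assumption: the page lists IPv4 only).
    """
    if "://" in ioc:
        u = urlsplit(ioc)
        pairs = []
        if u.path and u.path != "/":
            pairs.append(("url", f"{u.hostname.lower()}{u.path}"))
        pairs.append(_host_or_ip(u.hostname))
        return pairs
    host, _, port = ioc.rpartition(":")
    if host and port.isdigit():
        return [("socket", f"{host}:{port}"), _host_or_ip(host)]
    return [_host_or_ip(ioc)]


def extract_observables(line):
    """Pull the same (kind, value) pairs out of a log line, most specific first."""
    m = _LINE.match(line)
    if not m:
        return None, []
    ts, client, verb, target = m.groups()
    # A DNS query name is a bare host; GET/POST targets and CONNECT "ip:port"
    # normalise exactly like the IOCs of the same shape.
    pairs = [_host_or_ip(target)] if verb == "DNS" else normalise(target)
    return (ts, client, verb, target), pairs


def match_logs(lines, iocs=IOCS, patterns=IOC_PATTERNS):
    """Return (timestamp, client, kind, value) for each line that hits an IOC.

    Exact pairs are checked before the patterns, and the first (most
    specific) hit per line wins, so a full-URL hit is reported as 'url'
    rather than as its host.
    """
    index = {pair for ioc in iocs for pair in normalise(ioc)}
    hits = []
    for line in lines.splitlines():
        meta, pairs = extract_observables(line)
        for kind, value in pairs:
            if (kind, value) in index:
                hits.append((meta[0], meta[1], kind, value))
                break
            if kind == "host" and any(p.match(value) for p in patterns):
                hits.append((meta[0], meta[1], "pattern", value))
                break
    return hits


if __name__ == "__main__":
    for ts, client, kind, value in match_logs(LOG_LINES):
        print(f"{ts} {client} {kind}: {value}")
```

Two details matter in practice. The matcher compares the full host, so the constructed `DNS tumblr.com` line does not fire even though `lenak513.tumblr.com` is an indicator: the vendor tag "Legitimate hosting services abused for malware hosting/C2" on this entry is exactly the case where matching on the registered domain would bury you in false positives. And `65.21.228.92:46802` is kept as a socket pair first and a bare IP second, so a later CONNECT to the same address on a different port is still surfaced, but with the weaker `ip` kind so an analyst can rank it accordingly.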
Unpacked files
SHA256                                                            MD5                               SHA1
87eb74021153f648bb975e6d715ea2dd4800a85d8a1a3208ea25b2544a55be3e  170524de76af5329d0fcfc11209d75b8  f4dd14d658ee4f689ee687d282468c5095be9360
bd63cda547353a5b469d23ecae78105948287812d3f290dd3ebe3ca93a883e54  d3cba1cdea5c2c94909a14238f3a2f57  c361e0d74339bd4d9318aee02d1294dc1f6de2d0
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a  c02a029c978f13b753c6b578b1588c75  e125d59451e7f467bfd329a00a506decbcd91d83
0d017311cfc1554b76481b6b0d40d1c150c1a0aedcda302f513c01de0b1f4e4c  fcce864840d6700d71a8d68668d7a538  fef82b13a6565e5da4eaf24ce6566c513c6a58fd
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff  0965da18bfbf19bafb1c414882e19081  e4556bac206f74d3a3d3f637e594507c30707240
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98  c0d18a829910babf695b4fdaea21a047  236a19746fe1a1063ebe077c8a0553566f92ef0f
bed609b08ad35c72e3d62f79c6db8676855e8d599b19738125e085d117688fcf  8854ea4add5305e4648b9810fcc52e4f  bbd6e97875ba1e73d520c6a2f9dea4bf8ce9f9a3
0cce0abd453bacf4c279dca615309ff86b2d9fab334eb1c03c8ab6a133f7a541  033b50c3ee8901aa17c1230b61e5df17  8cb76d3a22030f8d872b3e7478302e1b76c82bd8
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8  83cc20c8d4dd098313434b405648ebfd  59b99c73776d555a985b2f2dcc38b826933766b3
8ce4ec3896d4106a1c265497d4d0c4675a0904e4e84bf40526efc07c06fbdc79  f660623c8baf5ee21a93cb15f5541113  393a08e1cd745c5454c2d7aa2772ed090859ca4a
c5208ca0a1e07ff80a716cbeb7b80452e94722d719e1a895c259cfdcfbc5df40  05601761a434a57295feed280f7a0d36  2bd003a0508656411be39b1ca19f05012c16095f
c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed  0a7b9a3a120d129f53edd0c6fa2564b2  062f9ab3533df764cebb4df4e09c15b0a154a977
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_raccoon_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.
