MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RaccoonStealer
Vendor detections: 11
| SHA256 hash: | c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d |
|---|---|
| SHA3-384 hash: | 6a450bd2c4e395408116e9ab2616ff04fe6e12c53fd133e466022a80e11be18ac866a35bb0896f48fbc11a5e937a876e |
| SHA1 hash: | 37d83a34da50b959759cbb18b01654bbd17bbb3f |
| MD5 hash: | a1a2a0b423349f463d23969864a111c0 |
| humanhash: | uniform-papa-solar-winner |
| File name: | C7DF63BD3D9DBD3CBD11E02D0CA6F8988251BF5BEA12D.exe |
| Download: | download sample |
| Signature | RaccoonStealer |
| File size: | 2'722'205 bytes |
| First seen: | 2021-10-01 23:40:51 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer) |
| ssdeep | 49152:xcBDPkZVi7iKiF8cUvFyPIDRCHpMg2WvPVqa8nP1UGOShPYYyGfIUcpSyEwJ84vN:xbri7ixZUvFyPWvhW3VoFOdYyGUSpCvN |
| Threatray | 443 similar samples on MalwareBazaar |
| TLSH | T194C533107FD6C0FBD65A2236A8083FFAB1EDC7A506350C9737549A0D6F2D9E0D01AE5A |
| File icon (PE): |  |
| dhash icon | 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox) |
| Reporter |  abuse_ch |
| Tags: | exe RaccoonStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://91.219.236.63/ | https://threatfox.abuse.ch/ioc/229384/ |
| http://185.215.113.45/g4MbvE/index.php | https://threatfox.abuse.ch/ioc/229555/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C7DF63BD3D9DBD3CBD11E02D0CA6F8988251BF5BEA12D.exe
Verdict:
No threats detected
Analysis date:
2021-10-01 23:43:05 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector04
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Deleting a recently created file
Malware family:
Bsymem
Verdict:
Malicious
Result
Threat name:
Backstage Stealer SmokeLoader Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates many large memory junks
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected Backstage Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Ransomware.Stopcrypt
Status:
Malicious
First seen:
2021-07-24 11:39:05 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 433 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:redline family:smokeloader family:vidar botnet:933 botnet:first build aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://shpak125.tumblr.com/
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
asyndenera.xyz:15667
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
asyndenera.xyz:15667
Unpacked files
SH256 hash:
dffe74a0e802160158a562258f6adae3c2daaa229bbf0ab0e7dc1800b748b939
MD5 hash:
9a9c6f09e5ff49134e59ba3eb117a94f
SHA1 hash:
aa7a6bded7a76a1b180b24fa2470e0899b39bec8
Parent samples :
b64ab676ffe01925adc506eebcc62f6edc901e017c339af5d90f6d64292e9822
4ae186f9a645695962b47f37c8b8e64c4d45f2b2a12ae914c01e5ba810a44f00
fe3ae99417e0d632995ad5ceeccc4c0b308b8a30d2c93031f15837b607b8552b
df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
4ae186f9a645695962b47f37c8b8e64c4d45f2b2a12ae914c01e5ba810a44f00
fe3ae99417e0d632995ad5ceeccc4c0b308b8a30d2c93031f15837b607b8552b
df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
SH256 hash:
89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67
MD5 hash:
55bf2bbdd87ec3ac709c6a247f4a28b4
SHA1 hash:
6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb
Parent samples :
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
SH256 hash:
dedc26a0809c9b2e2b29dd237c717a9b23705646f1e91a9702420eca9214e560
MD5 hash:
6b53da6dd48a20a541325130c54a4dc0
SHA1 hash:
539727c91622de7d8ca5e001d9483fc2b2feb1c6
SH256 hash:
8f3259245b6e3057d83093165a7532ae01ff47827f3a7c0ad3902a3fcc21a5cb
MD5 hash:
4771f72f6d472b99fac5ceeef6e6d061
SHA1 hash:
fcc95c7a996062598b1fb585bcf2efa346485712
SH256 hash:
bdf8cfe485bb5c3541f9909ad999d406d4040a851f2dcc98a9d920d8c743be2b
MD5 hash:
1d9aa25ec4c809538e9de0cd6854cfb0
SHA1 hash:
f19625f374d20ad75c501aecbeffad31bd2de40e
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
SH256 hash:
944d0036c359c3406803a1b8ebb0f434e9a53bf443cce4a92038202cbfd71655
MD5 hash:
e392bc384c98ddd5dd55794a096ab787
SHA1 hash:
afd2c5471065d10ee67d89b037360d80b9474885
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
SH256 hash:
09178780a1df7364d0b38580b40ccaa528c3f309bbc0239c98e61d464e8a32f7
MD5 hash:
d2a0c6939e1be294a7a5a0369438dbc4
SHA1 hash:
734eca2ed021b9cf19ca501a8ddf0aaa15692464
SH256 hash:
dda9f2be90b35400b970665cf7430f90f438b2e63815f6ec9ea2fe8de604dbb3
MD5 hash:
854cd204b1c7bb0ee99d3129345aa401
SHA1 hash:
70d377106c76bd363d73c874e8f539939b55fca7
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
SH256 hash:
e07b79b1482e734a2269a1d8b49e2e4c90c4476e1abf84d133cc0774ca88ae06
MD5 hash:
b8e4a53308d1285df967845e246f51cb
SHA1 hash:
753299c00cc0f86323ca8d6141d727c0ffea895d
SH256 hash:
c7df63bd3d9dbd3cbd11e02d0ca6f8988251bf5bea12d6d76c40ba2d33b5468d
MD5 hash:
a1a2a0b423349f463d23969864a111c0
SHA1 hash:
37d83a34da50b959759cbb18b01654bbd17bbb3f
Malware family:
Mal/HTMLGen-A
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.