MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb
SHA3-384 hash: adf5451b876724466c7124c46aaca7a6abc42ce1b006bb8e5e5e9ef0ec3a699818398404bf8422dda9e993a50275a90d
SHA1 hash: f89b2639344b438d9f20d9f6c88ec7333e9d6060
MD5 hash: 70d323a19c27af9c38bbda35359fd92f
humanhash: early-vermont-friend-quiet
File name:70d323a19c27af9c38bbda35359fd92f.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:218'112 bytes
First seen:2021-08-30 01:16:18 UTC
Last seen:2021-08-30 02:24:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f047c2672b00c79ca70d8f2e6ab5c3f9 (17 x RaccoonStealer, 2 x Amadey, 2 x RedLineStealer)
ssdeep 3072:ni3HZ3GCilelJqe9BkoKhOWOMqO0LBFhle1+VXfVRSP7lyzg0sI5/DuT61m:AViwqeHkalzO+FXe1+VXfVRSP7EsI5/
TLSH T18924AED53270C072F4C256318849EAA0572BBD607E6095B73A5F279EFF35D80922E2B7
dhash icon fcfcf4f4d4dcd8c0 (26 x RaccoonStealer, 11 x RedLineStealer, 9 x Stop)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
70d323a19c27af9c38bbda35359fd92f.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-30 01:17:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cbda4829-f70f-43d7-b8a9-fc9c5b832215

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183353/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.10573.2377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Creating a file in the Windows subdirectories
Launching a process
Launching the default Windows debugger (dwwin.exe)
Changing a file
Unauthorized injection to a recently created process
Deleting of the original file
Enabling autorun by creating a file
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/474f6541-aea9-4ecf-8e5e-6624ab59ef80
Result
Threat name:
Raccoon RedLine SmokeLoader Zeppelin
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841180
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473611 Sample: fzUNUBx4wC.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 54 www.geodatatool.com 2->54 56 telete.in 2->56 58 4 other IPs or domains 2->58 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for URL or domain 2->76 78 17 other signatures 2->78 10 fzUNUBx4wC.exe 2->10         started        13 cbfejbe 2->13         started        signatures3 process4 signatures5 104 Detected unpacking (changes PE section rights) 10->104 106 Contains functionality to inject code into remote processes 10->106 108 Injects a PE file into a foreign processes 10->108 15 fzUNUBx4wC.exe 10->15         started        110 Machine Learning detection for dropped file 13->110 18 cbfejbe 13->18         started        process6 signatures7 112 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->112 114 Maps a DLL or memory area into another process 15->114 116 Checks if the current machine is a virtual machine (disk enumeration) 15->116 20 explorer.exe 18 15->20 injected 118 Creates a thread in another existing process (thread injection) 18->118 process8 dnsIp9 60 185.49.70.90, 2080 LEASEWEB-DE-FRA-10DE United Kingdom 20->60 62 readinglistforaugust2.xyz 95.213.224.6, 49707, 80 SELECTELRU Russian Federation 20->62 64 7 other IPs or domains 20->64 42 C:\Users\user\AppData\Roaming\cbfejbe, PE32 20->42 dropped 44 C:\Users\user\AppData\Local\Temp\BF4C.exe, PE32 20->44 dropped 46 C:\Users\user\AppData\Local\Temp\86F6.exe, PE32 20->46 dropped 48 6 other malicious files 20->48 dropped 80 System process connects to network (likely due to code injection or exploit) 20->80 82 Benign windows process drops PE files 20->82 84 Performs DNS queries to domains with low reputation 20->84 86 4 other signatures 20->86 25 658F.exe 3 20->25         started        28 7FF0.exe 20->28         started        32 4FE3.exe 1 20->32         started        34 3 other processes 20->34 file10 signatures11 process12 dnsIp13 88 Multi AV Scanner detection for dropped file 25->88 90 Detected unpacking (changes PE section rights) 25->90 92 Query firmware table information (likely to detect VMs) 25->92 102 3 other signatures 25->102 36 conhost.exe 25->36         started        66 www.geodatatool.com 158.69.65.151, 443, 49714, 49715 OVHFR Canada 28->66 68 192.168.2.1 unknown unknown 28->68 70 geoiptool.com 28->70 50 C:\Users\user\...\TrustedInstaller.exe, PE32 28->50 dropped 94 May check the online IP address of the machine 28->94 96 Machine Learning detection for dropped file 28->96 98 Sample uses process hollowing technique 32->98 100 Injects a PE file into a foreign processes 32->100 38 4FE3.exe 2 32->38         started        40 conhost.exe 32->40         started        52 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 34->52 dropped file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb/
Threat name:
Win32.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 01:17:05 UTC
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zboe4lr7dy45vxxpfkbmj6vp4rp3kcmcg23c3hecdoi4sfnwn25q._file
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader botnet:d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 botnet:fe582536ec580228180f270f7cb80a867860e010 botnet:nn botnet:zz backdoor discovery evasion infostealer persistence ransomware spyware stealer themida trojan
Link:
https://tria.ge/reports/210830-cw98x3tt1s/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Modifies Windows Defender Real-time Protection settings
Raccoon
RedLine
RedLine Payload
SmokeLoader
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
185.167.97.37:30902
135.181.49.56:47634
Unpacked files
SH256 hash:
0a9a7acf77fe4f890fe2acf761fa7f369418bb1f733504acd0792f589ccc7b15
MD5 hash:
ad94a86355be2ad9348b88e8972e8320
SHA1 hash:
8c7ff71739a5194efc5c7bee9c37ad92a9e72646
Link:
https://www.unpac.me/results/6a003601-1ab7-4e81-aab7-ef30ee5774e2/
SH256 hash:
c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb
MD5 hash:
70d323a19c27af9c38bbda35359fd92f
SHA1 hash:
f89b2639344b438d9f20d9f6c88ec7333e9d6060
Link:
https://www.unpac.me/results/6a003601-1ab7-4e81-aab7-ef30ee5774e2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c85c4e2e3f1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe c85c4e2e3f1e39dadeef2a82c4faafe45fb5098236b62d9c821b91c915b66ebb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1558724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183353/

Comments