MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0ed9b5279618e628f62a80cd1abdd208bdd3899cb6865b51591478ca03e46c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

SHA256 hash: d0ed9b5279618e628f62a80cd1abdd208bdd3899cb6865b51591478ca03e46c6
SHA3-384 hash: 2bc9d5055f82f278f8411c230dc529b9eb13afa136e6f9da0074f1234487a6fff156a34c4a5eba38013d88bbc34f7f96
SHA1 hash: 2c38caa9518390d37f17898d5574462e5a3071d0
MD5 hash: c558ed2c819717303c17f6bbd048cf4a
humanhash: ack-solar-mars-fruit
File name: C558ED2C819717303C17F6BBD048CF4A.exe
Signature: RaccoonStealer
File size: 2'210'035 bytes
First seen: 2021-09-07 17:21:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcBT/T3YMUjjBzSJo0pGCCX5nVutfRQBuU48SjMLx:xI73hUjlz7IDSxWfaBrpLx
Threatray: 520 similar samples on MalwareBazaar
TLSH: T12AA533647AF6C2B7CA43E072AD445F7350FEC3481B33995B3354D2482EBC9A4F129A66
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://178.23.190.242/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://178.23.190.242/
ThreatFox reference: https://threatfox.abuse.ch/ioc/216953/

Intelligence

File Origin
# of uploads: 1
# of downloads: 154
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-09-04 03:28:18 UTC
Tags: trojan stealer vidar loader evasion rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Launching a process
Deleting a recently created file
Creating a window
Creating a file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Creating a file in the Program Files subdirectories
Sending an HTTP POST request
Moving a file to the Program Files subdirectory
Reading critical registry keys
Creating a file in the %AppData% directory
Replacing files
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name: RedLine Vidar Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executable to a common third party application directory
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (the rendered graph did not survive extraction; the node data below is what remains)
Behavior Graph ID: 479259
Sample: EofbDJ3S2o.exe
Start date: 07/09/2021
Architecture: WINDOWS
Score: 100
Hosts contacted at the root node: 208.95.112.1 (TUT-ASUS, United States), 104.208.16.94 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 8 other IPs or domains
Root node signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 15 other signatures
Process tree (child processes indented under their parent):
EofbDJ3S2o.exe
  dropped: C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\...\Fri22fb4ed88b9.exe (PE32), C:\Users\user\AppData\...\Fri22e9866a3a24.exe (PE32), 8 other files (3 malicious)
  setup_install.exe
    contacts: 8.8.8.8 (GOOGLEUS, United States), 172.67.190.165 (CLOUDFLARENETUS, United States), 127.0.0.1
    signature: Adds a directory exclusion to Windows Defender
    cmd.exe
      Fri2204c8b2ca47c.exe
        contacts: 162.159.135.233 (CLOUDFLARENETUS, United States), 192.168.2.1
        dropped: C:\Users\user\AppData\Local\...\LzmwAqmV.exe (PE32)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        LzmwAqmV.exe
          dropped: C:\Users\user\AppData\Local\...\Pubdate.exe (PE32), C:\Users\user\AppData\Local\...\Chrome 5.exe (PE32+), C:\Users\user\AppData\Local\...\BearVpn 3.exe (PE32), 6 other files (2 malicious)
          signature: Machine Learning detection for dropped file
    cmd.exe
      Fri22fb4ed88b9.exe
        dropped: C:\Users\user\AppData\...\Fri22fb4ed88b9.tmp (PE32)
        Fri22fb4ed88b9.tmp
          contacts: 162.0.213.132 (ACPCA, Canada)
          dropped: C:\Users\user\AppData\Local\...\zab2our.exe (PE32), C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          zab2our.exe
            contacts: 173.222.108.210 (AKAMAI-ASN1EU, United States), 162.0.210.44 (ACPCA, Canada), 162.0.220.187 (ACPCA, Canada)
            dropped: C:\Users\user\AppData\...\Fekihaepado.exe (PE32), C:\Users\user\AppData\...\Byvujytaeshy.exe (PE32), C:\Program Files\...\ultramediaburner.exe (PE32), 4 other malicious files
            signature: Drops executable to a common third party application directory
    cmd.exe
      Fri22ab166dee75e0.exe
        contacts: 88.99.66.31 (HETZNER-ASDE, Germany)
        signature: Detected unpacking (changes PE section rights)
    6 other processes
      signature: Adds a directory exclusion to Windows Defender
      Fri2283a715835d.exe
        contacts: 172.67.146.70 (CLOUDFLARENETUS, United States)
        dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
        signature: Creates processes via WMI
      Fri22e9866a3a24.exe
        contacts: 74.114.154.22 (AUTOMATTICUS, Canada)
      powershell.exe
rundll32.exe
  rundll32.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-04 01:55:27 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar family:xmrig botnet:706 botnet:pub aspackv2 infostealer miner stealer suricata
Behaviour
Kills process with taskkill
Modifies registry class
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
xmrig
Malware Config
C2 Extraction:
193.56.146.78:51487
https://romkaxarit.tumblr.com/
Unpacked files

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: b8353735e91be404c294bead1167c136fa5297c1abaecdd18db28dd6d76fdd32
MD5 hash: 0fe46218f985caac68bb2557b14db021
SHA1 hash: 8cd5e8c9aa28b98475ea42a48c7d5f7840bae90c

SHA256 hash: 761316153baf7c2fe923963bdd9e4307b7f5781eb678e4163651cbfb6fa3ae06
MD5 hash: f8fecf6a71e3d23c1ebc8323a527e354
SHA1 hash: fdbfeeef7cdcb16390254767525cfe72d769f284

SHA256 hash: d11994ba58687b8abc604612c34c2026bf4bc92f496132f564fb4c7c9fa831f9
MD5 hash: 2144318fb3d6de737c2897efbdd5bf22
SHA1 hash: f4794f8e69eedf46a07d5dccb5f78a7cee5af3a5

SHA256 hash: 606d3d9365f40fee12e9fc577ae5bf4cd42d502f4758320cdab01b53a7e0d4b8
MD5 hash: 51894ed4e7fec456b08027e2e6620386
SHA1 hash: bbffdd90f9a5644086006734e03c15ac28db1ae9

SHA256 hash: f6c0a03aadae904369334e0a3abf77fd19d53a22503ca374ec6c00c5ff373c01
MD5 hash: 15d177197de1775e55045043edd6eddc
SHA1 hash: 77bd9a98694fb32bc0fc320d726164cc009dd53d

SHA256 hash: c6ca7024a78bca82c785d49435d873b724ea4160f19f17bf0b13cb5de1a7007b
MD5 hash: 35ba3811cafeccc5da587ca090eae666
SHA1 hash: 6c956167fca9c251b1d31f1cd5fc51a2ba8f373f

SHA256 hash: 9dc77ea1abd72256c2cf906cf433610f48661779a1416b8546d4f9af09f26a5a
MD5 hash: 14d77d404de21055cfaa98fd20623c72
SHA1 hash: 0f32b94e597b1a42e0f5ba36fc8b25c1ee0ef21b

SHA256 hash: 73b2d55e6cc22a9894acb3ab8fef9b7cda972620134977b63d39eb218890ad5f
MD5 hash: fb182844136d55a23374e3fe2cb2e96f
SHA1 hash: 880a47b6adfbb6f11b2ed95eb3a0dc5029b07410

SHA256 hash: 972cb0562c3067c619b7e050366242050fe25c0afbdd4faf1b23d49da4f77e4a
MD5 hash: 717f1e339f5ba01535774d0d65891ad5
SHA1 hash: 1671d5d480701e0ff536cf73bd8e6b7a80c2e35b

SHA256 hash: 705746e59720a510e3807cb0922a23790b8411b4bb520f8816b2189c516cfadd
MD5 hash: 853184c0cee49be7d68d80070d1aab49
SHA1 hash: 0a5ad05147e87465648258c229f6120e789a6806

SHA256 hash: d0ed9b5279618e628f62a80cd1abdd208bdd3899cb6865b51591478ca03e46c6
MD5 hash: c558ed2c819717303c17f6bbd048cf4a
SHA1 hash: 2c38caa9518390d37f17898d5574462e5a3071d0
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments