MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 3 YARA File information Comments

SHA256 hash:	d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8
SHA3-384 hash:	a362487e76a1769ce85ca1768ab3ad8db5a236e30ccd100a779aa373878f694c581d1c0fb42434c45562c77e5c227a2a
SHA1 hash:	29d953e9c622ec70ed72f04b42e1062bf217272b
MD5 hash:	9a691622fc030fe16d5b27a86d233020
humanhash:	foxtrot-finch-two-comet
File name:	9a691622fc030fe16d5b27a86d233020.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	237'056 bytes
First seen:	2022-02-09 08:45:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	27406334f4caa542732eb5bb11e8b72f (1 x RaccoonStealer)
ssdeep	3072:bnWhxZCTL4MrTyxD1Sljasj6QfwWJr3BEtyaaC:bnW/Zx+T2SljBIYGyN
TLSH	T12D34BE1172D0D432C89769708838CBE65EBBF87259B0954B37683B2E6F702E15B76353
File icon (PE):
dhash icon	38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://139.162.146.59/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://139.162.146.59/	https://threatfox.abuse.ch/ioc/383112/
86.107.197.196:63065	https://threatfox.abuse.ch/ioc/384489/
194.163.144.67:21227	https://threatfox.abuse.ch/ioc/384490/

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/239311/

Detection(s):

Win.Packed.Filerepmalware-9938574-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

DNS request

Searching for synchronization primitives

Reading critical registry keys

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6442/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware

Link:

https://www.filescan.io/uploads/62037f58845a69d77350ccfc/reports/17653281-e316-4a49-adcd-bdf13d89004f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f10e2bcc-dc92-4070-83c2-f07537b5795c

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936647

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-09 04:04:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ffgpvjfeyagylhr75akdanrw2twhtnamuj4h6afd2nctqqiwh4a._file

Verdict:

malicious

Label(s):

ryuk

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220209-kpbf1ahff5/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589

MD5 hash:

b984a027c8a2abf874f3eb306a831613

SHA1 hash:

d3b3f8890adc840b0bd411cf304eef15d415ed48

Link:

https://www.unpac.me/results/e95f7ce8-e36a-4029-b2bc-fc00551fef91/

Parent samples :

fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a

SH256 hash:

d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8

MD5 hash:

9a691622fc030fe16d5b27a86d233020

SHA1 hash:

29d953e9c622ec70ed72f04b42e1062bf217272b

Link:

https://www.unpac.me/results/e95f7ce8-e36a-4029-b2bc-fc00551fef91/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d94a67d52526/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

exe d94a67d52526006c2cf1ff40a181b1b6a763cda06513c3f8051e9a29c208b1f8

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2013897/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/239311/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample