MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daefeb507a2c5ede48dd01032ccc8361b2a084f45cc9e3f33b5e506a8cb353e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 4 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: daefeb507a2c5ede48dd01032ccc8361b2a084f45cc9e3f33b5e506a8cb353e0
SHA3-384 hash: 1715ce5d28e124bd2f4ae843a12179e411be3a839ddf9100c83dad75769f18fc2148201d19d98bec35fdf8d48c80e1d6
SHA1 hash: 03d73476925bf493a5f72c4638be1ba5f8a8f239
MD5 hash: 3d6d5b0e97f6a4e7891b0a01b63f0a8e
humanhash: hamper-muppet-uniform-stairway
File name:3D6D5B0E97F6A4E7891B0A01B63F0A8E.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'999'546 bytes
First seen:2021-07-23 04:25:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:EgPRSyAFZJUysHo7WoiW+add9u2QHKdOYhcBA493+Lm:JPoJUxHYesO2cBJ9Mm
Threatray 214 similar samples on MalwareBazaar
TLSH T1CD95338CA35448A1D7CBC7335D12BA9BD96D86476C6FB78A5B03CB87B0AD110E3C661C
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
77.220.213.35:52349

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.220.213.35:52349 https://threatfox.abuse.ch/ioc/162067/
http://188.119.112.73/ https://threatfox.abuse.ch/ioc/162168/
185.244.182.34:22602 https://threatfox.abuse.ch/ioc/162201/
45.14.49.23:32246 https://threatfox.abuse.ch/ioc/162226/

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173490/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bac9d212-af3f-4736-90c3-9ae3480dda8b
Result
Threat name:
Backstage Stealer Cookie Stealer Ficker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820531
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected Cookie Stealer
Yara detected Ficker Stealer
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452942 Sample: y4gZKfc1Pd.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 90 37.0.8.225 WKD-ASIE Netherlands 2->90 92 91.241.19.12 REDBYTES-ASRU Russian Federation 2->92 94 4 other IPs or domains 2->94 112 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->112 114 Antivirus detection for URL or domain 2->114 116 Antivirus detection for dropped file 2->116 118 20 other signatures 2->118 12 y4gZKfc1Pd.exe 10 2->12         started        signatures3 process4 file5 72 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->72 dropped 15 setup_installer.exe 10 12->15         started        process6 file7 82 C:\Users\user\AppData\...\setup_install.exe, PE32 15->82 dropped 84 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 15->84 dropped 86 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 15->86 dropped 88 5 other files (none is malicious) 15->88 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 96 wxkeww.xyz 104.21.56.66, 49715, 80 CLOUDFLARENETUS United States 18->96 98 127.0.0.1 unknown unknown 18->98 120 Detected unpacking (changes PE section rights) 18->120 122 Performs DNS queries to domains with low reputation 18->122 22 cmd.exe 1 18->22         started        24 cmd.exe 1 18->24         started        26 conhost.exe 18->26         started        signatures10 process11 process12 28 karotima_1.exe 4 55 22->28         started        33 karotima_2.exe 2 24->33         started        dnsIp13 100 37.0.11.41, 49719, 80 WKD-ASIE Netherlands 28->100 102 136.144.41.201, 49720, 49721, 80 WORLDSTREAMNL Netherlands 28->102 104 10 other IPs or domains 28->104 74 C:\Users\...\xmCbDij5uOXdkce92y2cWWLK.exe, PE32 28->74 dropped 76 C:\Users\...\vgkvD5oEoj1yxTpyFyVANeRe.exe, PE32 28->76 dropped 78 C:\Users\...\fByg9sZvtx4COoHEIPpAfT7O.exe, PE32 28->78 dropped 80 33 other files (31 malicious) 28->80 dropped 142 Drops PE files to the document folder of the user 28->142 144 May check the online IP address of the machine 28->144 146 Disable Windows Defender real time protection (registry) 28->146 35 Ru7YlAC1btGWqlGrKcBKaGMC.exe 28->35         started        38 fByg9sZvtx4COoHEIPpAfT7O.exe 28->38         started        40 MYtt6ruGaabZETOb7OhpuPmX.exe 28->40         started        45 12 other processes 28->45 148 Creates processes via WMI 33->148 42 karotima_2.exe 5 33->42         started        file14 signatures15 process16 dnsIp17 124 Query firmware table information (likely to detect VMs) 35->124 126 Tries to detect virtualization through RDTSC time measurements 35->126 128 Hides threads from debuggers 35->128 130 Tries to detect sandboxes / dynamic malware analysis system (registry check) 38->130 132 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->132 58 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 42->58 dropped 60 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 42->60 dropped 62 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 42->62 dropped 48 conhost.exe 42->48         started        106 208.95.112.1 TUT-ASUS United States 45->106 108 128.1.32.84 HINETDataCommunicationBusinessGroupTW United States 45->108 110 5 other IPs or domains 45->110 64 C:\Users\...\3la67y9uglaaeiWd0kCK2hMd.exe, PE32 45->64 dropped 66 C:\Users\user\Documents\d, SQLite 45->66 dropped 68 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 45->68 dropped 70 2 other files (none is malicious) 45->70 dropped 134 Drops PE files to the document folder of the user 45->134 136 Tries to harvest and steal browser information (history, passwords, etc) 45->136 138 Sample uses process hollowing technique 45->138 140 Injects a PE file into a foreign processes 45->140 50 conhost.exe 45->50         started        52 conhost.exe 45->52         started        54 conhost.exe 45->54         started        56 conhost.exe 45->56         started        file18 signatures19 process20
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/daefeb507a2c5ede48dd01032ccc8361b2a084f45cc9e3f33b5e506a8cb353e0/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 06:06:05 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lx6wud2frpn4sg5aebsztedmgzkbbhulte6h4z3lzigvdftkpqa._file
Verdict:
unknown
Similar samples:
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
RaccoonStealer
11296d96cfdba7c5323c3d0167bfb7d9d84b39757f58f2e6581cac42cbb0fcbc
RaccoonStealer
161127df64e41b5ccce3553ec1f4ca9fcf1cfe5b0faf8a8d38043e53f2b4c4dc
RaccoonStealer
2916c38c3ff4c0e36fbf895409db7b41fd9555cebf6a33cbf5867be8b54e73db
RaccoonStealer
30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
RaccoonStealer
36ae4637dfb47d17615a49a16a8eadeb29eb5ad5357ae86bad683402a4b0993d
RaccoonStealer
3a9e17be4ef9e2cd297c58f11abcd72f0b3c2c18e9ef581e1990ec9b9dfd6498
RaccoonStealer
a16ed450732a91d7e929fa2ff06158c7160e3201123469e99abc0bd026dad44f
RaccoonStealer
d6db191fc2aa0285fe4036d91817fa468e688823d90c9134a59b7e257e956040
RaccoonStealer
+ 204 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:fickerstealer family:glupteba family:metasploit family:redline family:socelars family:vidar botnet:865 botnet:neuwikkks123 botnet:sel19 botnet:z0rm1on aspackv2 backdoor discovery dropper evasion infostealer loader spyware stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210723-bwp38tj6ka/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Gathers network information
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
Fickerstealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Malware Config
C2 Extraction:
dwarimlari.xyz:80
37.0.8.225:80
zasavaucov.xyz:80
77.220.213.35:52349
185.244.182.34:22602
https://shpak125.tumblr.com/
Unpacked files
SH256 hash:
ae029f26b1144ba9dafae4364f962aeb03074daf53c783531febdccbaa8bfd3e
MD5 hash:
bad5b3ebc7a2657ecc0e838915d86f12
SHA1 hash:
463bfd426033862713e4fef0c1c20f98451ec42d
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
a1d82cc7d4af1c8584f909c36b8b2cc8bd5d68791a5c9af0940e36a9887538f6
MD5 hash:
953230955b0863d81f382d5163a4badc
SHA1 hash:
9c3fd08863f631a2e8aa921ff4d299105e085460
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
ba0b0874119cc29f009b4a113087d550284d8f66bb5ae5c0b45f0afa389a0fa6
MD5 hash:
2030b43ce25a0a46db74da14da222544
SHA1 hash:
c883abf6e3c91ea8f91f019d1f2ddbb219eee973
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
SH256 hash:
daefeb507a2c5ede48dd01032ccc8361b2a084f45cc9e3f33b5e506a8cb353e0
MD5 hash:
3d6d5b0e97f6a4e7891b0a01b63f0a8e
SHA1 hash:
03d73476925bf493a5f72c4638be1ba5f8a8f239
Link:
https://www.unpac.me/results/60d7ecc1-f9e7-4f74-969f-f498657c6e9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/daefeb507a2c5ede48dd01032ccc8361b2a084f45cc9e3f33b5e506a8cb353e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173490/

Comments