MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
SHA3-384 hash: f5eacbdb50ea52423e81c938331d50ef8525b219ba5fe19fde7f4a2b64545fb03203456490a9b06b6c244bb140ad6f3d
SHA1 hash: 175e355ec278943ce5823f59bb73508c5796d02e
MD5 hash: 0f68c0ac8f874481a85e5d323c84fa63
humanhash: gee-texas-item-virginia
File name:DCF4ECC6D3B70A3E11077862B9E3830806191F0718EEC.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'430'310 bytes
First seen:2021-11-16 23:02:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xCCvLUBsg4lfqcX7l/meJluIN1QjpSRirsrV7fYS33X51wprHU:xzLUCgq11moLNCjpSSEV7fYuZ1cLU
Threatray 222 similar samples on MalwareBazaar
TLSH T1B0263381BEB2CAF3C75220329E156B7470EED3AC4B3848C73794C5596F188E9670FA65
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://postbackstat.biz/check.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
37.61.213.242:25027 https://threatfox.abuse.ch/ioc/249614/
http://postbackstat.biz/check.php https://threatfox.abuse.ch/ioc/249947/
37.9.13.169:63912 https://threatfox.abuse.ch/ioc/249948/

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DCF4ECC6D3B70A3E11077862B9E3830806191F0718EEC.exe
Verdict:
No threats detected
Analysis date:
2021-11-17 05:39:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88905c79-3446-4bbd-b006-76fae1af679f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206669/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9901323-1
Create hunting rule

Win.Packed.Socelars-9901373-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys mokes overlay packed
Link:
https://www.filescan.io/uploads/6194386d43e8f62b66960613/reports/70bccc4e-69c6-432d-a741-3ed705707667/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10357dbe-9025-48a5-ac4b-3402795aee1a
Result
Threat name:
RedLine SmokeLoader Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890820
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 523289 Sample: DCF4ECC6D3B70A3E11077862B9E... Startdate: 17/11/2021 Architecture: WINDOWS Score: 100 58 201.103.204.1 UninetSAdeCVMX Mexico 2->58 60 41.41.255.235 TE-ASTE-ASEG Egypt 2->60 62 14 other IPs or domains 2->62 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Antivirus detection for URL or domain 2->84 86 Antivirus detection for dropped file 2->86 88 17 other signatures 2->88 9 DCF4ECC6D3B70A3E11077862B9E3830806191F0718EEC.exe 20 2->9         started        signatures3 process4 file5 42 C:\Users\user\AppData\...\setup_install.exe, PE32 9->42 dropped 44 C:\Users\user\...\Sat13cae8f0881525bd.exe, PE32 9->44 dropped 46 C:\Users\user\...\Sat13b323fab7a2c.exe, PE32 9->46 dropped 48 15 other files (9 malicious) 9->48 dropped 12 setup_install.exe 1 9->12         started        process6 dnsIp7 78 127.0.0.1 unknown unknown 12->78 80 hsiens.xyz 12->80 118 Performs DNS queries to domains with low reputation 12->118 120 Adds a directory exclusion to Windows Defender 12->120 16 cmd.exe 12->16         started        18 cmd.exe 12->18         started        20 cmd.exe 1 12->20         started        22 11 other processes 12->22 signatures8 process9 signatures10 25 Sat13148a43617c.exe 16->25         started        30 Sat1350f5f1b515f.exe 18->30         started        32 Sat13194a1da9.exe 12 20->32         started        90 Adds a directory exclusion to Windows Defender 22->90 34 Sat1370015d96e424e10.exe 22->34         started        36 Sat13187377203e17f7.exe 22->36         started        38 Sat1342401cf38c36a4.exe 4 22->38         started        40 6 other processes 22->40 process11 dnsIp12 64 212.193.30.21 SPD-NETTR Russian Federation 25->64 68 5 other IPs or domains 25->68 50 C:\Users\...\S6BnYb0dpxUCxp0x6Na82oKu.exe, PE32+ 25->50 dropped 52 C:\Users\user\...52iceProcessX64[1].bmp, PE32+ 25->52 dropped 92 Antivirus detection for dropped file 25->92 94 Multi AV Scanner detection for dropped file 25->94 96 Detected unpacking (creates a PE file in dynamic memory) 25->96 98 Disable Windows Defender real time protection (registry) 25->98 100 Detected unpacking (changes PE section rights) 30->100 102 Machine Learning detection for dropped file 30->102 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 30->104 116 3 other signatures 30->116 70 2 other IPs or domains 32->70 106 May check the online IP address of the machine 32->106 72 2 other IPs or domains 34->72 108 Tries to harvest and steal browser information (history, passwords, etc) 34->108 66 194.145.227.161 CLOUDPITDE Ukraine 36->66 110 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 36->110 74 2 other IPs or domains 38->74 54 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 38->54 dropped 112 Creates processes via WMI 38->112 76 5 other IPs or domains 40->76 56 C:\Users\user\AppData\...\Sat1379092b4ccc.tmp, PE32 40->56 dropped 114 Obfuscated command line found 40->114 file13 signatures14
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-10-03 09:04:21 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3t2ozrwtw4fd4eihpbrlty4dbadbshyhddxmwus2hz6sijdmakdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
RaccoonStealer
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
RaccoonStealer
96f34985e744edae462b513fd68856056c135078302d827eac076717acf8662e
RaccoonStealer
a3845d760f3394981f0e9b2330c279db0534befaaa17c67ded9b3dbd7b9e608f
RaccoonStealer
bc2cce5055f9411c04edeee699d7161c257574b4c5540351b647d8a52de9540c
RaccoonStealer
c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0
RaccoonStealer
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
RaccoonStealer
f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741
RaccoonStealer
+ 212 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:redline family:smokeloader family:socelars botnet:ani botnet:jamesoldd aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/211116-2z5k9scgck/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Arkei
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
65.108.20.195:6774
45.142.215.47:27643
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Unpacked files
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash:
5275ae278e347d83fb061a92e979fe86
SHA1 hash:
6c1118b87f366df72a25f1988f740ea6753984cd
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash:
bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash:
3e207a18a539ab6ec17737e6fe79562f59502718
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash:
7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash:
0cf699c041c6f7ad485b77f25403776aab99c057
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
7cfd084d32117fe237c4de00f149f66453f68184c22ad2a011b24e92a29bcf6f
MD5 hash:
d87c40cd90c98682b8098d2c3dfc2b4d
SHA1 hash:
84a0a5be5a028497c3358a67d049b0610214a835
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
a8c989b0f1ad161985d64b9b8ddd3af811b755efd1d5fd89dbe950717cf93070
MD5 hash:
824caee8c8b92c2c81cc5036b5754823
SHA1 hash:
b04172ba9aafc6ea2e4586193eb61ec2959193af
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1
MD5 hash:
51b73b4d3041eb2d32a29dca61059549
SHA1 hash:
9845a8e5716e5e16ffc33ceccae9abf52872a2b5
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
f72a139a7eeb49e2689dd5f89e90374ba440f0f60d0eec92af6e0dcec4a2335d
MD5 hash:
a2d61cc3794edafbf1dfa6097dccc5f5
SHA1 hash:
62732d2511e65429ea40e3b43a1cf2c82081b19d
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
4545ab668c380bb5d3db41d71f89a801803d624afdaa90cc7b821788ac667c89
MD5 hash:
9b718c21138fea666ac4f87b95510fbf
SHA1 hash:
26374295dbe255f2121f61393fc6b2c2abc675ce
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
e44ea3867d4f177bb2a78af566933b4eca8c108231032abc17836c45499f9c7c
MD5 hash:
6fc6f704fc21e2edfdff0408f4b8864a
SHA1 hash:
1e632e628ed41284a1a24d0dc93760f5df036d45
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
b6e6385459dd231051f463e869728cdb35217095421dc18c9c65a54fd2fb7b38
MD5 hash:
3ce7ba291765def0b6c4eba52e124681
SHA1 hash:
a66e39fb18f848e6454f00346bce4c7d74ff026e
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
44cc4495706fedfd3c9ea366b52c0bd2a13f26363857b121ba02730c26369c96
MD5 hash:
7d280daba2056bf62e9eb0752cc1d82f
SHA1 hash:
d2a405a19a98d1b046931a292f92ef5ee127b880
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
178d0d1b17c6c962fe9aae2c5374fc130a8d49936a720913bd72d5ff4e9d304c
MD5 hash:
c50006149fbd676ecc28a8cea629cfab
SHA1 hash:
3bf26f2434d13827caeaeb9e7fc9c651818b930a
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
8f6e699ef130d215fcc001f58edc715c333c808da00e129d91c5f514a4c28777
MD5 hash:
54ca541fcade300512fa62b0b30df752
SHA1 hash:
a82b5fcd86d0ca6b9338344b11384073f4a5f308
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
SH256 hash:
dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
MD5 hash:
0f68c0ac8f874481a85e5d323c84fa63
SHA1 hash:
175e355ec278943ce5823f59bb73508c5796d02e
Link:
https://www.unpac.me/results/36f291c5-c9f0-491f-ba49-2d3ebbfa84d5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dcf4ecc6d3b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206669/

Comments