MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a60da0492ef984a0c73f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a60da0492ef984a0c73f9
SHA3-384 hash: 89bb5ed70e40124537907cbc681396052a4938d78c66f36f547256271728d6385b33f403a310a86887f4188bbbd8b925
SHA1 hash: 68bff470ed448ba7be40ac318a81dc8f6d9685c9
MD5 hash: 39338c7d5e43d6ddde8933ab33d5032d
humanhash: six-princess-florida-crazy
File name:e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a6.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:642'069 bytes
First seen:2021-08-31 11:40:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 12288:pANwRo+mv8QD4+0V16sZahjrqwSVupEQ541Xjao1MSTLSoj9z+H:pAT8QE+k5+jrqw/qQ541XmQMSTLSoIH
Threatray 3'900 similar samples on MalwareBazaar
TLSH T118D40235B641857AD1620A368D0FD3B9B536BE042F7D99CF77DD0E1C8D2334A2A2139A
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.120/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.120/ https://threatfox.abuse.ch/ioc/203162/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184182/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Launching a process
Sending a UDP request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Creating a file in the Windows subdirectories
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b4fd381-44b6-40c8-a2b1-ce3d623742a8
Result
Threat name:
Raccoon RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842566
Signature
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 475001 Sample: e4243a2f49e119acbf11700c1c9... Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for domain / URL 2->70 72 Antivirus detection for URL or domain 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 7 other signatures 2->76 8 e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a6.exe 18 25 2->8         started        process3 file4 38 C:\Program Files (x86)\...\Spadille.exe, PE32 8->38 dropped 40 9840432e051a6fa119...2b80a4c1fd73456.exe, PE32 8->40 dropped 42 C:\Program Files (x86)\...\Uninstall.exe, PE32 8->42 dropped 11 9840432e051a6fa1192594db02b80a4c1fd73456.exe 80 8->11         started        16 Spadille.exe 1 8->16         started        18 chrome.exe 14 422 8->18         started        process5 dnsIp6 62 5.181.156.120, 49703, 80 MIVOCLOUDMD Moldova Republic of 11->62 64 telete.in 195.201.225.248, 443, 49699 HETZNER-ASDE Germany 11->64 44 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 11->44 dropped 46 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->46 dropped 48 C:\Users\user\AppData\...\ucrtbase.dll, PE32 11->48 dropped 50 56 other files (none is malicious) 11->50 dropped 78 Tries to steal Mail credentials (via file access) 11->78 80 Tries to harvest and steal browser information (history, passwords, etc) 11->80 20 cmd.exe 11->20         started        82 Sample uses process hollowing technique 16->82 84 Injects a PE file into a foreign processes 16->84 22 Spadille.exe 16->22         started        25 conhost.exe 16->25         started        27 Spadille.exe 16->27         started        32 12 other processes 16->32 66 192.168.2.1 unknown unknown 18->66 68 239.255.255.250 unknown Reserved 18->68 29 chrome.exe 18->29         started        file7 signatures8 process9 dnsIp10 34 conhost.exe 20->34         started        36 timeout.exe 20->36         started        54 87.251.71.14, 49744, 49746, 49747 RMINJINERINGRU Russian Federation 22->54 56 iplogger.com 88.99.66.31, 443, 49704, 49705 HETZNER-ASDE Germany 29->56 58 accounts.google.com 142.250.181.237, 443, 49706 GOOGLEUS United States 29->58 60 6 other IPs or domains 29->60 52 C:\Users\user\AppData\Local\...\Cookies, SQLite 29->52 dropped file11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a60da0492ef984a0c73f9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 11:41:04 UTC
AV detection:
16 of 39 (41.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qsdul2j4em2zpyroagbzh2swakbjs6c4mngbwqeslxzqsqmop4q._file
Verdict:
malicious
Similar samples:
1e7f2339065e8a6909eea27f090499a1af6427d1563ceac0cd25c916c637d29d
RaccoonStealer
4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c
RaccoonStealer
4728e07dce4743a4b93519c6f612e195dfd6ba9efcc28b261aa50e5e6e1159bc
RaccoonStealer
7e0679077236a08ed74cbdb95bbfcc03243d153250263c3bd7959c6f5c8530f2
RaccoonStealer
a958a5956297e2ff6ebe698756a401563736aa63fd3c44ff0c5e7deb82134740
RaccoonStealer
c62b515006bc08b9c7e66fedb39b4751a20fe34f19a322d7e40447c70937a6d0
RaccoonStealer
cfcb21c8c129c8c2c525ecfac8bd883260eda6038e3991210765e582007451dd
RaccoonStealer
+ 3'890 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline botnet:208cae76e27fe102019484f9b1e2c6db71cd743e botnet:baskar discovery evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210831-ratm15y8ha/
Behaviour
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
RedLine
RedLine Payload
Malware Config
C2 Extraction:
87.251.71.14:89
Unpacked files
SH256 hash:
2deb798b1b4bf81ae3a88585129b40bf2184d75274e35797df9590e40d9361e0
MD5 hash:
e4900b1a17088672e852bc26d2e8fefa
SHA1 hash:
6162b3681f78522c2fae705f4b3e7a2c7aa5cf9c
Link:
https://www.unpac.me/results/ea4cb47a-f9c9-4335-8c7b-b0796d689e23/
SH256 hash:
ef43e941212e72a903f5c93ed065d6f054c2079e2b7b17a3739a883b514ccd1c
MD5 hash:
c53bb26c2e15cab63f65de0cda477272
SHA1 hash:
93ce723240d01090beae270c2cc161f617092d00
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/ea4cb47a-f9c9-4335-8c7b-b0796d689e23/
SH256 hash:
e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a60da0492ef984a0c73f9
MD5 hash:
39338c7d5e43d6ddde8933ab33d5032d
SHA1 hash:
68bff470ed448ba7be40ac318a81dc8f6d9685c9
Link:
https://www.unpac.me/results/ea4cb47a-f9c9-4335-8c7b-b0796d689e23/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e4243a2f49e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4243a2f49e119acbf11700c1c9f52b01414cbc2e31a60da0492ef984a0c73f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184182/

Comments