MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f21a2fa48b72b3bf5876cc3ba39ded1e5891d32d403ef424407f1dc96cdddc65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f21a2fa48b72b3bf5876cc3ba39ded1e5891d32d403ef424407f1dc96cdddc65
SHA3-384 hash: 7e766ce7fd4c459ba10b0aac428ac70ba68ca41f0910ce02b9582b207128172381976110d85482d219d6fc7cf56cd6eb
SHA1 hash: 7f1341dd37f153febb7028f6aae997524de39864
MD5 hash: 0b24fbcfbed6516dae6cc97e8459f13a
humanhash: music-berlin-network-twenty
File name:0b24fbcfbed6516dae6cc97e8459f13a.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:16'573'704 bytes
First seen:2021-12-13 20:05:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 393216:JMELGt0KM7q+hKydWIYMPz/TWmhDMNWQTPtK3huS7Yj:JMEKt0KM7wxWz/TBoNWt3hq
Threatray 805 similar samples on MalwareBazaar
TLSH T1E0F63380DD65AD16CC153FF3F8B2EAD309EA598610665B362BC1188CF29BDC357C9392
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
89.223.69.92:9295

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.223.69.92:9295 https://threatfox.abuse.ch/ioc/275401/

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0b24fbcfbed6516dae6cc97e8459f13a.exe
Verdict:
No threats detected
Analysis date:
2021-12-13 21:36:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/30db81ed-a72b-42d0-97cd-bdac12b95412

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
DNS request
Launching a process
Creating a window
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61b7a7bc47bb875c085b3d68/reports/e12137ad-775a-4b17-b9a5-438e2ca097a1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3de917df-3f95-4e6c-9fea-aa9bd8f825e7
Result
Threat name:
SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/906633
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Execution Of Other File Type Than .exe
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 539116 Sample: wX4OAXVFec.exe Startdate: 13/12/2021 Architecture: WINDOWS Score: 100 67 149.154.167.99 TELEGRAMRU United Kingdom 2->67 69 91.219.236.207 SERVERASTRA-ASHU Hungary 2->69 71 4 other IPs or domains 2->71 89 Antivirus detection for dropped file 2->89 91 Antivirus / Scanner detection for submitted sample 2->91 93 Multi AV Scanner detection for submitted file 2->93 95 19 other signatures 2->95 11 wX4OAXVFec.exe 10 2->11         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->57 dropped 14 setup_installer.exe 29 11->14         started        process6 file7 59 C:\Users\user\AppData\...\setup_install.exe, PE32 14->59 dropped 61 C:\Users\user\AppData\...\Thu22fb5dfa4242.exe, PE32 14->61 dropped 63 C:\Users\user\...\Thu22de947fed806c262.exe, PE32 14->63 dropped 65 24 other files (14 malicious) 14->65 dropped 17 setup_install.exe 1 14->17         started        process8 signatures9 85 Adds a directory exclusion to Windows Defender 17->85 87 Disables Windows Defender (via service or powershell) 17->87 20 cmd.exe 1 17->20         started        22 cmd.exe 17->22         started        24 cmd.exe 17->24         started        27 10 other processes 17->27 process10 signatures11 29 Thu22aa61d2460f7038.exe 20->29         started        32 Thu22867efe978a8a2b2.exe 1 22->32         started        97 Adds a directory exclusion to Windows Defender 24->97 99 Disables Windows Defender (via service or powershell) 24->99 34 powershell.exe 12 24->34         started        36 Thu22fb5dfa4242.exe 27->36         started        38 Thu229e58ed27.exe 27->38         started        40 Thu221a99cfcfb55c847.exe 27->40         started        44 5 other processes 27->44 process12 dnsIp13 101 Machine Learning detection for dropped file 29->101 103 Injects a PE file into a foreign processes 29->103 105 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 29->105 46 Thu22aa61d2460f7038.exe 1 29->46         started        107 Antivirus detection for dropped file 32->107 109 Sample uses process hollowing technique 32->109 111 Query firmware table information (likely to detect VMs) 36->111 113 Tries to evade analysis by execution special instruction which cause usermode exception 36->113 73 51.91.13.105 OVHFR France 40->73 75 159.69.92.223 HETZNER-ASDE Germany 40->75 49 C:\Users\user\AppData\...\softokn3[1].dll, PE32 40->49 dropped 51 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 40->51 dropped 53 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 40->53 dropped 55 6 other files (none is malicious) 40->55 dropped 77 148.251.234.83 HETZNER-ASDE Germany 44->77 79 149.28.253.196 AS-CHOOPAUS United States 44->79 81 192.168.2.1 unknown unknown 44->81 file14 signatures15 process16 dnsIp17 83 8.8.8.8 GOOGLEUS United States 46->83
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f21a2fa48b72b3bf5876cc3ba39ded1e5891d32d403ef424407f1dc96cdddc65/
Threat name:
Win32.Trojan.Antiloadr
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 10:02:39 UTC
File Type:
PE (Exe)
Extracted files:
446
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6inc7jelokz36wdwzq52hhpndzmjduznia7pijcap4o4s3g53rsq._file
Verdict:
malicious
Similar samples:
22ebb950592ccc987fd1dab9ddcd34c4fc519975dc1b82e4a793dc038d2d8e41
RaccoonStealer
5b77e331ff166d24ccaf781b84705bb6afcceaaa708024d54efc2a10f515c32a
RaccoonStealer
87a0e76ffaebb434696dff4449ad27f6912937899749b7d8eb3b623615176a78
RaccoonStealer
981b90f1d189a21e3b3cc5363f369aa6534614cb63dc76de811aacd583a43b30
RaccoonStealer
e88ecbbe677d8cfb97ba9a42db6f8b038aa96526b283b9de8635a80dd25790dd
RaccoonStealer
f5b716c1a860c94a7720b3f9995e92b39fa068bdc14179e6d2f897d0bc494c45
RaccoonStealer
+ 795 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:915 botnet:e01406cf9a804c70b4a66c9ff45ad42151469416 aspackv2 backdoor evasion infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211213-yve82aebe2/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
Amadey
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
http://www.wgqpw.com/
185.215.113.35/d2VxjasuwS/index.php
https://qoto.org/@mniami
https://noc.social/@menaomi
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Unpacked files
SH256 hash:
fef7035989f56b8ab573adb9d3d91363668af7b0b71d4cb44d52f941fde3ad4f
MD5 hash:
b712d9cd25656a5f61990a394dc71c8e
SHA1 hash:
f981a7bb6085d3b893e140e85f7df96291683dd6
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
e668c883a9d45987689a62b2fb859df8e3fb614bf92cb3a90452f72c17fb4f87
MD5 hash:
dffa5d6909142b984045784f39599ab3
SHA1 hash:
df8f19c5f265ccc702d013b549af93059d009fb7
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
ee3f9178db420242904907580f747192d070ba5f893bc24d7cdc9e2d68df0f8a
MD5 hash:
0a95d1e59bd1fa933d9e7d74a0635532
SHA1 hash:
dcd82a0d49126a118cabea10eca518ba41422e5c
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
fd9f4e21de9b2572e10b18845e76bd926d855a439adaa6ee22ac63bf4f9c2cf7
MD5 hash:
c4204e50683d6075226e5dc5f799f9a0
SHA1 hash:
d8f6678e42c49fe416881a5f4cb8ded586d95308
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
MD5 hash:
f6271f82a952f96ba9271a4a27c9f22f
SHA1 hash:
d12708b9e39a0cd06add96316b65f1668d6a1246
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
451c693481de62b1a2768050df0e7aba4d7eaa2c70ef924ccc5992f947d27b70
MD5 hash:
2fa2b1760a549b8a8988fbf66c0204ab
SHA1 hash:
cf0a32127dd6d688fbebd56f6c2b672455b5683d
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
48e4f2723df4ba78e1773a91924f7b32d92b5c92add721fc23733c8e9e0acdb6
MD5 hash:
b1420a5cdbad8679c9c28e18679224a9
SHA1 hash:
bc687692a39efd4913b5471b6e6e5cc4a81c527b
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
106eb26f554d298813b9043d2b79c76d6e78662d3be0e09d84348cde9a059c5b
MD5 hash:
311df1e05a9c8b55c064aaa45264fbd8
SHA1 hash:
ab99cc9270cebd415eafff2701c04d569abcae86
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
96cd6c789b0efb47d71dea1121a59f0cfe35df0a6a5105b37c6d96ca0f21c12b
MD5 hash:
a9599f63bb5ead25178212989e597810
SHA1 hash:
a8bc21eb81eaaa8ea02fb59906a367380c6921e7
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
30e3efed39facc141f211c462f31a795c431c0745e9c95a03863e5e37fc4b2db
MD5 hash:
8c83858af0ba1327303326f409c7c487
SHA1 hash:
8c7ec43314743847d29879218729df532af5f9ee
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
1662ef5fc4f91d7f3db6e36e70c1c89983ecea17e3058f560c23705e5586013d
MD5 hash:
47eba3836ecc2bcc02a26764eaf8c068
SHA1 hash:
45ca4457caa41849383098852c761876982c07f0
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
53a13d9b85c62c225f80677e7e84f0e4b3980c0695a7606212176326f2ee72e0
MD5 hash:
ba4548a88c431f3b9e3777e165a62f60
SHA1 hash:
412ca7d19a5bbc44fe0382a59f1bbae0eb1be44d
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
20ea684200df1613c743f53311f20dee81f90eb177506eef9a3b59049bc8a29c
MD5 hash:
7f128ea3e008142a2f6c4daa27364c1a
SHA1 hash:
2c60e9cb463e51c1432b1a1bbe88450ddc0823f9
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
2ac2f22f376075b29c0b6c787c57ce9a70ef0727bfb1617c3bfb94198bfa7640
MD5 hash:
f9c6d895abb9e1dac411cf78baeb5dfb
SHA1 hash:
16445ba3e98d44624eb922f7d28ca1b7bbcce1bd
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
0e38d6da609f88ddbb0efcf976acd158d126efd5825bf31198b5a06c1cb11af7
MD5 hash:
8650ca33a8ff3497d05e2065d3b84092
SHA1 hash:
0c68de6bda05747a8c58b7f2009126499465c01b
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
395ea61f7c5ff25382eba5489984553b9c92c45a6f3952c2a8ec60d4b17fe9a0
MD5 hash:
e1b2c226db2127b94942b6929a416b9f
SHA1 hash:
1fd29ae46f2d22ae0b9e610f4bf90bf8b4c1b0b7
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
Parent samples :
3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
9c00e935a41bb1dc0b2b65ac18c0a1be05bdc555676e7eb8a830590b52e55436
MD5 hash:
e7526d8f9a8f888b75b85f9a1ebae3dc
SHA1 hash:
79ca1cbf3184302db8defa924c43295106021c7e
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
db51913dcbd74a51e46f4d8dca34ddaf44a928fd5250b34858b9d165dd68eca4
MD5 hash:
74f0d39f05f13a059791497a61471842
SHA1 hash:
f5c39e3b0429cba32f009b191d12b590378aa51e
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
376bf69f01fe65802f1ec35b8715067687c4bd47937154fc4c3903b06fe89a92
MD5 hash:
feea5b4bc6a46188e7998b53b668d6fe
SHA1 hash:
ff73a76d88ba96baba23acf669ab2fb61e541916
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
a174e0d67eca3a59399994a54a44f4f2b7584f286dcf3cdb7a80f1ef83c010c6
MD5 hash:
b3b683d8cb51a926977080d7f7cf4bf5
SHA1 hash:
82eb466d03c72417f1a3f1320ccb732899af5e88
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
45d9692387c93cf23ad0acf2414db0e14561b9c1348c6ba542c7eebd98c3a6fb
MD5 hash:
b80ef2cf9a5e9b17cd11a39c70b4b8d9
SHA1 hash:
f54927d935d696ab267e5fa1f0e710ffffbd3359
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
1a6d9eb72531d6cdd70ffb0524aebdbd96ac0787590a1f81310c5428bee42318
MD5 hash:
518cfedd1ab25cd5d9e79d258e1103f2
SHA1 hash:
d734431a9d9955fbfe50c68ae3304f5337611fcc
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash:
e74d9b73743dfbb9f025a7908c85da37
SHA1 hash:
8a5b323b090cb0d2c4ff59f0ef520d323dd86097
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
fdceba054ec00f95b58fa1afb87c2b7c2446cfeb14b17b44976cddc11e40af60
MD5 hash:
9415b7eff193a1f0b6a2ba337cb13bc9
SHA1 hash:
e1d1ada2ec5ce0f504474573a3855487e4aa2653
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
14efaab946fcdd710ab5aca7aaae03384645b835557daf7d8f2d69ead07ed288
MD5 hash:
ae71b42fa3dde104f6b2407a618207f0
SHA1 hash:
97444fa8aac92de2321e194867fde0c2713aab6d
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
8d3969cb79d43cc377f8e055925ebed4f86b5d0aa0e43d50220fa6cce57cf6f5
MD5 hash:
f5f47bfb4cf5eee6b39aec54c3c69324
SHA1 hash:
d72ca97b3ccb816b2b461b86f0504a6a6995d8cf
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
862008b06254923939bedb8de791dcedc0438e5c5754d67c7b6dea3ceddc9d49
MD5 hash:
9b493d27f3e62826812ddac483bd2ef1
SHA1 hash:
d8f8a22bf3338e41c2588de4600a713eea6deed3
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
SH256 hash:
f21a2fa48b72b3bf5876cc3ba39ded1e5891d32d403ef424407f1dc96cdddc65
MD5 hash:
0b24fbcfbed6516dae6cc97e8459f13a
SHA1 hash:
7f1341dd37f153febb7028f6aae997524de39864
Link:
https://www.unpac.me/results/97336732-be0a-4249-a075-ef8232b0333e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f21a2fa48b72b3bf5876cc3ba39ded1e5891d32d403ef424407f1dc96cdddc65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments