MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969
SHA3-384 hash: a7568d996329b2127a4e85c46641f867c841039ddd2ab97a899ff4b5150a79e5523cbb2873b8987a42d7474df3d81ea5
SHA1 hash: bd5f62284b8c1c905a72b3c7f66240a4704e1bfa
MD5 hash: a4822c960055c8c34fcc130bae6f0d86
humanhash: beryllium-washington-zulu-diet
File name:a4822c960055c8c34fcc130bae6f0d86.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:327'168 bytes
First seen:2021-12-07 23:46:11 UTC
Last seen:2021-12-08 01:34:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4eb02e1fe9496df33596532c6e671ce9 (2 x RedLineStealer, 2 x RaccoonStealer, 2 x Smoke Loader)
ssdeep 3072:9lLLm0Iy4e+AJgCUBrJcgHbm2mrYARcA+l5Bz7ruFrYEKL0gHU4uf3kl9buZXQ73:DQrJ3sp4bTSrY3g1B4ZuBu2qheBku
Threatray 8'408 similar samples on MalwareBazaar
TLSH T133648E1066A0D035F5B712F85AB99378A93E7EA16B3490CF13D427EA5B746E0EC3031B
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.147/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.147/ https://threatfox.abuse.ch/ioc/264838/

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a4822c960055c8c34fcc130bae6f0d86.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-07 23:51:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/59ae27cd-674d-4ead-9383-02f76674a663

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/212296/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31749.22561.1235.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1274/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes
Link:
https://www.filescan.io/uploads/61aff2784d8e6f3a5e181d1e/reports/a8bb150d-2192-43f5-9535-71a833927071/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c88bc4f5-788c-4dc2-9967-dff5efb26629
Result
Threat name:
RedLine SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/903529
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 536007 Sample: LpjqJFqssa.exe Startdate: 08/12/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 9 other signatures 2->47 8 LpjqJFqssa.exe 2->8         started        10 ugvjara 2->10         started        process3 signatures4 13 LpjqJFqssa.exe 8->13         started        65 Machine Learning detection for dropped file 10->65 67 Contains functionality to inject code into remote processes 10->67 69 Injects a PE file into a foreign processes 10->69 16 ugvjara 10->16         started        process5 signatures6 71 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->71 73 Maps a DLL or memory area into another process 13->73 75 Checks if the current machine is a virtual machine (disk enumeration) 13->75 18 explorer.exe 4 13->18 injected 77 Creates a thread in another existing process (thread injection) 16->77 process7 dnsIp8 33 file-coin-data-5.com 37.0.10.199, 49744, 49745, 49746 WKD-ASIE Netherlands 18->33 35 185.233.81.115, 443, 49809 SUPERSERVERSDATACENTERRU Russian Federation 18->35 37 3 other IPs or domains 18->37 27 C:\Users\user\AppData\Roaming\ugvjara, PE32 18->27 dropped 29 C:\Users\user\AppData\Local\Temp\C13C.exe, PE32 18->29 dropped 31 C:\Users\user\...\ugvjara:Zone.Identifier, ASCII 18->31 dropped 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Benign windows process drops PE files 18->51 53 Deletes itself after installation 18->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->55 23 C13C.exe 4 18->23         started        file9 signatures10 process11 dnsIp12 39 45.9.20.149, 42871, 49838 DEDIPATH-LLCUS Russian Federation 23->39 57 Multi AV Scanner detection for dropped file 23->57 59 Detected unpacking (changes PE section rights) 23->59 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->61 63 10 other signatures 23->63 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-12-07 19:55:26 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zabsgp5edtjr3ewjsqn6txodda7cocs53zsvesg7zdalt7xtfuq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
06d230cca12e200a7b7400e0a6a36fec7811a9d88fadb147fef454c953a23061
RaccoonStealer
168f62c6ea11a386469563c360ee5517da31015e774ccc9c8ba3d1bd4b4f45ef
RaccoonStealer
17dc1fee7e207e38779e7224fd0c5b9fd62909ada1c870c832bc603b2d11643b
RaccoonStealer
4d87dc42d7955f0441294956abfd9878b967ca196c6e1a3be40affc4877da5f9
RaccoonStealer
85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24
RaccoonStealer
c25d7f5497f9a12e564244665d9e83740bbcb88fa384fba9d3bc704f4da7d442
RaccoonStealer
fc2efbe9d556ba1bfae20033d0cb3503d4db0f09cce8090baefc78ecb897da49
RaccoonStealer
+ 8'398 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:bazarloader family:bitrat family:raccoon family:redline family:smokeloader botnet:f797145799b7b1b77b35d81de942eee0908da519 botnet:fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor dropper infostealer loader stealer suricata trojan
Link:
https://tria.ge/reports/211207-3svcdsdffn/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Bazar/Team9 Loader payload
Amadey
Bazar Loader
BitRAT
BitRAT Payload
Raccoon
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/5fed6058-fb76-4032-9127-6bca0e0fda36/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969
MD5 hash:
a4822c960055c8c34fcc130bae6f0d86
SHA1 hash:
bd5f62284b8c1c905a72b3c7f66240a4704e1bfa
Link:
https://www.unpac.me/results/5fed6058-fb76-4032-9127-6bca0e0fda36/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1856795/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/212296/

Comments