MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34
SHA3-384 hash:	c09cb6b10fe27655921b9f8c6ec10365ff015e2539830660f84dbcac07bb2fb62efd81613a99f0ea3469f50e26e64025
SHA1 hash:	596f5d5270a2031e1487d28a2d740bfa23c9376f
MD5 hash:	88d2ca69818db3e5bfd37b797b65c81f
humanhash:	lithium-bravo-batman-cat
File name:	88d2ca69818db3e5bfd37b797b65c81f.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	315'904 bytes
First seen:	2022-02-03 10:50:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	aa17de4797e2f58234070c4dc34e5bf7 (1 x RaccoonStealer)
ssdeep	6144:tmP2WWPm2ZrMIL3Z/RbF26C2ZTGpCv0ouNcS8Sx4M8jsKorpY:wOWS9mIzFRbF262pCv0ouDH4TsrY
TLSH	T11B648D10BB90C035E5F712F449BA93ADA93E7EA25B2550CF53D52AEE4A346E0EC31317
File icon (PE):
dhash icon	2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://91.219.236.18/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://91.219.236.18/	https://threatfox.abuse.ch/ioc/378337/

Intelligence

File Origin

# of uploads :

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/232123/

Detection(s):

Win.Malware.Dropperx-9938227-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for synchronization primitives

Creating a file

Launching a process

Changing a file

Creating a file in the %AppData% subdirectories

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Query of malicious DNS domain

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5855/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4bc56568-7c65-4d45-913a-4e230f1e2ebf

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933242

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34/

Threat name:

Win32.Backdoor.Systembc

Status:

Malicious

First seen:

2022-02-03 08:37:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=63xj753yzhxvkepsgrgs3pyldgkxrymspbbg5wcmmhkhaqivzi2a._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/220203-mxvwqagaf7/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://host-data-coin-11.com/
http://file-coin-host-12.com/

Unpacked files

SH256 hash:

196c516ea546fb935ac669681a74a4dc80da79d9088f464f6cc6f126ae934f4e

MD5 hash:

c36de8bc9668ec4eaafca4c349dca0d5

SHA1 hash:

ea2cadfada69b93ca3abeb8b2462c5c18891fabf

Link:

https://www.unpac.me/results/07a70de1-fe3a-4ea8-98f8-b6dfa8a66e5b/

Parent samples :

6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
8928eed86ea55a63e3646bf8ca403b4b1e57702f73c1ecc8fa403b5700a304ef
18ad362dcae8df5827846223c09ceba7766e09733b685d4067ee39037daec452
da39948d95cdbce6e1ca9e0fdbb77080164a379f593e530b5732d3fc38df7bf8
7c74a8c41e24f69015185f78b8fbc177edcbe9d27099e904497b2310999f74cb
92ebb6be19502fe2573a9eac183bcc657b88ac5b0344285d9db409b0a3d88dab
af6fa095b427a0e95dd826696c2b92b0123e688e3c95f6d27825cc2928085d1b
de8099732ee5b73f3fa6d032a74e8576d06663fc16b2c6da27a34444fdced1c8

SH256 hash:

f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34

MD5 hash:

88d2ca69818db3e5bfd37b797b65c81f

SHA1 hash:

596f5d5270a2031e1487d28a2d740bfa23c9376f

Link:

https://www.unpac.me/results/07a70de1-fe3a-4ea8-98f8-b6dfa8a66e5b/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f6ee9ff778c9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

exe f6ee9ff778c9ef5511f2344d2dbf0b199578e19278426ed84c61d4704115ca34

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2020729/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2013850/

Cape

https://www.capesandbox.com/analysis/232123/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample