MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f914e285b0b9ed8bc7907abf730e0c56bc212a05c35e0b83bbd721836828f2f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f914e285b0b9ed8bc7907abf730e0c56bc212a05c35e0b83bbd721836828f2f0
SHA3-384 hash: 847b9d816be8f724c3ffa2e20c554ab088ac7226479cb414fa5ae88154e593a0e01af086397fe313b69e040069841898
SHA1 hash: b80306ce3c95596afd2c8de0d9b716ee0b947ef8
MD5 hash: 77bcc820076decab4b92833e4882caff
humanhash: uncle-quebec-oregon-mirror
File name:77bcc820076decab4b92833e4882caff.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:347'648 bytes
First seen:2021-11-06 08:15:40 UTC
Last seen:2021-11-06 10:22:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e4746628ebaf71569a51552a1011d76 (6 x RedLineStealer, 3 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 6144:KoWNA/G7qIgX+pxm4tgK7rRsG6UzZsrDy8iCW3:KoWH1gX+2egorRsG6UzZIa
TLSH T109748D006BB1C039F1B252F87975A3A8B53A7DA15B3450CF23D62AEE5634AE0EC71717
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
185.159.80.90:38637

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.159.80.90:38637 https://threatfox.abuse.ch/ioc/244238/
65.108.55.203:56717 https://threatfox.abuse.ch/ioc/244568/

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202874/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.35761.24777.23848.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/618639c52084b424af0bfa0f/reports/d3e0bab4-11a9-4207-a538-913f3bdad268/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f787c2b0-f82f-48b3-976e-daadb0ce2dbd
Result
Threat name:
RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884464
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 516908 Sample: luJyVZKp15.exe Startdate: 06/11/2021 Architecture: WINDOWS Score: 100 68 hefahei60.top 2->68 70 nusurtal4f.net 2->70 98 Multi AV Scanner detection for domain / URL 2->98 100 Found malware configuration 2->100 102 Antivirus detection for URL or domain 2->102 104 10 other signatures 2->104 11 luJyVZKp15.exe 2->11         started        14 dsrvurb 2->14         started        16 svchost.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 114 Contains functionality to inject code into remote processes 11->114 116 Injects a PE file into a foreign processes 11->116 20 luJyVZKp15.exe 11->20         started        118 Multi AV Scanner detection for dropped file 14->118 120 Machine Learning detection for dropped file 14->120 23 dsrvurb 14->23         started        122 Changes security center settings (notifications, updates, antivirus, firewall) 16->122 25 MpCmdRun.exe 1 16->25         started        process6 signatures7 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->106 108 Maps a DLL or memory area into another process 20->108 110 Checks if the current machine is a virtual machine (disk enumeration) 20->110 27 explorer.exe 6 20->27 injected 112 Creates a thread in another existing process (thread injection) 23->112 32 conhost.exe 25->32         started        process8 dnsIp9 76 192.162.246.70, 49799, 80 DATACHEAP-LLC-ASRU Russian Federation 27->76 78 privacytoolzfor-you6000.top 47.74.89.149, 49747, 49750, 49751 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 27->78 80 7 other IPs or domains 27->80 60 C:\Users\user\AppData\Roaming\dsrvurb, PE32 27->60 dropped 62 C:\Users\user\AppData\Local\Temp\D96C.exe, PE32 27->62 dropped 64 C:\Users\user\AppData\Local\Temp\B141.exe, PE32 27->64 dropped 66 6 other malicious files 27->66 dropped 124 System process connects to network (likely due to code injection or exploit) 27->124 126 Benign windows process drops PE files 27->126 128 Deletes itself after installation 27->128 130 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->130 34 306.exe 27->34         started        37 D96C.exe 1 27->37         started        40 2D42.exe 15 2 27->40         started        43 4 other processes 27->43 file10 signatures11 process12 dnsIp13 82 Multi AV Scanner detection for dropped file 34->82 84 Machine Learning detection for dropped file 34->84 86 Injects a PE file into a foreign processes 34->86 45 306.exe 34->45         started        56 C:\Users\user\AppData\Local\Temp\1105.tmp, PE32 37->56 dropped 88 DLL reload attack detected 37->88 90 Detected unpacking (changes PE section rights) 37->90 92 Maps a DLL or memory area into another process 37->92 96 2 other signatures 37->96 72 cdn.discordapp.com 162.159.135.233, 443, 49820, 49827 CLOUDFLARENETUS United States 40->72 48 2D42.exe 40->48         started        74 45.9.20.149, 10844, 49836 DEDIPATH-LLCUS Russian Federation 43->74 58 C:\Users\user\AppData\Local\...\zsnzdsd.exe, PE32 43->58 dropped 94 Antivirus detection for dropped file 43->94 50 cmd.exe 43->50         started        52 conhost.exe 43->52         started        file14 signatures15 process16 signatures17 132 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->132 134 Maps a DLL or memory area into another process 45->134 136 Checks if the current machine is a virtual machine (disk enumeration) 45->136 138 Creates a thread in another existing process (thread injection) 45->138 54 conhost.exe 50->54         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f914e285b0b9ed8bc7907abf730e0c56bc212a05c35e0b83bbd721836828f2f0/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-06 02:36:06 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ekofbnqxhwyxr4qpk7xgdqmk26cckqfynpaxa5324qyg2bi6lya._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:raccoon family:redline family:smokeloader family:tofsee family:vidar family:xmrig botnet:101 botnet:1cb6d1b7211b77f96ff654c9904c9c8522f8a677 botnet:23435346346 botnet:243f5e3056753d9f9706258dce4f79e57c3a9c44 botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 botnet:superstar backdoor discovery evasion infostealer miner persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/211106-j55t4sdhh8/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Core1 .NET packer
XMRig Miner Payload
Detected Djvu ransomware
Djvu Ransomware
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Vidar
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://hefahei60.top/
http://pipevai40.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
93.115.20.139:28978
185.215.113.29:36224
quadoil.ru
lakeflex.ru
185.92.73.142:52097
Unpacked files
SH256 hash:
f35e1d71747c52cddab320ae5b9ed35b24f3e1ec9b7434f6d36d7134c3eb66f8
MD5 hash:
2dff2302971aa16b6460fb12e203a6c0
SHA1 hash:
63b43efd66a20df66d92cf9a1c47ff64fb6a497e
Link:
https://www.unpac.me/results/bc463f68-99d5-45b6-b96b-ccf5df8504cb/
SH256 hash:
f914e285b0b9ed8bc7907abf730e0c56bc212a05c35e0b83bbd721836828f2f0
MD5 hash:
77bcc820076decab4b92833e4882caff
SHA1 hash:
b80306ce3c95596afd2c8de0d9b716ee0b947ef8
Link:
https://www.unpac.me/results/bc463f68-99d5-45b6-b96b-ccf5df8504cb/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f914e285b0b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f914e285b0b9ed8bc7907abf730e0c56bc212a05c35e0b83bbd721836828f2f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe f914e285b0b9ed8bc7907abf730e0c56bc212a05c35e0b83bbd721836828f2f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755148/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1740412/
Cape
Cape
https://www.capesandbox.com/analysis/202874/

Comments