MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 020766cdf4f0fbb51c4037c9563f1df152a45d59bfabe17726d6d45f3179b423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 020766cdf4f0fbb51c4037c9563f1df152a45d59bfabe17726d6d45f3179b423
SHA3-384 hash: ae335dbc03383c025ab025940a59e9ea2a653deb4249428b2b515bb20bfaee6e4f5c9275975f0059f89c4483e3e992f8
SHA1 hash: a0a2e98959b05182af09090d43bf7eb41f52634c
MD5 hash: 1c59e4fbaf59f978a51ca4e2f63ffe87
humanhash: two-coffee-kentucky-one
File name:1c59e4fbaf59f978a51ca4e2f63ffe87.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:858'624 bytes
First seen:2021-05-24 06:31:35 UTC
Last seen:2021-05-24 07:02:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48d2401545bc23ddf9125d8d09f6c7f1 (4 x RaccoonStealer, 1 x Glupteba, 1 x CryptBot)
ssdeep 12288:Km0+eQDSCvrKdZi9jw5NX/4SC9jv+sZY9p9zw21HQ3BWzk4JI/Vl3rQSJdXsL:peQrUywHP4SCNvByxw21XJI/VtdXsL
Threatray 118 similar samples on MalwareBazaar
TLSH EA05F131A6A0C034F1AF15F189B5C2B8E52A7DA1672440FF52C63AEA55379E4AF3074F
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c59e4fbaf59f978a51ca4e2f63ffe87.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-24 06:38:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74df5fe2-108e-4a40-aac6-837bba78085e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
STOP
Create hunting rule
Link:
https://www.capesandbox.com/analysis/161252/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46348681.11621.24214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu Raccoon
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790068
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 422465 Sample: Rz9rpSFadK.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Multi AV Scanner detection for domain / URL 2->106 108 Found malware configuration 2->108 110 8 other signatures 2->110 12 Rz9rpSFadK.exe 2->12         started        15 Rz9rpSFadK.exe 2->15         started        17 Rz9rpSFadK.exe 2->17         started        19 Rz9rpSFadK.exe 2->19         started        process3 signatures4 132 Detected unpacking (changes PE section rights) 12->132 134 Detected unpacking (overwrites its own PE header) 12->134 136 Contains functionality to inject code into remote processes 12->136 21 Rz9rpSFadK.exe 1 18 12->21         started        138 Writes many files with high entropy 15->138 140 Injects a PE file into a foreign processes 15->140 25 Rz9rpSFadK.exe 15->25         started        27 Rz9rpSFadK.exe 17->27         started        29 Rz9rpSFadK.exe 19->29         started        process5 dnsIp6 94 api.2ip.ua 77.123.139.190, 443, 49716, 49723 VOLIA-ASUA Ukraine 21->94 96 192.168.2.1 unknown unknown 21->96 76 C:\Users\user\AppData\...\Rz9rpSFadK.exe, PE32 21->76 dropped 78 C:\Users\...\Rz9rpSFadK.exe:Zone.Identifier, ASCII 21->78 dropped 31 Rz9rpSFadK.exe 21->31         started        34 icacls.exe 21->34         started        98 asvb.top 27->98 80 C:\Users\user\Desktop\Rz9rpSFadK.exe, data 27->80 dropped file7 process8 signatures9 142 Injects a PE file into a foreign processes 31->142 36 Rz9rpSFadK.exe 1 27 31->36         started        process10 dnsIp11 90 asvb.top 35.235.74.220, 49724, 49725, 49726 GOOGLEUS United States 36->90 92 api.2ip.ua 36->92 68 C:\Users\user\AppData\...\updatewin1.exe, PE32 36->68 dropped 70 C:\Users\user\AppData\Local\...\5.exe, PE32 36->70 dropped 72 C:\Users\user\...\MediaDb.v1.sqlite-wal, DOS 36->72 dropped 74 168 other files (155 malicious) 36->74 dropped 114 Tries to harvest and steal browser information (history, passwords, etc) 36->114 116 Infects executable files (exe, dll, sys, html) 36->116 118 Modifies existing user documents (likely ransomware behavior) 36->118 41 5.exe 82 36->41         started        46 updatewin1.exe 2 36->46         started        file12 signatures13 process14 dnsIp15 100 tttttt.me 95.216.186.40, 443, 49731 HETZNER-ASDE Germany 41->100 102 genericalphabet.top 35.197.240.92, 443, 49733 GOOGLEUS United States 41->102 82 C:\Users\user\AppData\...\pY4zE3fX7h.zip, Zip 41->82 dropped 84 C:\Users\user\AppData\...behaviorgraph0W5da4Y8gi.zip, Zip 41->84 dropped 86 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 41->86 dropped 88 58 other files (none is malicious) 41->88 dropped 120 Tries to steal Mail credentials (via file access) 41->120 122 Tries to harvest and steal browser information (history, passwords, etc) 41->122 124 Writes many files with high entropy 41->124 48 cmd.exe 41->48         started        126 Detected unpacking (overwrites its own PE header) 46->126 128 Suspicious powershell command line found 46->128 130 Bypasses PowerShell execution policy 46->130 50 updatewin1.exe 46->50         started        file16 signatures17 process18 file19 54 conhost.exe 48->54         started        56 timeout.exe 48->56         started        66 C:\Users\user\AppData\Local\script.ps1, ASCII 50->66 dropped 112 Suspicious powershell command line found 50->112 58 powershell.exe 50->58         started        60 powershell.exe 50->60         started        signatures20 process21 process22 62 conhost.exe 58->62         started        64 conhost.exe 60->64         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/020766cdf4f0fbb51c4037c9563f1df152a45d59bfabe17726d6d45f3179b423/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-05-23 18:06:14 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
23 of 47 (48.94%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e55e17532909ad5ad34eb4e35d791b27c6951dd15a8baba34c29ae572c884d0
RaccoonStealer
20ebe8ff1da6f2023a43b3e3cbe14479961699f9dec0324f72070fa2b275eaae
RaccoonStealer
496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38
RaccoonStealer
6cc9956ed6e36fa513a5fb0a2826196a65fb9ca4d9fa4d9e46d5189e143a0702
RaccoonStealer
869bd0ca39150a6e0f87609ca7e927211ba9cf636b69c33c3cd09db85922dd94
RaccoonStealer
b48348bce63f1ad4550e28f99b61f3166e30eec746299c4258632a5fae95df7d
RaccoonStealer
ca81501a843554d574be590be9f5ec0c6560679c5b1e5b4e44a879f1c9be7351
RaccoonStealer
e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be
RaccoonStealer
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
RaccoonStealer
ed8a7ffec56f450a365e758012db092883bbd23565f3f9fbb004c189fb703de3
RaccoonStealer
+ 108 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1d76a465540f6a904ac9f1310fe3a3824b5b4549 discovery evasion persistence stealer
Link:
https://tria.ge/reports/210524-tjjyddmlh2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/020766cdf4f0fbb51c4037c9563f1df152a45d59bfabe17726d6d45f3179b423

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 020766cdf4f0fbb51c4037c9563f1df152a45d59bfabe17726d6d45f3179b423

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1256494/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/161252/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-24 07:24:47 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0052] File System Micro-objective::Writes File
6) [C0033] Operating System Micro-objective::Console
7) [C0040] Process Micro-objective::Allocate Thread Local Storage
8) [C0043] Process Micro-objective::Check Mutex
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process
11) [C0039] Process Micro-objective::Terminate Thread