MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02cc17250b31fad5f305a6336430bc862392b79384acf7523178bb2178c422ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02cc17250b31fad5f305a6336430bc862392b79384acf7523178bb2178c422ce
SHA3-384 hash: a3251df2c034d2087e436426139257a72168e313ef79d83e26a3fb01ef6c32c7ba6d7e00ad87d730b2e597eafc2487ea
SHA1 hash: 5e755d39a008ba7f0595b09c11b834f0a31acd10
MD5 hash: 17738cb5bbe32bbee56320fff5c327cb
humanhash: utah-august-blue-march
File name:toolspab2.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:167'424 bytes
First seen:2021-04-10 13:54:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 184831578683bbb147b526b96ff959bd (1 x RaccoonStealer)
ssdeep 3072:Hph14y94fo9792LmJ7/K0E5/Q7D5DJI/:HD4QqLS+/0
Threatray 761 similar samples on MalwareBazaar
TLSH 15F39E24B6E0D133D59728705974C2E25A3ABEB26FA491C7B7883F2E5E712F05A31703
Reporter James_inthe_box
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
toolspab2.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-10 13:55:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/47f03057-4384-4a2c-89d3-6c113410fbca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133492/
Detection(s):
SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Connection attempt to an infection source
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c437ad85-5723-472c-b128-35f1c0c101f3
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/672020
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384957 Sample: toolspab2.exe Startdate: 10/04/2021 Architecture: WINDOWS Score: 100 85 clientconfig.passport.net 2->85 87 api.ip.sb 2->87 89 3 other IPs or domains 2->89 115 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->115 117 Multi AV Scanner detection for domain / URL 2->117 119 Found malware configuration 2->119 121 10 other signatures 2->121 11 toolspab2.exe 2->11         started        14 utdwiet 2->14         started        signatures3 process4 signatures5 133 Detected unpacking (changes PE section rights) 11->133 135 Contains functionality to inject code into remote processes 11->135 137 Injects a PE file into a foreign processes 11->137 16 toolspab2.exe 1 11->16         started        19 BackgroundTransferHost.exe 19 11->19         started        21 utdwiet 1 14->21         started        process6 file7 105 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->105 107 Renames NTDLL to bypass HIPS 16->107 109 Maps a DLL or memory area into another process 16->109 24 explorer.exe 17 16->24 injected 59 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 21->59 dropped 111 Checks if the current machine is a virtual machine (disk enumeration) 21->111 113 Creates a thread in another existing process (thread injection) 21->113 signatures8 process9 dnsIp10 91 999080321yomtest251-service10020125999080321.ru 24->91 93 999080321yirtest231-service10020125999080321.ru 24->93 95 66 other IPs or domains 24->95 61 C:\Users\user\AppData\Roaming\utdwiet, PE32 24->61 dropped 63 C:\Users\user\AppData\Local\Temp\5531.exe, PE32 24->63 dropped 65 C:\Users\user\AppData\Local\Temp\4E79.exe, PE32 24->65 dropped 67 6 other files (4 malicious) 24->67 dropped 123 System process connects to network (likely due to code injection or exploit) 24->123 125 Benign windows process drops PE files 24->125 127 Performs DNS queries to domains with low reputation 24->127 131 2 other signatures 24->131 29 332D.exe 80 24->29         started        34 explorer.exe 24->34         started        36 B2C3.exe 24->36         started        38 8 other processes 24->38 file11 129 Tries to resolve many domain names, but no domain seems valid 93->129 signatures12 process13 dnsIp14 97 lomhasnopryiyome.top 74.119.195.170, 443, 49735 MOVECLICKLLCUS United States 29->97 99 telete.in 195.201.225.248, 443, 49734 HETZNER-ASDE Germany 29->99 73 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 29->73 dropped 75 C:\Users\user\AppData\...\vcruntime140.dll, PE32 29->75 dropped 77 C:\Users\user\AppData\...\ucrtbase.dll, PE32 29->77 dropped 83 56 other files (none is malicious) 29->83 dropped 141 Tries to steal Mail credentials (via file access) 29->141 143 Contains functionality to steal Internet Explorer form passwords 29->143 145 Tries to harvest and steal browser information (history, passwords, etc) 29->145 40 cmd.exe 29->40         started        101 999080321newfolder1002-01312599908032135.site 34->101 147 System process connects to network (likely due to code injection or exploit) 34->147 149 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->149 79 C:\Users\user\AppData\Local\Temp\new.exe, PE32+ 36->79 dropped 81 C:\Users\user\AppData\Local\Temp\build.exe, PE32 36->81 dropped 42 new.exe 36->42         started        151 Detected unpacking (changes PE section rights) 38->151 153 Detected unpacking (overwrites its own PE header) 38->153 155 Injects a PE file into a foreign processes 38->155 46 4E79.exe 38->46         started        49 4167.exe 38->49         started        51 4167.exe 38->51         started        53 5531.exe 38->53         started        file15 signatures16 process17 dnsIp18 55 conhost.exe 40->55         started        57 timeout.exe 40->57         started        69 C:\Users\user\AppData\Local\...\Services.exe, PE32+ 42->69 dropped 71 C:\Users\user\AppData\...\sihost64.exe, PE32+ 42->71 dropped 139 Drops PE files with benign system names 42->139 103 176.57.69.148 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 46->103 file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02cc17250b31fad5f305a6336430bc862392b79384acf7523178bb2178c422ce/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2021-04-10 13:54:14 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
012d5c894ccd2bf291fef8f312c37efdcaae7375c2d65bfa8b9d55f43e4c072a
RaccoonStealer
10fb27aeb699fab2c1e2c4be638674d6fc421553ed87373d3d8483e8bdc29047
RaccoonStealer
27614f810715e1ac5987d10abdac7e101227f1ff49e470cd0fee680c604d672d
RaccoonStealer
78f5967d8bd5d31343632e8558b9315d9d44d009c923b9c41d417943906f2849
RaccoonStealer
7ca4eb9602b54dd5a1003cc83c39d0cc07aeb041cf8be6562f656675a40e4ee8
RaccoonStealer
86f57444e6f4a40378fd0959a54794c7384d04678f8c66dfb7801f3d0cfc0152
RaccoonStealer
b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed
RaccoonStealer
b406e4a74e433abdb7068ce8de04bb25eb3954f0c6620adc317153c1c4eb30eb
RaccoonStealer
d3e7387c7a11a1f82b133b18bf2e3972617ecb3ea29e7366c93024d1fc4af6ab
RaccoonStealer
f8bf48e34c4002e07e7c57dc4eee52abe141b8a9cfb693325229f56cca507d40
RaccoonStealer
+ 751 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader family:vidar botnet:3d7990f080e9dcb56104447e3789dec4380efc8b botnet:afefd33a49c7cbd55d417545269920f24c85aa37 backdoor discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/210410-tq5jlqbttn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Raccoon
SmokeLoader
Vidar
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Unpacked files
SH256 hash:
6cc63b665ea65def9c5f8c4f1c73e2124e041cdc6c55fda6a464cdc19420a273
MD5 hash:
5cff71255f4b94a23e2bb7520601d90b
SHA1 hash:
2f236e55ba4873e11400e10755bfecd5443bf2c4
Link:
https://www.unpac.me/results/850666fb-28dd-41f6-88e6-e942bb77ce4d/
SH256 hash:
02cc17250b31fad5f305a6336430bc862392b79384acf7523178bb2178c422ce
MD5 hash:
17738cb5bbe32bbee56320fff5c327cb
SHA1 hash:
5e755d39a008ba7f0595b09c11b834f0a31acd10
Link:
https://www.unpac.me/results/850666fb-28dd-41f6-88e6-e942bb77ce4d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02cc17250b31fad5f305a6336430bc862392b79384acf7523178bb2178c422ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/133492/

Comments