MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04157eb6cdd54ef10f305bb2feb43eafa0c0335dea91afd4c153101737fa3dde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04157eb6cdd54ef10f305bb2feb43eafa0c0335dea91afd4c153101737fa3dde
SHA3-384 hash: 68d475e746264960144d0915d146df4b7dd442f7b0d742ebd226a23669d8c77ff16d3b7a5a0785753bca4ba1c789a996
SHA1 hash: 697045281146a2e7dba7ec5ffdd587985e6adf67
MD5 hash: 241e902c0d538548be6b89a94771aa07
humanhash: low-august-autumn-robin
File name:Intaller.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:580'608 bytes
First seen:2021-09-11 10:36:11 UTC
Last seen:2021-09-11 12:11:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 69566d56ce8187d49438dd02ea591694 (5 x Stop, 3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:7mYdiI2ZKtXUOKzpueiU6rRMleHrm1FtPnBcab+QR:6Ydk1xg261M48r5cab3R
Threatray 3'075 similar samples on MalwareBazaar
TLSH T1B7C4E030B6B0C035E8B726F889B997A8AD2D7DB16B3050CB62D536EB57346E49C30753
dhash icon e8e8e8e8aa62a489 (8 x RaccoonStealer, 6 x RedLineStealer, 2 x Tofsee)
Reporter Anonymous
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Intaller.exe
Verdict:
Malicious activity
Analysis date:
2021-09-11 10:37:04 UTC
Tags:
trojan stealer raccoon loader opendir
Link:
https://app.any.run/tasks/9e3111ca-9eb5-42ea-94e5-c2f32257ec7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187047/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop18.41125.17317.9525.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/063887fa-c934-469d-9cbd-a4c68026557e
Result
Threat name:
Raccoon Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849135
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481566 Sample: Intaller.exe Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 51 xmr.2miners.com 2->51 69 Sigma detected: Xmrig 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 13 other signatures 2->75 9 Intaller.exe 82 2->9         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 57 telete.in 195.201.225.248, 443, 49735 HETZNER-ASDE Germany 9->57 59 5.181.156.77, 49736, 80 MIVOCLOUDMD Moldova Republic of 9->59 61 45.137.190.31, 49737, 80 BITWEB-ASRU Russian Federation 9->61 43 C:\Users\user\AppData\...\s6YrH277Eg.exe, PE32+ 9->43 dropped 45 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 9->45 dropped 47 C:\Users\user\AppData\...\vcruntime140.dll, PE32 9->47 dropped 49 57 other files (none is malicious) 9->49 dropped 85 Detected unpacking (changes PE section rights) 9->85 87 Tries to steal Mail credentials (via file access) 9->87 89 Self deletion via cmd delete 9->89 91 2 other signatures 9->91 20 s6YrH277Eg.exe 25 8 9->20         started        25 cmd.exe 1 9->25         started        63 192.168.2.1 unknown unknown 14->63 65 127.0.0.1 unknown unknown 16->65 file6 signatures7 process8 dnsIp9 53 discord.com 162.159.136.232, 443, 49814 CLOUDFLARENETUS United States 20->53 55 httpbin.org 3.209.207.48, 443, 49813 AMAZON-AESUS United States 20->55 41 C:\Users\user\AppData\...\DriversService.exe, PE32+ 20->41 dropped 77 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->77 79 Writes to foreign memory regions 20->79 81 Modifies the context of a thread in another process (thread injection) 20->81 83 Injects a PE file into a foreign processes 20->83 27 InstallUtil.exe 20->27         started        31 powershell.exe 1 19 20->31         started        33 conhost.exe 25->33         started        35 timeout.exe 1 25->35         started        file10 signatures11 process12 dnsIp13 67 xmr.2miners.com 51.89.96.41, 2222, 49815, 49820 OVHFR France 27->67 93 Query firmware table information (likely to detect VMs) 27->93 37 conhost.exe 27->37         started        39 conhost.exe 31->39         started        signatures14 95 Detected Stratum mining protocol 67->95 process15
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/04157eb6cdd54ef10f305bb2feb43eafa0c0335dea91afd4c153101737fa3dde/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 10:37:08 UTC
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqkx5nwn2vhpcdzqlozp5nb6v6qmam255ki27vgbkmibon72hxpa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
14e4824be0683d1089694045fb18bfef2da645ab2c4c8b07158894e9d9ec2a1b
RaccoonStealer
1f33aa224f3464124f8f62a38f34e907e38d85af939cbb9156d058e172b6de04
RaccoonStealer
31452b50fe8475fa4566b814ed702c6910029ff66db45d3dbb21c2e3ed63594f
RaccoonStealer
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
RaccoonStealer
561a8533273e9f2b9c5fb33089538d4c70d6b7d6358750ba89dcf3c56417d95d
RaccoonStealer
64c1dfd4d78c54982f2908ecb8a61479adb6dd75a68c2ace5617d9a8de482298
RaccoonStealer
9e5261496e29772d832ce9eb4c8d0fea051a1b586c0a008529dfabb5ee5dc43a
RaccoonStealer
aa15c9a23c122e4df9220823e55ccc39dcb7ac6b0fd07633f5b850e787b1a61f
RaccoonStealer
dceba751e6f0a8c3466adbada5cc222ad99067f256cf640a1f8cdacfeba76141
RaccoonStealer
f5e61fcc4300b16d273ba8e0a957ad8cc89f757d5329409cfed0dea6ae64c322
RaccoonStealer
+ 3'065 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:fd34ae8fb78d0554aa7caf12c271e01efb3342f6 discovery persistence spyware stealer suricata upx
Link:
https://tria.ge/reports/210911-mntbjaeddj/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Raccoon
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
5f2954f943382869b6424414e0c4f33ec73c677b419122de0e6c4544a2a2f0fb
MD5 hash:
8175a7e3e9c1bb058531a51acb6f94a4
SHA1 hash:
faad4335b79bc551506d900aa47ea895820da16b
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/8deab6b7-f3d2-4706-83c1-bd520f95e919/
Parent samples :
5e3fb9f22a412050356e0ea4079847c7969c8aac021f8855404435032a4427e6
948c35c2c7611793fcc9042c65ca6224829ee9c923efd4e9845ab32857727721
71875b2f1fdbd32fcd8c8db55e437e150d7bfaba30c435d71cdcfdb31331080b
2544e6d8a7c6932c94db8a0194979926064237390b04ce96f1b4a8ca1956d21f
04157eb6cdd54ef10f305bb2feb43eafa0c0335dea91afd4c153101737fa3dde
SH256 hash:
04157eb6cdd54ef10f305bb2feb43eafa0c0335dea91afd4c153101737fa3dde
MD5 hash:
241e902c0d538548be6b89a94771aa07
SHA1 hash:
697045281146a2e7dba7ec5ffdd587985e6adf67
Link:
https://www.unpac.me/results/8deab6b7-f3d2-4706-83c1-bd520f95e919/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/04157eb6cdd5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04157eb6cdd54ef10f305bb2feb43eafa0c0335dea91afd4c153101737fa3dde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187047/

Comments