MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 057c94c9a7d7d2f63911469b1c25fac5b374d9f54a0d57319820df2496938bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 057c94c9a7d7d2f63911469b1c25fac5b374d9f54a0d57319820df2496938bbd
SHA3-384 hash: edb897458ffeac1eec584ba6d7c60c8ab5eacadce3738cc1fef72ad2d55248f708c6999dc08c503abfd13c367ad6a516
SHA1 hash: f61e60763287bae7c06fdc924bbf63c197f22c03
MD5 hash: 82fcdbe5c0c44003806ee3cb7ebbcc0a
humanhash: kentucky-whiskey-skylark-kentucky
File name:82fcdbe5c0c44003806ee3cb7ebbcc0a.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:364'544 bytes
First seen:2021-11-18 18:24:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9abf03d4e22c0a12cb29c8d67fb192e4 (3 x Smoke Loader, 2 x RaccoonStealer, 1 x DanaBot)
ssdeep 6144:LNSIUG6+YwtiM8/cmLFzVL2rIqFqqPSAhXgFwh6SmRqQ0JWqZy:/riL/BhVLt3IHhOwh6SmRMWqA
Threatray 4'316 similar samples on MalwareBazaar
TLSH T19574BF00B7E0C034F5B752F88A7593A8B93F7AA17B2591CB12D526EE5675AE0EC30317
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-11-18 15:47:40 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar
Link:
https://app.any.run/tasks/f7900a48-f9c8-4d79-93b6-42329ab6823c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/207327/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61969a8143e8f62b66991d5d/reports/64859d9c-fe17-400c-b34b-811404911d06/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/168bbed3-d0dc-41a4-8c0c-90b7969d27ed
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892179
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 524654 Sample: pl8c1emoOu.exe Startdate: 18/11/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Antivirus detection for URL or domain 2->65 67 Yara detected AntiVM3 2->67 69 6 other signatures 2->69 10 pl8c1emoOu.exe 1 17 2->10         started        process3 dnsIp4 51 iloveart.top 213.108.199.105, 49748, 80 WORLDSTREAMNL Russian Federation 10->51 53 185.70.186.138, 80 HOSTKEY-ASNL Netherlands 10->53 55 6 other IPs or domains 10->55 39 C:\Users\user\AppData\...\2024482284.exe, PE32 10->39 dropped 41 C:\Users\user\AppData\Local\...\2wwbh2[1].cfg, PE32 10->41 dropped 43 C:\Users\user\AppData\Local\...\2wwbh2[1].cfg, PE32 10->43 dropped 79 Detected unpacking (changes PE section rights) 10->79 81 Detected unpacking (overwrites its own PE header) 10->81 83 May check the online IP address of the machine 10->83 15 cmd.exe 1 10->15         started        file5 signatures6 process7 process8 17 2024482284.exe 3 15->17         started        20 conhost.exe 15->20         started        signatures9 57 Writes to foreign memory regions 17->57 59 Allocates memory in foreign processes 17->59 61 Injects a PE file into a foreign processes 17->61 22 vbc.exe 82 17->22         started        process10 dnsIp11 45 91.219.236.27, 49812, 80 SERVERASTRA-ASHU Hungary 22->45 47 91.219.237.226, 49813, 80 SERVERASTRA-ASHU Hungary 22->47 49 cdn.discordapp.com 162.159.129.233, 443, 49839 CLOUDFLARENETUS United States 22->49 31 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 22->31 dropped 33 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 22->33 dropped 35 C:\Users\user\AppData\...\mozglue.dll, PE32 22->35 dropped 37 57 other files (none is malicious) 22->37 dropped 71 Tries to steal Mail credentials (via file / registry access) 22->71 73 Contains functionality to steal Internet Explorer form passwords 22->73 75 Tries to harvest and steal browser information (history, passwords, etc) 22->75 77 DLL side loading technique detected 22->77 27 3mERAEGFxD.exe 1 22->27         started        file12 signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/057c94c9a7d7d2f63911469b1c25fac5b374d9f54a0d57319820df2496938bbd/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 18:25:06 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1568b8e7d343c78a1caada915a204f1856818867f29aedd77f38a5d3241f1996
RaccoonStealer
2dbaa3f2ead6dc481674eae6820704e3b6f3be60b9958340cf0a07b893d6e68f
RaccoonStealer
331a035b68c79153633b20c90532d477d07195bfb7010eadcae4ce8b43d49365
RaccoonStealer
3e33a762d28ac7fe0d78e56069f724e9bea14bc545e156ebfc2eed63aa70ad0f
RaccoonStealer
4a71d07d441cfbe49f254eb5b374065391f8f12723096a9d35f84148ab099456
RaccoonStealer
78b2b161f808c002683f02842b501435d4cb7882fb983705ddef7630ad4fdfcf
RaccoonStealer
87da691d7cc3e60c8cfcdd20e2499c1e37e21a615e6e3ec4a0317a3af0227ada
RaccoonStealer
9229ec3799a341bd19431bdeff3486ca918529c155692fff783b22e4fb34a0a7
RaccoonStealer
+ 4'306 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:5e31a824539ad371db8ef3c1d45702a17982fbd3 stealer
Link:
https://tria.ge/reports/211118-w2l9tafadn/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
c6008df01ccc3d36abe9562a14243911335281bb9c88a4741cfdb5c4e289effd
MD5 hash:
9df9dc4607a471ec755921909c41bc1e
SHA1 hash:
ec2a689a324bfc67f6016047524f7409a816494c
Link:
https://www.unpac.me/results/e4b442de-c901-4e70-bca1-cabb181e4118/
SH256 hash:
057c94c9a7d7d2f63911469b1c25fac5b374d9f54a0d57319820df2496938bbd
MD5 hash:
82fcdbe5c0c44003806ee3cb7ebbcc0a
SHA1 hash:
f61e60763287bae7c06fdc924bbf63c197f22c03
Link:
https://www.unpac.me/results/e4b442de-c901-4e70-bca1-cabb181e4118/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/057c94c9a7d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/057c94c9a7d7d2f63911469b1c25fac5b374d9f54a0d57319820df2496938bbd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207327/

Comments