MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a
SHA3-384 hash: 2c9bd15aa725b371eefad7a64f9357d32e53355e9af09e91f2bd096c4e874b772437fcfbeee622af8f5bc1f947744d6f
SHA1 hash: fda8dcb393ee1ab90e788dfe4b3813d7bf04c2e5
MD5 hash: 0baccbb3c9954f8e20d00fcc7b9c8197
humanhash: august-idaho-nineteen-sodium
File name:0baccbb3c9954f8e20d00fcc7b9c8197
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:472'576 bytes
First seen:2021-08-06 08:22:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2ba8e1f75a8e02687cc194905c50074 (12 x RaccoonStealer, 1 x Stop, 1 x ArkeiStealer)
ssdeep 12288:mpJBx86sDHsybjDs/if2yPrqbxduHmogdRO4EWb:mf8FDnbfs/7UrtxgRO4
Threatray 2'059 similar samples on MalwareBazaar
TLSH T15AA402123597C033E96175314C33C6EE5B677835ED21AA872B82927D6F76292EF27302
dhash icon 1272d292105c5c03 (31 x RaccoonStealer, 6 x Smoke Loader, 4 x Loki)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://tmpfiles.org/dl/86254/icon.png
Verdict:
Malicious activity
Analysis date:
2021-08-04 20:16:29 UTC
Tags:
evasion trojan stealer vidar rat redline phishing raccoon
Link:
https://app.any.run/tasks/80edef3c-be29-42b3-b452-2cb8609d210f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176942/
Detection(s):
Win.Malware.Generic-9883819-0
Create hunting rule

Win.Packed.Generic-9883938-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/901611a7-4f65-4faa-9dd8-93dfd9eb6eb6
Result
Threat name:
Raccoon Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828178
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460609 Sample: 7ZyfPZf6vp Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 75 Sigma detected: Xmrig 2->75 77 Multi AV Scanner detection for domain / URL 2->77 79 Found malware configuration 2->79 81 11 other signatures 2->81 8 7ZyfPZf6vp.exe 83 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 7 other processes 2->17 process3 dnsIp4 61 telete.in 195.201.225.248, 443, 49732 HETZNER-ASDE Germany 8->61 63 ck37505.tmweb.ru 188.225.63.143, 443, 49737 TIMEWEB-ASRU Russian Federation 8->63 65 5.252.179.21, 49733, 80 MIVOCLOUDMD Moldova Republic of 8->65 53 C:\Users\user\AppData\...\gCqkWxdOv6.exe, PE32+ 8->53 dropped 55 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->55 dropped 57 C:\Users\user\AppData\...\ucrtbase.dll, PE32 8->57 dropped 59 57 other files (none is malicious) 8->59 dropped 91 Detected unpacking (changes PE section rights) 8->91 93 Detected unpacking (overwrites its own PE header) 8->93 95 Tries to steal Mail credentials (via file access) 8->95 97 Tries to harvest and steal browser information (history, passwords, etc) 8->97 19 gCqkWxdOv6.exe 9 4 8->19         started        23 cmd.exe 1 8->23         started        25 WerFault.exe 13->25         started        67 127.0.0.1 unknown unknown 15->67 file5 signatures6 process7 file8 51 C:\Users\user\AppData\...\win32update.exe, PE32+ 19->51 dropped 83 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->83 85 Writes to foreign memory regions 19->85 87 Allocates memory in foreign processes 19->87 89 4 other signatures 19->89 27 InstallUtil.exe 19->27         started        31 powershell.exe 19->31         started        33 powershell.exe 23 19->33         started        39 3 other processes 19->39 35 conhost.exe 23->35         started        37 timeout.exe 23->37         started        signatures9 process10 dnsIp11 69 37.187.95.110, 3333, 49747 OVHFR France 27->69 71 pool.supportxmr.com 27->71 73 pool-fr.supportxmr.com 27->73 99 Query firmware table information (likely to detect VMs) 27->99 41 conhost.exe 27->41         started        101 Disable Windows Defender notifications (registry) 31->101 43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 39->47         started        49 conhost.exe 39->49         started        signatures12 103 Detected Stratum mining protocol 69->103 process13
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 20:44:24 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgsxmtfi2uk6w5c3m6q5ne72g5dyop4aqvoo7vplpp4jbtykpkfa._file
Verdict:
malicious
Similar samples:
04b34c18709ece0d212e247408e19b638f9eddd1dd24cf9c839fa5bcee5fc9b3
RaccoonStealer
2a067a9926a833051caa67b4f1b60c32b312b6d09136da1b0ab8845af67fc5ee
RaccoonStealer
58290a4919362f3f76725d0cd01e812f6207d415017b91434ea7049b04c842b3
RaccoonStealer
726275af580053d15d4070b4158e1dfcdf13c555ce39b0c39cef3c3569b8164b
RaccoonStealer
a6f0dc73e69c768ad702394dc9250700e54e3439a9adb609b119292f70200522
RaccoonStealer
c4e7522db67d9ccd282873cbff6d97a3ddee685b5028f664b7338589d0db2772
RaccoonStealer
cc734514a9be905018d6f5fb5c1382a610fcd9c01348d969682d2160dc03b1fb
RaccoonStealer
e7712697b1259ff1a3f8cbfa6435c069b4127af3316ea52aa740d5ae8cf2bd4b
RaccoonStealer
+ 2'049 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:2ca2376c561d1af7f8b9e6f3256b06220a3db187 discovery persistence spyware stealer upx
Link:
https://tria.ge/reports/210806-2zx7vn7t96/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Raccoon
Raccoon Stealer Payload
Unpacked files
SH256 hash:
6b3cb79e70b64516a491f38393de2bcbaeefe09e1aebf6900dc467441785db36
MD5 hash:
78142aaf4e92aa7b4883c0a81751c2a4
SHA1 hash:
3643762f4dd5fb81dd00ea49a6acfe0e362d8abe
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/238e8828-e44b-4f09-aa9c-89ef5a93fef7/
Parent samples :
11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a
5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be
b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372
SH256 hash:
11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a
MD5 hash:
0baccbb3c9954f8e20d00fcc7b9c8197
SHA1 hash:
fda8dcb393ee1ab90e788dfe4b3813d7bf04c2e5
Link:
https://www.unpac.me/results/238e8828-e44b-4f09-aa9c-89ef5a93fef7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1510621/
Cape
Cape
https://www.capesandbox.com/analysis/176942/

Comments


Avatar
zbet commented on 2021-08-06 08:22:46 UTC

url : hxxp://cr97923.tmweb.ru/123.exe