MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17a54b98e0fa1559a540e2ec3c30f0c23d8a8cbe7b18c8fe1f4241945f314e5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

SHA256 hash: 17a54b98e0fa1559a540e2ec3c30f0c23d8a8cbe7b18c8fe1f4241945f314e5e
SHA3-384 hash: 06809998fa3c5672a18ddabca029b8df0fb938862cfd82b8bf778a1d720283c2fd2c6b2dd515107698bafc641d429a53
SHA1 hash: 1c66940e95724d2a6d202a5c8afe1b0b90f2dd0e
MD5 hash: 3f17a7e9bdb7a066966be287406da7a2
humanhash: earth-stream-spaghetti-winner
File name: 3f17a7e9bdb7a066966be287406da7a2.exe
Download: download sample
Signature: RaccoonStealer
File size: 352'256 bytes
First seen: 2021-05-19 10:20:06 UTC
Last seen: 2021-05-19 11:01:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5ee1e46776fdb5a3bd242a0d3fac4b11 (2 x RaccoonStealer)
ssdeep: 6144:yN+baHZ9rU0MJThaEKua4pjiSxDZRO4VMeorRFDpeLgSt:yN+ba59rZMJThFa4pugNav947
Threatray: 1'237 similar samples on MalwareBazaar
TLSH: B974AE316391C039F4F322F849BA9379A63A3EB1673490CF53D516EA5A356E0AC31397
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://morlux02.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://morlux02.top/index.php    https://threatfox.abuse.ch/ioc/47933/
http://sogkys22.top/index.php    https://threatfox.abuse.ch/ioc/47934/
http://45.142.212.182/           https://threatfox.abuse.ch/ioc/47953/

Intelligence


File Origin
# of uploads: 2
# of downloads: 106
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Unturned Manager.exe
Verdict: Malicious activity
Analysis date: 2021-05-19 08:30:28 UTC
Tags: trojan evasion opendir loader stealer vidar raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a UDP request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a custom TCP request
Launching a tool to kill processes
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph (ID: 417194; sample: 5BwzWIBwCG.exe; start date: 19/05/2021; architecture: WINDOWS; score: 100):
    Start node: contacts telete.in, nailedpizza.top and iplogger.org; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Antivirus detection for URL or domain, Antivirus detection for dropped file, 6 other signatures; starts 5BwzWIBwCG.exe (29).
    5BwzWIBwCG.exe: contacts gclean.biz (8.209.75.180, ports 49726, 49727, 49729; CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, Singapore), g-clean.in and 3 other IPs or domains; drops C:\Users\user\AppData\...\97204151766.exe (PE32), C:\Users\user\AppData\...\49950241674.exe (PE32), C:\Users\user\AppData\...\44199243683.exe (PE32) and 6 other malicious files; signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), May check the online IP address of the machine; starts three instances of WerFault.exe (9) and 5 other processes.
    WerFault.exe instances and the 5 other processes: drop C:\ProgramData\Microsoft\...\Report.wer (Little-endian), seven files in total; one of the other processes starts conhost.exe.
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-05-19 10:20:20 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:cryptbot family:raccoon botnet:7528117f6a744f7afc4b767f2029d96b378f12c8 discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RaccoonStealer
Executable exe 17a54b98e0fa1559a540e2ec3c30f0c23d8a8cbe7b18c8fe1f4241945f314e5e (this sample)

Delivery method: Distributed via web download

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-19 11:01:23 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0045] File System Micro-objective::Copy File
4) [C0049] File System Micro-objective::Get File Attributes
5) [C0051] File System Micro-objective::Read File
6) [C0052] File System Micro-objective::Writes File
7) [C0007] Memory Micro-objective::Allocate Memory
8) [C0033] Operating System Micro-objective::Console
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0043] Process Micro-objective::Check Mutex
11) [C0041] Process Micro-objective::Set Thread Local Storage Value
12) [C0018] Process Micro-objective::Terminate Process