MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 187fcce7435c3f1dcccb75985131336f4365d2ac689c2ee22561285e9e37d261. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

SHA256 hash: 187fcce7435c3f1dcccb75985131336f4365d2ac689c2ee22561285e9e37d261
SHA3-384 hash: cf6aba7b4653161fa9c333b2f0049df5c81403a60fedb9c8b91e17d3c73820d6bc6da8afdc9e83fb93ca3400f52b9b65
SHA1 hash: 72b2120c96fd07d57b0a771f4538e3e391e05363
MD5 hash: b25d22267068ad25dff4f2254b776d26
humanhash: kilo-summer-hydrogen-cola
File name: b25d22267068ad25dff4f2254b776d26.exe
Signature: RaccoonStealer
File size: 584'704 bytes
First seen: 2021-09-21 18:10:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 35279f0bcb93fbb246a2ff5f9995bdc1 (6 x RaccoonStealer)
ssdeep: 12288:HPyvUhuDGncJlujEpr8qEFRkbNZ5tWDmp4NAc15Kp3CIF5j1QwZPRrE:Qwckyr8RkJXampEhoPa2PRw
Threatray: 3'180 similar samples on MalwareBazaar
TLSH: T1AFC49E2675719076F17240B0AE6CABA1167EBC7049324EAB73CA063D4FB15D2D721B3B
Reporter: abuse_ch
Tags: exe RaccoonStealer

abuse_ch
RaccoonStealer C2:
http://45.95.11.122/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://45.95.11.122/ | https://threatfox.abuse.ch/ioc/224422/

Intelligence

File Origin
# of uploads: 1
# of downloads: 279
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b25d22267068ad25dff4f2254b776d26.exe
Verdict: Malicious activity
Analysis date: 2021-09-21 18:12:53 UTC
Tags: trojan stealer raccoon loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: BitCoin Miner Raccoon
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Schedule system process
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BitCoin Miner
Yara detected Raccoon Stealer
Behaviour
Behavior Graph: interactive graph, ID 487547 (sample iVYmUHHcoW.exe, start date 21/09/2021, architecture WINDOWS, score 100); the process tree and network nodes of the graph are not reproduced here.
Threat name: Win32.Infostealer.Racealer
Status: Malicious
First seen: 2021-09-17 04:33:53 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: 187fcce7435c3f1dcccb75985131336f4365d2ac689c2ee22561285e9e37d261
MD5 hash: b25d22267068ad25dff4f2254b776d26
SHA1 hash: 72b2120c96fd07d57b0a771f4538e3e391e05363
Detections: win_raccoon_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments