MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6
SHA3-384 hash: e107ee2b0157dc7af3ccb12ec7dea3311823871b7885aa7363e30d8bc8e8c24c8e579e0d5038057437cb235520946e90
SHA1 hash: abd4eaabc8f56f1c36dce4a8cf0a774e82b89625
MD5 hash: 4387e3ada05f4ba35535621f36719d8c
humanhash: comet-pip-fish-helium
File name:4387e3ada05f4ba35535621f36719d8c.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'288'704 bytes
First seen:2021-09-04 07:20:18 UTC
Last seen:2021-09-04 08:16:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:szC2ZYz7QiZDd0jwpu3ojR6L30ZonfZ8fJG:KC2ZQ9BmjwpOoj4oZonfKG
Threatray 2'293 similar samples on MalwareBazaar
TLSH T153551F3DBD252637E7BA86F8D4960D4EE69410CB22731DDF42D2A3892107617B6FA31C
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.24/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.24/ https://threatfox.abuse.ch/ioc/215080/

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4387e3ada05f4ba35535621f36719d8c.exe
Verdict:
No threats detected
Analysis date:
2021-09-04 07:23:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bd50bec-3f12-43f9-ba08-08625f685593

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185270/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.8141.26021.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Connection attempt to an infection source
Running batch commands
Using the Windows Management Instrumentation requests
Launching a process
Sending an HTTP GET request
Sending an HTTP POST request
Deleting a recently created file
Reading critical registry keys
Creating a process with a hidden window
Creating a file in the system32 directory
Delayed reading of the file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/468f5f58-fa25-4b8e-81ca-cd4ca2056452
Result
Threat name:
BitCoin Miner Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845166
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd delete
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitCoin Miner
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477597 Sample: l4jgmXaUBQ.exe Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 129 192.168.2.1 unknown unknown 2->129 131 ipv4bot.whatismyipaddress.com 2->131 133 discord.com 2->133 165 Multi AV Scanner detection for submitted file 2->165 167 Yara detected BitCoin Miner 2->167 169 Yara detected AntiVM3 2->169 171 10 other signatures 2->171 13 l4jgmXaUBQ.exe 15 5 2->13         started        18 services32.exe 2->18         started        signatures3 process4 dnsIp5 145 cdn.discordapp.com 162.159.129.233, 443, 49727 CLOUDFLARENETUS United States 13->145 115 C:\Users\user\AppData\Local\...\svchost.exe, PE32 13->115 dropped 117 C:\Users\user\AppData\...\l4jgmXaUBQ.exe.log, ASCII 13->117 dropped 187 Self deletion via cmd delete 13->187 189 Drops PE files with benign system names 13->189 191 Injects a PE file into a foreign processes 13->191 20 l4jgmXaUBQ.exe 85 13->20         started        25 svchost.exe 4 13->25         started        27 l4jgmXaUBQ.exe 13->27         started        193 Adds a directory exclusion to Windows Defender 18->193 29 cmd.exe 18->29         started        file6 signatures7 process8 dnsIp9 135 94.158.245.24, 49733, 49734, 80 MIVOCLOUDMD Moldova Republic of 20->135 137 telete.in 195.201.225.248, 443, 49728 HETZNER-ASDE Germany 20->137 139 2 other IPs or domains 20->139 105 C:\Users\user\AppData\...\iLxvMYULdd.exe, PE32 20->105 dropped 107 C:\Users\user\AppData\...\XKQT4yHH3t.exe, PE32 20->107 dropped 109 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 20->109 dropped 113 58 other files (none is malicious) 20->113 dropped 175 Tries to steal Mail credentials (via file access) 20->175 177 Self deletion via cmd delete 20->177 179 Tries to harvest and steal browser information (history, passwords, etc) 20->179 31 XKQT4yHH3t.exe 20->31         started        35 iLxvMYULdd.exe 20->35         started        37 cmd.exe 20->37         started        111 C:\Users\user\AppData\Local\...\newettc.exe, PE32+ 25->111 dropped 181 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->181 39 newettc.exe 5 25->39         started        41 rr.exe 14 3 25->41         started        183 Adds a directory exclusion to Windows Defender 29->183 44 conhost.exe 29->44         started        46 powershell.exe 29->46         started        file10 signatures11 process12 dnsIp13 119 C:\Users\user\AppData\...\besthotnewetc.exe, PE32+ 31->119 dropped 147 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->147 48 ss.exe 31->48         started        52 besthotnewetc.exe 31->52         started        121 C:\Users\user\AppData\Local\Temp\ss.exe, PE32 35->121 dropped 55 conhost.exe 37->55         started        57 timeout.exe 37->57         started        149 Adds a directory exclusion to Windows Defender 39->149 59 cmd.exe 39->59         started        61 cmd.exe 39->61         started        141 discord.com 162.159.138.232, 443, 49730, 49737 CLOUDFLARENETUS United States 41->141 143 ipv4bot.whatismyipaddress.com 66.171.248.178, 49729, 49736, 49738 ALCHEMYNETUS United States 41->143 151 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->151 153 May check the online IP address of the machine 41->153 file14 signatures15 process16 dnsIp17 125 ipv4bot.whatismyipaddress.com 48->125 127 discord.com 48->127 157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->157 159 May check the online IP address of the machine 48->159 103 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 52->103 dropped 63 svchost32.exe 59->63         started        67 conhost.exe 59->67         started        161 Uses schtasks.exe or at.exe to add and modify task schedules 61->161 163 Adds a directory exclusion to Windows Defender 61->163 69 conhost.exe 61->69         started        71 powershell.exe 61->71         started        73 powershell.exe 61->73         started        75 2 other processes 61->75 file18 signatures19 process20 file21 123 C:\Windows\System32\services32.exe, PE32+ 63->123 dropped 155 Drops executables to the windows directory (C:\Windows) and starts them 63->155 77 services32.exe 63->77         started        80 cmd.exe 63->80         started        82 cmd.exe 63->82         started        signatures22 process23 signatures24 185 Adds a directory exclusion to Windows Defender 77->185 84 cmd.exe 77->84         started        87 conhost.exe 80->87         started        89 schtasks.exe 80->89         started        91 conhost.exe 82->91         started        93 choice.exe 82->93         started        process25 signatures26 173 Adds a directory exclusion to Windows Defender 84->173 95 conhost.exe 84->95         started        97 powershell.exe 84->97         started        99 powershell.exe 84->99         started        101 2 other processes 84->101 process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 22:26:02 UTC
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dngztapbkq4orcizhnbhfzn4nud5boeyj2kxihvtn56k2ppmm3ta._file
Verdict:
malicious
Similar samples:
4569c2ca16175dd869475526af97004f47e2918edb583043b609fceb86b35161
RaccoonStealer
51bf9ff43b1aedfebfcf03c71e5bba10a6704b2cf4503e5bbe680221652cc458
RaccoonStealer
5d459a560ce1e32853c637997806cf8080c8d8f02d0c136057a0344d543b2532
RaccoonStealer
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
RaccoonStealer
a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3
RaccoonStealer
d99ac72301d4d4c55ee0c6e33ad4e4551bac90b71f80515eea1a3dfe426abf23
RaccoonStealer
f7873cf1b6200ab714ca6d6ff929fc4192d91a1cfc6d685cc734d8f1decb691d
RaccoonStealer
ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da
RaccoonStealer
+ 2'283 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:8d540643cc195ccd3e77766ab1d4b73d68715d8c discovery spyware stealer
Link:
https://tria.ge/reports/210904-h6n3baeaa2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
e5e6b37ca7aaf8d05fbaee7f5cbc9eedac1e2c64dadfce779db662337649c69b
MD5 hash:
b2ea957788754e9506868cae583d7dac
SHA1 hash:
7ae51af135550f276b64b498e5a8bd48e6db06e8
Link:
https://www.unpac.me/results/bfb1796a-3c9c-46c5-aca4-1a9d1c37a0e8/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/bfb1796a-3c9c-46c5-aca4-1a9d1c37a0e8/
SH256 hash:
cc189784666906e8f351d598f4d5e39159893876d81787f7939e06de60b82afe
MD5 hash:
8d7582c067da2d6e82e6d9b1fb025446
SHA1 hash:
0cebfe0f415c92b6dabda26d5593b475a423e2fe
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/bfb1796a-3c9c-46c5-aca4-1a9d1c37a0e8/
Parent samples :
3e4c7ea14c7244983b41edf75a23f40800771f02c0aba8afc0f087d6eee25d40
e1c502cf0606d96119b00772bbaf5cd66c0f084a284c2b3b9162de9574f5ee0b
1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6
32d8cde15a3e57d033e2bad6e8e0d1a3a16f4934ca4c0df122cbc7d3a0de710a
SH256 hash:
1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6
MD5 hash:
4387e3ada05f4ba35535621f36719d8c
SHA1 hash:
abd4eaabc8f56f1c36dce4a8cf0a774e82b89625
Link:
https://www.unpac.me/results/bfb1796a-3c9c-46c5-aca4-1a9d1c37a0e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185270/

Comments