MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90
SHA3-384 hash: cc5622326bfc5e01510991b9e20948f1c771016dc05447bcca99dc029c1a16b523f05f2a0a969411d67a0805442d0a77
SHA1 hash: 2dcb621aec4f844fd37c64e6eabee9f827abf93d
MD5 hash: dda320cdb60094470b148e93760105f3
humanhash: jupiter-oxygen-december-lamp
File name:dda320cdb60094470b148e93760105f3
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:988'672 bytes
First seen:2022-01-17 12:56:47 UTC
Last seen:2022-01-17 14:41:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b949414a1cbbc9af7d834ae8be805f (11 x RedLineStealer, 5 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep 24576:kLcvE4N6whUaZiRAK/cRgOnmq9g6iBcZDy:kYvMf37cOU7m6Lhy
TLSH T15225EF82A24364A0D4C51BBD07F39A4E05D7EAC96E0C4DA94F067067709FBEF16E24BD
File icon (PE):PE icon
dhash icon 6960e896228a6968 (3 x CoinMiner, 2 x AsyncRAT, 1 x RaccoonStealer)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dda320cdb60094470b148e93760105f3
Verdict:
Malicious activity
Analysis date:
2022-01-17 13:07:05 UTC
Tags:
loader stealer trojan raccoon
Link:
https://app.any.run/tasks/0a887664-3765-4d90-8e99-ddd3a589990a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219840/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed print.exe
Link:
https://www.filescan.io/uploads/61e567a40f8c757253c46f1f/reports/65b4e546-f2dc-4b49-8d08-4aa50da73045/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ca4435f-a724-438a-8213-a1f45d1f940d
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921789
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
DLL side loading technique detected
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 554267 Sample: aqpfp1EexU Startdate: 17/01/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Antivirus detection for URL or domain 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 4 other signatures 2->40 8 aqpfp1EexU.exe 2->8         started        process3 signatures4 42 Contains functionality to inject code into remote processes 8->42 44 Writes to foreign memory regions 8->44 46 Allocates memory in foreign processes 8->46 48 2 other signatures 8->48 11 RegSvcs.exe 80 8->11         started        process5 dnsIp6 30 185.163.204.212, 49713, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 11->30 32 185.163.204.22, 49712, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 11->32 22 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 11->22 dropped 24 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\...\mozglue.dll, PE32 11->26 dropped 28 56 other files (none is malicious) 11->28 dropped 50 Tries to steal Mail credentials (via file / registry access) 11->50 52 Tries to harvest and steal browser information (history, passwords, etc) 11->52 54 DLL side loading technique detected 11->54 16 cmd.exe 1 11->16         started        file7 signatures8 process9 process10 18 conhost.exe 16->18         started        20 timeout.exe 1 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 07:19:31 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
31 of 41 (75.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dn5w5474ehcyxzasdxgwnohdwerryc5ut5xckzdazqqto5pu3wia._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220117-p6xssaaca4/
Unpacked files
SH256 hash:
c7e3f3128c5e7887f3464cd379e58fbfc4ce44c101d0ecb060c47e7677c38708
MD5 hash:
ca1a8dee034623b47f34e48458cf1f38
SHA1 hash:
ea40f3ac7cb988bc8f46540b63749801002410d7
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/71c9a082-7b50-4e7c-b2d1-1428e7c0d741/
Parent samples :
1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90
d87651d0c192db36871a32659dbc4329e673136e9465f9ed6058f21f87abdd46
SH256 hash:
1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90
MD5 hash:
dda320cdb60094470b148e93760105f3
SHA1 hash:
2dcb621aec4f844fd37c64e6eabee9f827abf93d
Link:
https://www.unpac.me/results/71c9a082-7b50-4e7c-b2d1-1428e7c0d741/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.36
Link:
https://yomi.yoroi.company/submissions/1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1983654/
Cape
Cape
https://www.capesandbox.com/analysis/219840/

Comments


Avatar
zbet commented on 2022-01-17 12:56:49 UTC

url : hxxps://coinbase-bonus.com/rea4gb440m4.exe