MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59
SHA3-384 hash: 20ef551534cad81d0c9c4084504114a3bcd2c8d450f9794a5540c541fc74e457a4088e76833c5433c99dcbf9d8bf7c20
SHA1 hash: 79170b05c349aea1b3d5553b4a8fb7cf431e2693
MD5 hash: fa366bb4b21aa3bb795b312c7d9f883f
humanhash: kilo-golf-ohio-robert
File name:antiban.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:30'208 bytes
First seen:2022-01-06 17:45:04 UTC
Last seen:2022-01-06 19:42:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:tIesukMHzQiQ0CihW1HL4sy9fIuwLoKM8oTYrhALwNCD1yF5dYAKJ9Yl6dnPU3Sn:tzTQiZCngfQuNcF5dG6Iq8U9Ksa
TLSH T148D25728D3F85732E2F387B59CF68593A972B513AE39DB9C2486130D49227844953B3F
Reporter tech_skeech
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
antiban.exe
Verdict:
Malicious activity
Analysis date:
2022-01-06 17:48:04 UTC
Tags:
loader
Link:
https://app.any.run/tasks/8cc97861-36d4-4ca8-83a5-676c1ee5c272

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217584/
Detection(s):
SecuriteInfo.com.MSIL.Downloadergen9.15390.31162.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61d72aa71c0d769df9d38604/reports/ef57edce-97f6-46c5-a63e-ac1a8f32cbef/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a9eccbe-15b8-4007-880c-8051c3f3eb5b
Result
Threat name:
BitCoin Miner Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916422
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected BitCoin Miner
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SilentXMRMiner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 548900 Sample: antiban.exe Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 80 api.telegram.org 149.154.167.220, 443, 49811 TELEGRAMRU United Kingdom 2->80 82 185.163.204.21, 49813, 49814, 49815 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 2->82 110 Multi AV Scanner detection for domain / URL 2->110 112 Antivirus detection for URL or domain 2->112 114 Antivirus detection for dropped file 2->114 116 11 other signatures 2->116 11 antiban.exe 15 6 2->11         started        15 services32.exe 2->15         started        signatures3 process4 dnsIp5 84 data-host-coin-8.com 198.11.172.78, 49761, 49762, 49764 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 11->84 86 192.168.2.1 unknown unknown 11->86 64 C:\ProgramData\7627_1641405166_3855.exe, PE32 11->64 dropped 66 C:\ProgramData\7352_1641405220_7062.exe, PE32 11->66 dropped 68 C:\ProgramData\4733_1641405115_2485.exe, PE32+ 11->68 dropped 18 7627_1641405166_3855.exe 3 11->18         started        21 4733_1641405115_2485.exe 11->21         started        23 WerFault.exe 23 9 11->23         started        140 Antivirus detection for dropped file 15->140 142 Detected unpacking (changes PE section rights) 15->142 144 Machine Learning detection for dropped file 15->144 146 4 other signatures 15->146 26 conhost.exe 5 15->26         started        file6 signatures7 process8 file9 94 Multi AV Scanner detection for dropped file 18->94 96 Machine Learning detection for dropped file 18->96 98 Writes to foreign memory regions 18->98 100 Injects a PE file into a foreign processes 18->100 28 RegAsm.exe 18->28         started        102 Antivirus detection for dropped file 21->102 104 Detected unpacking (changes PE section rights) 21->104 106 Allocates memory in foreign processes 21->106 108 2 other signatures 21->108 33 conhost.exe 4 21->33         started        60 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->60 dropped 62 C:\Users\user\AppData\...\sihost32.exe, PE32+ 26->62 dropped 35 sihost32.exe 26->35         started        signatures10 process11 dnsIp12 88 c9d0e790b353537889bd47a364f5acff43c11f245.xyz 185.112.83.97, 49773, 80 SUPERSERVERSDATACENTERRU Russian Federation 28->88 90 95.143.177.66, 49805, 9006 RHTEC-ASrh-tecIPBackboneDE Russian Federation 28->90 92 cdn.discordapp.com 162.159.129.233, 443, 49774, 49809 CLOUDFLARENETUS United States 28->92 70 C:\Users\user\AppData\Roaming\whw.exe, PE32 28->70 dropped 72 C:\Users\user\AppData\Roaming\safas2f.exe, PE32+ 28->72 dropped 74 C:\Users\user\AppData\Roaming\e3dwefw.exe, PE32 28->74 dropped 76 C:\Users\user\AppData\Roaming\clipper.exe, PE32 28->76 dropped 128 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->128 130 Performs DNS queries to domains with low reputation 28->130 132 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 28->132 37 safas2f.exe 28->37         started        78 C:\Users\user\AppData\...\services32.exe, PE32+ 33->78 dropped 41 cmd.exe 1 33->41         started        43 cmd.exe 1 33->43         started        134 Writes to foreign memory regions 35->134 136 Allocates memory in foreign processes 35->136 138 Creates a thread in another existing process (thread injection) 35->138 45 conhost.exe 2 35->45         started        file13 signatures14 process15 file16 58 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 37->58 dropped 118 Multi AV Scanner detection for dropped file 37->118 120 Detected unpacking (changes PE section rights) 37->120 122 Detected unpacking (overwrites its own PE header) 37->122 126 5 other signatures 37->126 47 services32.exe 41->47         started        50 conhost.exe 41->50         started        124 Uses schtasks.exe or at.exe to add and modify task schedules 43->124 52 conhost.exe 43->52         started        54 schtasks.exe 1 43->54         started        signatures17 process18 signatures19 148 Writes to foreign memory regions 47->148 150 Allocates memory in foreign processes 47->150 152 Hides threads from debuggers 47->152 154 Creates a thread in another existing process (thread injection) 47->154 56 conhost.exe 2 47->56         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 17:46:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=do7oc4t4pekvpmirtqzkspcyszcbjiom4pomaya7sk5wfdqdhjmq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220106-wbr3dabhbp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59
MD5 hash:
fa366bb4b21aa3bb795b312c7d9f883f
SHA1 hash:
79170b05c349aea1b3d5553b4a8fb7cf431e2693
Link:
https://www.unpac.me/results/9ad3bba9-c623-4ceb-82cc-97bf5dd99e4e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217584/

Comments