MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
SHA3-384 hash: db8562c8dc504f189c14167eef17eb2eb3151731065373341664a7f43d74b894319ad1b03372c37e49e8353fa4620fa2
SHA1 hash: 3cae63a3da5393bcf21f46b89a53fd87ff4a3eb6
MD5 hash: 8aece0be80642056ffbe8536d6a0afe9
humanhash: louisiana-seventeen-kansas-lake
File name:SecuriteInfo.com.W32.AIDetect.malware1.509.3654
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:542'208 bytes
First seen:2021-04-15 15:51:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e05089ebdc79f6153676cb08f724c74b (4 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:1dv0UW2GfVZOtwhGAPsWxJv7IHR796VrDEDfO2HK:HvE26VZekyE9MHRxErDE7q
Threatray 718 similar samples on MalwareBazaar
TLSH C5B4010137D1C472C9A329768525CBB01E7AB4311966268F7FD92BFC2F357E2A72434A
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.509.3654
Verdict:
Malicious activity
Analysis date:
2021-04-15 15:57:39 UTC
Tags:
trojan stealer raccoon evasion loader
Link:
https://app.any.run/tasks/e6b275eb-c52e-4f4a-b187-5f5b6858a399

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.509.3654.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Strictor-6840778-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% subdirectories
Creating a service
Launching a service
Loading a system driver
Enabling the 'hidden' option for recently created files
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/677954
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 387928 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 15/04/2021 Architecture: WINDOWS Score: 100 66 icanhazip.com 2->66 102 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->102 104 Multi AV Scanner detection for domain / URL 2->104 106 Found malware configuration 2->106 112 9 other signatures 2->112 10 SecuriteInfo.com.W32.AIDetect.malware1.509.exe 82 2->10         started        15 syswow.exe 2->15         started        17 kernel.exe 2->17         started        19 3 other processes 2->19 signatures3 108 System process connects to network (likely due to code injection or exploit) 66->108 110 May check the online IP address of the machine 66->110 process4 dnsIp5 74 telete.in 195.201.225.248, 443, 49715 HETZNER-ASDE Germany 10->74 76 93.157.63.213, 49717, 80 NFORCENL Russian Federation 10->76 78 whatsthescore.top 185.234.247.219, 443, 49716 INTERKONEKT-ASPL Russian Federation 10->78 58 C:\Users\user\AppData\...\Rd9mQ8fphk.exe, PE32 10->58 dropped 60 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 10->60 dropped 62 C:\Users\user\AppData\...\vcruntime140.dll, PE32 10->62 dropped 64 57 other files (none is malicious) 10->64 dropped 124 Detected unpacking (changes PE section rights) 10->124 126 Detected unpacking (overwrites its own PE header) 10->126 128 Tries to steal Mail credentials (via file access) 10->128 132 2 other signatures 10->132 21 Rd9mQ8fphk.exe 14 5 10->21         started        25 cmd.exe 1 10->25         started        130 Hides threads from debuggers 15->130 27 conhost.exe 15->27         started        80 94.130.165.87, 4444, 49759 HETZNER-ASDE Germany 17->80 82 pool.minexmr.com 17->82 29 conhost.exe 17->29         started        84 127.0.0.1 unknown unknown 19->84 file6 signatures7 process8 dnsIp9 68 icanhazip.com 104.22.19.188, 49718, 49743, 49745 CLOUDFLARENETUS United States 21->68 70 213.252.244.68, 49719, 49724, 49730 IST-ASLT Lithuania 21->70 72 192.168.2.1 unknown unknown 21->72 114 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->114 116 May check the online IP address of the machine 21->116 118 Uses schtasks.exe or at.exe to add and modify task schedules 21->118 31 svchost.exe 6 21->31         started        36 schtasks.exe 1 21->36         started        38 conhost.exe 25->38         started        40 timeout.exe 1 25->40         started        signatures10 120 Detected Stratum mining protocol 68->120 process11 dnsIp12 88 185.125.218.59, 49726, 80 IHOR-ASRU Russian Federation 31->88 90 104.22.18.188, 49722, 49728, 49738 CLOUDFLARENETUS United States 31->90 92 icanhazip.com 31->92 54 C:\Users\user\AppData\Roaming\...\syswow.exe, PE32+ 31->54 dropped 56 C:\Users\user\AppData\Roaming\...\kernel.exe, PE32+ 31->56 dropped 94 System process connects to network (likely due to code injection or exploit) 31->94 96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->96 98 May check the online IP address of the machine 31->98 42 syswow.exe 31->42         started        45 kernel.exe 1 31->45         started        48 conhost.exe 36->48         started        file13 100 Detected Stratum mining protocol 88->100 signatures14 process15 dnsIp16 122 Hides threads from debuggers 42->122 50 conhost.exe 42->50         started        86 pool.minexmr.com 51.68.21.186, 4444, 49732 OVHFR France 45->86 52 conhost.exe 45->52         started        signatures17 process18
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 14:15:12 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dtzxl7bmvjupkifgezkc62zilpgyvvtpspfmacf5turcnzled7hq._file
Verdict:
malicious
Similar samples:
2aab7a13f9d2f77601b7a8228b976e02fe1960b1eaf6669f12e646e10ced6ca3
RaccoonStealer
362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5
RaccoonStealer
599393e258d8ba7b8f8633e20c651868258827d3a43a4d0712125bc487eabf92
RaccoonStealer
5f3507cbeaeda2b6fa6b1144782f45f17c274d30fba40fa1ee9b302496242265
RaccoonStealer
7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
RaccoonStealer
ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28
RaccoonStealer
c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586
RaccoonStealer
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
RaccoonStealer
d4e27b8e7e1fd965522468bdc3eaf06513dd3a3e7402d9b441ab002dfc892adc
RaccoonStealer
f213aa18c565dfcb1b7637901b57b6baa6f0d3515b3c601797b418d3d8ff5e2e
RaccoonStealer
+ 708 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:xmrig botnet:72e93d05320823f6fd0af18c9cd86188d0bd144a discovery miner spyware stealer
Link:
https://tria.ge/reports/210415-5nzkgbfbr2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner Payload
Raccoon
xmrig
Unpacked files
SH256 hash:
4f0a07f2dd383171707bf4234a151c99fea73121432f04306bfb32cd6ed89f26
MD5 hash:
63ddedb3a84c32628e118bf1f63f8b7f
SHA1 hash:
e3ea3980141b8d1a39b9d22c7ba273ec70943562
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/1765b20e-db5c-4426-999d-4dacdde09877/
Parent samples :
1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
SH256 hash:
1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
MD5 hash:
8aece0be80642056ffbe8536d6a0afe9
SHA1 hash:
3cae63a3da5393bcf21f46b89a53fd87ff4a3eb6
Link:
https://www.unpac.me/results/1765b20e-db5c-4426-999d-4dacdde09877/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1121005/
  
Delivery method
Distributed via web download

Comments