MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ea7c167ec0f7c571469c13ddae88556435d365b155082146808945402ea20a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 9

SHA256 hash: 1ea7c167ec0f7c571469c13ddae88556435d365b155082146808945402ea20a4
SHA3-384 hash: 4d1ca70f7b1c9562532b7e7e1ad587f9ec8c702b57d41a3b8a5606327c995d62af57c6134eb9a14d737d4a71b0be1924
SHA1 hash: 19ac1ddd66e9c215380e620a0fdefed8f2542335
MD5 hash: 4c77bfac974dc61427b5589001c7fb3c
humanhash: sweet-hydrogen-nuts-social
File name: CCleanerBundle-616-Setup.exe
Signature: RaccoonStealer
File size: 67'373'764 bytes
First seen: 2023-09-17 10:20:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1ee3b0da38e7b7c567f93f357ca3751c (2 x RedLineStealer, 2 x RaccoonStealer, 1 x QuasarRAT)
ssdeep: 1572864:SntSrZFG7Jwd4USFTPGHcFsO/4EKT+ob7WQ5Rbk6uiTj+he6Y:SMFrAB9Fp4EKTAQ5RdseX
TLSH: T19BE73331768BC53BD5A204B07A2DD7AE12287FB50F7294C763E81E6E45B48C38631E67
TrID:
  88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.9% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 686eeee2b292c6ec (6 x njrat, 3 x RedLineStealer, 2 x CoinMiner)
Reporter: Anonymous
Tags: exe Raccoon Stealer RaccoonStealer RAT Redline

Intelligence

File Origin
# of uploads: 1
# of downloads: 417
Origin country: RO

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 89%
Tags: control fingerprint greyware lolbin msiexec overlay packed setupapi shell32
Result
Verdict: MALICIOUS

Result
Threat name: Raccoon Stealer v2, RedAlert
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 80 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries disk data (e.g. SMART data)
Query firmware table information (likely to detect VMs)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer v2
Yara detected RedAlert Ransomware
Behaviour
Behavior Graph (ID 1309566; sample CCleanerBundle-616-Setup.exe; start date 17/09/2023; architecture WINDOWS; score 80). The rendered graph is flattened here into a process tree; each entry lists the network contacts, dropped files, signatures and child processes attached to that node in the graph.

Root (sample start)
  Network: www.linkedin.com; www.google.com; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
  Started: msiexec.exe; CCleaner.exe; CCleanerBugReport.exe; 7 other processes

msiexec.exe
  Dropped: C:\Users\user\AppData\Roaming\...\Patch.exe (PE32); C:\Windows\Installer\MSIAAF5.tmp (PE32); C:\Windows\Installer\MSIAAD5.tmp (PE32); 4 other files (none is malicious)
  Started: CCleanerBundle-616-Setup.exe; Patch.exe; msiexec.exe; msiexec.exe

CCleaner.exe
  Started: CCleaner64.exe

CCleanerBugReport.exe
  Network: winqual.gcp.sb.avast.com 34.107.19.138, 443, 49724 GOOGLEUS United States; winqual.sb.avast.com
  Signatures: Query firmware table information (likely to detect VMs)
  Started: conhost.exe

7 other processes
  Dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\...\CCleanerBundle-616-Setup.exe (PE32); C:\Users\user\AppData\Roaming\...\Patch.exe (PE32); 2 other files (none is malicious)
  Started: CCleaner64.exe; CCleaner64.exe; msiexec.exe

CCleanerBundle-616-Setup.exe (started by msiexec.exe)
  Dropped: C:\Users\user\AppData\...\rcsetup153_pro.exe (PE32); C:\Users\user\AppData\...\ccsetup616_pro.exe (PE32); C:\Users\user\AppData\...\spsetup132_pro.exe (PE32); 2 other files (none is malicious)
  Started: ccsetup616_pro.exe; rcsetup153_pro.exe; spsetup132_pro.exe

Patch.exe (started by msiexec.exe)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  Started: RegAsm.exe; RegAsm.exe

CCleaner64.exe (started by CCleaner.exe)
  Network: www.ccleaner.com; ncc.avast.com; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\Localbehaviorgraphoogle\...\LOG (ASCII); C:\Users\user\AppData\Local\...\000009.dbtmp (ASCII); C:\Program Files\CCleaner\gcapi_dll.dll (PE32+); C:\...\gcapi_16949472057104.dll (copy) (PE32+)
  Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc)
  Started: CCleaner64.exe

CCleaner64.exe (two instances, started by the "7 other processes" node)
  Network: ncc.avast.com; 2 other IPs or domains (each instance)

ccsetup616_pro.exe
  Network: 6 other IPs or domains
  Dropped: C:\Program Files\...\CCleanerBugReport.exe (PE32+); C:\Program Files\CCleaner\CCleaner64.exe (PE32+); C:\Program Files\CCleaner\CCUpdate.exe (PE32); 75 other files (none is malicious)
  Signatures: Query firmware table information (likely to detect VMs)
  Started: CCUpdate.exe; CCleaner64.exe; CCleaner64.exe; chrome.exe

rcsetup153_pro.exe
  Network: 3 other IPs or domains
  Dropped: C:\Program Files\Recuva\recuva64.exe (PE32+); 56 other files (none is malicious)
  Started: recuva64.exe; regsvr32.exe; 2 other processes

spsetup132_pro.exe
  Network: 2 other IPs or domains
  Dropped: 43 other files (none is malicious)

RegAsm.exe (first instance, started by Patch.exe)
  Network: microsoft-auth-network.cc 85.217.144.194, 49709, 80 WS171-ASRU Bulgaria; 95.214.24.244, 49710, 80 CMCSUS Germany
  Dropped: C:\Users\user\AppData\...\WindowsServices.exe (PE32)
  Started: WindowsServices.exe; conhost.exe

RegAsm.exe (second instance, started by Patch.exe)
  Signatures: Tries to delay execution (extensive OutputDebugStringW loop)

CCleaner64.exe (started by CCleaner64.exe)
  Network: ipm-gcp-prod.ff.avast.com 34.111.24.1, 443, 50049, 50110 GOOGLEUS United States; 5 other IPs or domains
  Dropped: C:\...\gcapi_16949472163836.dll (copy) (PE32+)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

CCUpdate.exe (started by ccsetup616_pro.exe)
  Network: ip-info-gcp.ff.avast.com 34.149.149.62, 443, 49718, 49725 ATGS-MMD-ASUS United States; 3 other IPs or domains
  Dropped: e485d75f-7a1a-43fb-bd5d-25a8951c6664.dll (PE32)
  Signatures: Query firmware table information (likely to detect VMs)
  Started: CCUpdate.exe

CCleaner64.exe (first instance started by ccsetup616_pro.exe)
  Network: www.ccleaner.com; 3 other IPs or domains
  Dropped: C:\...\gcapi_16949472215520.dll (copy) (PE32+)

CCleaner64.exe (second instance started by ccsetup616_pro.exe)
  Network: 2 other IPs or domains

chrome.exe (started by ccsetup616_pro.exe)
  Network: 239.255.255.250 unknown Reserved
  Started: chrome.exe

recuva64.exe
  Network: 3 other IPs or domains
  Signatures: Queries disk data (e.g. SMART data)

regsvr32.exe (started by rcsetup153_pro.exe)
  Started: regsvr32.exe

WindowsServices.exe (started by RegAsm.exe)
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  Started: RegAsm.exe

2 other processes (started by rcsetup153_pro.exe)
  Started: chrome.exe

CCUpdate.exe (started by CCUpdate.exe)
  Network: ip-info.ff.avast.com; ip-info-gcp.ff.avast.com
  Signatures: Query firmware table information (likely to detect VMs)

chrome.exe (started by chrome.exe)
  Network: s.twitter.com 104.244.42.131, 443, 49869, 49906 TWITTERUS United States; t.co 104.244.42.133, 443, 49844, 49901 TWITTERUS United States; 55 other IPs or domains

RegAsm.exe (started by WindowsServices.exe)
  Network: 193.142.147.59, 80 FREERANGECLOUDCA Netherlands
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-09-17 10:21:13 UTC
File Type: PE (Exe)
Extracted files: 3753
AV detection: 6 of 24 (25.00%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments