MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22a7d9f0f89491f6ef37085e4f95e9cb1be53e25848ee63afd5ec6baa333e8d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22a7d9f0f89491f6ef37085e4f95e9cb1be53e25848ee63afd5ec6baa333e8d4
SHA3-384 hash: 47da7600d020d98cadea4cbcd7b85ec419e80f3eab2e624569aaa8f801be31d24e6808ca2ea5f369f3719e554c3cfbe3
SHA1 hash: 7096dfdc2e1a7feaf544c0786a3b2266d8b06491
MD5 hash: b2e8ee5630cfbf9c640e1e6c80dfba96
humanhash: oregon-lamp-diet-kitten
File name:b2e8ee5630cfbf9c640e1e6c80dfba96
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'739'264 bytes
First seen:2021-11-21 11:23:07 UTC
Last seen:2021-11-21 13:11:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 49152:g8+kkMsaXIctD/cP7eX7uVl8mJa2xPFP+HEuQzmsr+KNaLU6NVg:QFaYctrkMuX8uRFm9QpMa
Threatray 3'779 similar samples on MalwareBazaar
TLSH T1F5853374924D363CC14B17B979BFFB0E97D0B366A6F53F57A4008613293D88B24682A7
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b2e8ee5630cfbf9c640e1e6c80dfba96
Verdict:
Malicious activity
Analysis date:
2021-11-21 11:24:47 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/b8926d7d-3a4f-4939-b267-a0c948dfe329

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Launching a process
Сreating synchronization primitives
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed racealer
Link:
https://www.filescan.io/uploads/619a2c55dd04e7d00e00c562/reports/b494f54a-391f-4c65-b51a-adaa7a644fae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6e64b2c-e06c-454f-b17d-aa046831b11b
Result
Threat name:
MicroClip Raccoon Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893277
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Disables security and backup related services
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected MicroClip
Yara detected Raccoon Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525750 Sample: 0dMENJipYG Startdate: 21/11/2021 Architecture: WINDOWS Score: 100 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Multi AV Scanner detection for domain / URL 2->101 103 Multi AV Scanner detection for submitted file 2->103 105 6 other signatures 2->105 10 0dMENJipYG.exe 2->10         started        13 svchost.exe 2->13         started        15 SgrmBroker.exe 2->15         started        17 8 other processes 2->17 process3 dnsIp4 113 Query firmware table information (likely to detect VMs) 10->113 115 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->115 117 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 10->117 123 4 other signatures 10->123 20 AppLaunch.exe 83 10->20         started        25 WerFault.exe 23 9 10->25         started        119 Changes security center settings (notifications, updates, antivirus, firewall) 13->119 121 DLL side loading technique detected 15->121 87 127.0.0.1 unknown unknown 17->87 89 192.168.2.1 unknown unknown 17->89 27 WerFault.exe 17->27         started        signatures5 process6 dnsIp7 91 91.219.237.226, 49719, 80 SERVERASTRA-ASHU Hungary 20->91 93 f0600756.xsph.ru 141.8.193.236, 49728, 80 SPRINTHOSTRU Russian Federation 20->93 95 91.219.236.27, 49718, 80 SERVERASTRA-ASHU Hungary 20->95 69 C:\Users\user\AppData\...\tRkwEFF1sV.exe, PE32 20->69 dropped 71 C:\Users\user\AppData\...\9DRUO9eKGj.exe, PE32+ 20->71 dropped 73 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 20->73 dropped 77 58 other files (2 malicious) 20->77 dropped 107 Tries to steal Mail credentials (via file / registry access) 20->107 109 Tries to harvest and steal browser information (history, passwords, etc) 20->109 111 DLL side loading technique detected 20->111 29 tRkwEFF1sV.exe 20->29         started        33 9DRUO9eKGj.exe 3 20->33         started        75 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 25->75 dropped file8 signatures9 process10 file11 79 C:\Windows\Client.exe, PE32 29->79 dropped 81 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 29->81 dropped 83 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 29->83 dropped 127 Disables security and backup related services 29->127 35 cmd.exe 29->35         started        37 cmd.exe 29->37         started        39 cmd.exe 29->39         started        43 2 other processes 29->43 85 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32+ 33->85 dropped 41 cmd.exe 1 33->41         started        signatures12 process13 process14 45 net.exe 35->45         started        47 conhost.exe 35->47         started        49 net.exe 37->49         started        51 conhost.exe 37->51         started        53 conhost.exe 39->53         started        55 sc.exe 39->55         started        57 powershell.exe 14 17 41->57         started        61 conhost.exe 41->61         started        63 4 other processes 43->63 dnsIp15 65 net1.exe 45->65         started        67 net1.exe 49->67         started        97 iplogger.org 5.9.162.45, 443, 49729 HETZNER-ASDE Germany 57->97 125 May check the online IP address of the machine 57->125 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22a7d9f0f89491f6ef37085e4f95e9cb1be53e25848ee63afd5ec6baa333e8d4/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 17:03:21 UTC
AV detection:
27 of 45 (60.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96
RaccoonStealer
4cf588b87b8697aecc8c5c0cc516b3de86b15ea5185191949e54282d6bde34b9
RaccoonStealer
8466ebd35658644d4c289191e1341b8900bb021196fae0b82fbba7d8a74a3073
RaccoonStealer
872c9ca954ed0738734e97cac2496e3961f19d5766a7fe23d93cd3ca8d6f8824
RaccoonStealer
8ec06531b8d67c49241fcf844168448b6a7c428a32d41f00d3714e19e1b18f3c
RaccoonStealer
eb77f172afe361c9ff6138ae480d05a5832ba5c15191f9a9b5ccb1267ca5ed5c
RaccoonStealer
fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02
RaccoonStealer
+ 3'769 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:576040f513c41d5e933abc05463344f7269776af evasion stealer trojan
Link:
https://tria.ge/reports/211121-nhp8csdgfm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
a0e0213425095e3f4f1b55cc5dfebf5a9adb2dede45b287ca19ab69dc4a83863
MD5 hash:
ab47d9c9d6e693d37a172ccf32740af7
SHA1 hash:
bd2d748333ce1072ab346dd32761b3eb778d4cbd
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/79ed2817-393d-4d8d-a752-8e372146b1dd/
SH256 hash:
22a7d9f0f89491f6ef37085e4f95e9cb1be53e25848ee63afd5ec6baa333e8d4
MD5 hash:
b2e8ee5630cfbf9c640e1e6c80dfba96
SHA1 hash:
7096dfdc2e1a7feaf544c0786a3b2266d8b06491
Link:
https://www.unpac.me/results/79ed2817-393d-4d8d-a752-8e372146b1dd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/22a7d9f0f894/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22a7d9f0f89491f6ef37085e4f95e9cb1be53e25848ee63afd5ec6baa333e8d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 22a7d9f0f89491f6ef37085e4f95e9cb1be53e25848ee63afd5ec6baa333e8d4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1803129/
Cape
Cape
https://www.capesandbox.com/analysis/207885/

Comments


Avatar
zbet commented on 2021-11-21 11:23:08 UTC

url : hxxp://f0600404.xsph.ru/asda.exe