MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27cb5cb27c8f29f4fcc7728b02a5a6f0f94f84ec1d17ab9284bfdb2e6b42ba98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 12

Intelligence | IOCs (12) | YARA (8) | File information | Comments

SHA256 hash: 27cb5cb27c8f29f4fcc7728b02a5a6f0f94f84ec1d17ab9284bfdb2e6b42ba98
SHA3-384 hash: ce2d11eebfa8cfada1f6fee85d16e2b13ca964d13f0fbd6a5b5e4783524a2d8f153d3c00b99a9adbb039451fd7ac060c
SHA1 hash: 2bc794d690427bbac8ef5a29dc97b304c1608601
MD5 hash: 21e89e596c315bab4c83983433b445c1
humanhash: connecticut-diet-victor-sierra
File name: 21e89e596c315bab4c83983433b445c1.exe
Signature: RaccoonStealer
File size: 3'398'144 bytes
First seen: 2021-04-07 11:18:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 49152:Hh+ZkldoPK8Yaq20X8PjfX9syQ+7Is72aM5CX2TkKe3YBoUBNPoOPMuz3l0Pn4kq:w2cPK8h0MPjfNsyQwp2V+2Tc36JFz3z
Threatray: 576 similar samples on MalwareBazaar
TLSH: 0BF51202B3D1D076FFAB92738B66F6165ABC78290123C92F13981D79B9701B1137E663
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 148
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://bitbucket.org/heyhoeee/heyhoename1/downloads/1234.exe
Verdict: Malicious activity
Analysis date: 2021-04-06 23:01:39 UTC
Tags: stealer evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Creating a process from a recently created file
DNS request
Sending a UDP request
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Connection attempt
Moving a file to the %AppData% subdirectory
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Raccoon Stealer
Behaviour
Behavior Graph ID: 383207
Sample: 40JHtWiswn.exe
Start date: 07/04/2021
Architecture: WINDOWS
Score: 100

Process tree with per-node network activity, dropped files and signatures (node numbers are the graph's own):

Node 2 (start)
  Network: icanhazip.com
  Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 9 other signatures
  Starts: 40JHtWiswn.exe (node 10)

Node 10: 40JHtWiswn.exe
  Dropped: C:\ProgramData\123.exe (PE32); C:\ProgramData\1.exe (PE32)
  Starts: 123.exe (node 13); 1.exe (node 17)

Node 13: 123.exe
  Dropped: C:\Users\user\AppData\Local\...\123.exe.log (ASCII)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
  Starts: 123.exe (node 20)

Node 17: 1.exe
  Network: telete.in 195.201.225.248, 443, 49706, HETZNER-ASDE, Germany; lifemaindecision.top 91.200.41.42, 443, 49707, HVOSTING-ASUA, Ukraine
  Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
  Signatures: Tries to steal Mail credentials (via file access); Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc)
  Starts: cmd.exe (node 24)

Node 20: 123.exe
  Network: 95.182.120.221, 49715, 49728, 49730, TEAM-HOSTASRU, Russian Federation; icanhazip.com 172.67.9.138, 49714, 49742, 49774, CLOUDFLARENETUS, United States; 192.168.2.1, unknown, unknown
  Signatures: Drops PE files to the user root directory
  Starts: svchost.exe (node 26); schtasks.exe (node 29)

Node 24: cmd.exe
  Starts: conhost.exe (node 31); timeout.exe (node 33)

Node 26: svchost.exe
  Signatures: System process connects to network (likely due to code injection or exploit); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
  Starts: svchost.exe (node 35)

Node 29: schtasks.exe
  Starts: conhost.exe (node 39)

Node 35: svchost.exe
  Network: icanhazip.com (node 61); 104.22.18.188, 49737, 49744, 49745, CLOUDFLARENETUS, United States; 104.22.19.188, 49727, 49733, 49735, CLOUDFLARENETUS, United States
  Signatures: System process connects to network (likely due to code injection or exploit)

Node 61: icanhazip.com
  Signatures: May check the online IP address of the machine
Threat name: Win32.Infostealer.Racealer
Status: Malicious
First seen: 2021-03-31 14:42:08 UTC
AV detection: 37 of 48 (77.08%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:a2b5a5f1855c225d52223484ad45d06a0367ab29 discovery spyware stealer
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Raccoon
Unpacked files

SHA256 hash: 85ccf5ea52fc82c995610d71798776357fd31c257bdb5bf89e2fbdb01eaf3a84
MD5 hash: 30e719dbf5d5b4dc25a29e91ff7b9835
SHA1 hash: dbf18fa0eb2d0a146a5aa8d0f661d22a6f2dcd92
Detections: win_raccoon_auto

SHA256 hash: b07d5bd9cbff775b25da777948365a98ba79c6f2eec53a4f2c6b0eeead3f2659
MD5 hash: dc6d2f36f04ef6e13c56159d21310358
SHA1 hash: 024e5f7d5fdd56572478d221739c72b4d21674d0

SHA256 hash: b2bec548bf3c2242b6f4cfb0745ff11cbbcd6dd6654c3818b829df72ab31e1d5
MD5 hash: e8f265009e439fbad69ef371e3ea8801
SHA1 hash: 04d1659549a7464adb25022b178f1a2181650b02

SHA256 hash: fb517b3ceeae5832eff4d6e89479b4c6c27bf2170e25ffde6b936e4ed271a406
MD5 hash: 175b4d00d9fc1d3530eed1d27b72e028
SHA1 hash: 1926830e43c4a899acf3799908cea42f725e26ae

SHA256 hash: 46ed908a51fa6dab3897b78e2480eecb23d371c8a6d104380160837f63630541
MD5 hash: 32068e8f53ce51883708c8c6530a12b4
SHA1 hash: ab5438f04b79e599ddc2f263f0b332af177023b1

SHA256 hash: 27cb5cb27c8f29f4fcc7728b02a5a6f0f94f84ec1d17ab9284bfdb2e6b42ba98
MD5 hash: 21e89e596c315bab4c83983433b445c1
SHA1 hash: 2bc794d690427bbac8ef5a29dc97b304c1608601
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
  RaccoonStealer
  Executable exe 27cb5cb27c8f29f4fcc7728b02a5a6f0f94f84ec1d17ab9284bfdb2e6b42ba98 (this sample)

Delivery method: Distributed via web download
