MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28520ee298fdd4ba65380e1bd9330643db263aa0b4f5d740beb2cd57301bc94a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28520ee298fdd4ba65380e1bd9330643db263aa0b4f5d740beb2cd57301bc94a
SHA3-384 hash: d2a75555712a6c116367c344e320ba43c55eb995a78fdfa7a387e2af45e796294630f3cadf7e71230ca5d3e1fbd42749
SHA1 hash: 08a68b602eea6f72439c3d4446732ba4f376abf6
MD5 hash: 965037d05dcc60513ddf7b407eda58dc
humanhash: nitrogen-uniform-pluto-emma
File name:SKMC07102021.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:569'740 bytes
First seen:2021-10-07 19:45:34 UTC
Last seen:2021-10-07 21:10:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:/KlD3I0AS4fgpU0C0dRnkQfs40R4G5i545xXqe8G4T7cR2L7W5pUiUNANsq:/Kl/AVCCam/D46i5wxnX4XcRzQGsq
Threatray 3'590 similar samples on MalwareBazaar
TLSH T1DDC423039283C693D3D586B24A73F035B2FAC4456423A20B67426F6F677831D7646FDA
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.103/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.103/ https://threatfox.abuse.ch/ioc/231120/

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKMC07102021.exe
Verdict:
Malicious activity
Analysis date:
2021-10-07 19:46:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b1b031d9-9fc4-4285-bd11-fec82ab005f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195952/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.28243.18581.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615f4e7ae3d213d202ba545a/reports/dba6545f-eb86-4564-9136-70169106c06c/overview
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/468e5b59-4876-4390-a700-99c577a5350b
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866682
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Sigma detected: Bypass UAC via Fodhelper.exe
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499110 Sample: SKMC07102021.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 81 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->81 83 Multi AV Scanner detection for domain / URL 2->83 85 Found malware configuration 2->85 87 6 other signatures 2->87 10 SKMC07102021.exe 17 2->10         started        14 fodhelper.exe 16 2->14         started        16 fodhelper.exe 16 2->16         started        19 fodhelper.exe 16 2->19         started        process3 dnsIp4 59 C:\Users\user\AppData\Local\...\vexxqumji.dll, PE32 10->59 dropped 93 Injects a PE file into a foreign processes 10->93 21 SKMC07102021.exe 83 10->21         started        61 C:\Users\user\AppData\Local\...\xalzip.dll, PE32 14->61 dropped 95 Contains functionality to compare user and computer (likely to detect sandboxes) 14->95 26 fodhelper.exe 14->26         started        67 192.168.2.1 unknown unknown 16->67 63 C:\Users\user\AppData\Local\...\xalzip.dll, PE32 16->63 dropped 28 fodhelper.exe 16->28         started        65 C:\Users\user\AppData\Local\...\xalzip.dll, PE32 19->65 dropped 30 fodhelper.exe 19->30         started        file5 signatures6 process7 dnsIp8 69 91.219.236.103, 49765, 80 SERVERASTRA-ASHU Hungary 21->69 71 teletop.top 104.21.17.146, 49764, 80 CLOUDFLARENETUS United States 21->71 73 jebarryplbg.com 172.67.160.252, 443, 49766 CLOUDFLARENETUS United States 21->73 49 C:\Users\user\AppData\...\2tgeMKaBBa.exe, PE32 21->49 dropped 51 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 21->51 dropped 53 C:\Users\user\AppData\...\vcruntime140.dll, PE32 21->53 dropped 55 57 other files (none is malicious) 21->55 dropped 89 Tries to steal Mail credentials (via file access) 21->89 91 Tries to harvest and steal browser information (history, passwords, etc) 21->91 32 2tgeMKaBBa.exe 17 21->32         started        36 schtasks.exe 1 26->36         started        file9 signatures10 process11 file12 47 C:\Users\user\AppData\Local\...\xalzip.dll, PE32 32->47 dropped 75 Uses schtasks.exe or at.exe to add and modify task schedules 32->75 77 Injects a PE file into a foreign processes 32->77 79 Contains functionality to compare user and computer (likely to detect sandboxes) 32->79 38 2tgeMKaBBa.exe 2 32->38         started        41 conhost.exe 36->41         started        signatures13 process14 file15 57 C:\Users\user\AppData\...\fodhelper.exe, PE32 38->57 dropped 43 schtasks.exe 1 38->43         started        process16 process17 45 conhost.exe 43->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28520ee298fdd4ba65380e1bd9330643db263aa0b4f5d740beb2cd57301bc94a/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 19:46:05 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbja5yuy7xkluzjybyn5smygipnsmovawt25oqf6wlgvoma3zffa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
459d4fd9bd7ec69f47d9c3306856a7e6ec39b17ff2c88ae80dcac8e9daba760e
RaccoonStealer
58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54
RaccoonStealer
71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a
RaccoonStealer
7383c5e9d047eff7d5a91139c0f5c1c80c1cae7fdf5ebb59a0db20a05abb58a2
RaccoonStealer
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
RaccoonStealer
b7b037355cc6e9dc7f9c665f1ea987bafed82a4825409a5d05cde15c6d243dff
RaccoonStealer
c37589d196b538bdbe783c81ba966e7a3689f9867cf5d22d207a602c86ebdf7e
RaccoonStealer
c67646ba071947726cb2420a03887901a79a762844862eeb61f2fa8349ea355f
RaccoonStealer
dded956a99823dc3d87aafa2764e9a561eb9df6b571251f118468052143d76cc
RaccoonStealer
dedecac051c66649d617a251056138a2e59e530a0c172b7c851b6a10d8c45222
RaccoonStealer
+ 3'580 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:27c9b6ae257af0ad6f3f3330ea633fc782fa4daf discovery spyware stealer
Link:
https://tria.ge/reports/211007-ygy4zscgh5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
2abe8e6d4ff496c4cdae5b1e25a597a05885877344324ec3bbdadc045ce48cef
MD5 hash:
0eb0192ad558b9242972b7b641279f4f
SHA1 hash:
e43a4a6a2244039e4e5b42d75bfb76f19564c851
Link:
https://www.unpac.me/results/59af3311-6fc5-460f-b780-f1ed3c63ada6/
SH256 hash:
28520ee298fdd4ba65380e1bd9330643db263aa0b4f5d740beb2cd57301bc94a
MD5 hash:
965037d05dcc60513ddf7b407eda58dc
SHA1 hash:
08a68b602eea6f72439c3d4446732ba4f376abf6
Link:
https://www.unpac.me/results/59af3311-6fc5-460f-b780-f1ed3c63ada6/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/28520ee298fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/28520ee298fdd4ba65380e1bd9330643db263aa0b4f5d740beb2cd57301bc94a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195952/

Comments