MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a081b2e6f932f6c6773603ef59b1e66f7961be9df09fbb10282eeef7d6491a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a081b2e6f932f6c6773603ef59b1e66f7961be9df09fbb10282eeef7d6491a0
SHA3-384 hash: b994d63403a7b5899a98fe4df4aa6ef1f1a4b29491029c6cbd0af92d02f5d9bdf056f11b4d5e45d6901342a95adc13a8
SHA1 hash: 492cb9a8e4aaeb899027c3b552492dfef9495c34
MD5 hash: cb180fa088a056222e0d0fccf7f6d9bd
humanhash: oscar-helium-avocado-oven
File name:IMAGE_06.EXE
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:478'720 bytes
First seen:2021-10-06 07:18:23 UTC
Last seen:2021-10-06 08:19:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:ml+zKxkpMD/9/qqDH3mA/icw6EPYgqFhQ5c7dPQGR/uMZ9VKOna3KFU42p:m4zhpk/RH/k6EPYgqM5c7d3huMZ7KOG
Threatray 3'497 similar samples on MalwareBazaar
TLSH T19EA4AF102689DF26D6BDB77980B1550093F1BB238F23D25E7EB540ED1E32BD08F2665A
Reporter cocaman
Tags:exe INVOICE RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMAGE_06.EXE
Verdict:
Malicious activity
Analysis date:
2021-10-06 07:25:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb967c34-e843-46bf-8990-3eb2f047334a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195301/
Detection(s):
SecuriteInfo.com.Variant.Ser.MSILHeracles.127.20732.20858.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/615d4deeb95458900cdcf7af/reports/b9e6234d-4631-4cb8-ba6c-8df1172e2a94/overview
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66905855-f46d-4fb0-88bd-ca32994c377d
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/865301
Signature
Contains functionality to steal Internet Explorer form passwords
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497725 Sample: IMAGE_06.EXE Startdate: 06/10/2021 Architecture: WINDOWS Score: 92 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Raccoon Stealer 2->44 46 2 other signatures 2->46 8 IMAGE_06.EXE 15 3 2->8         started        process3 dnsIp4 34 cdn.discordapp.com 162.159.129.233, 443, 49721, 49728 CLOUDFLARENETUS United States 8->34 24 C:\Users\user\AppData\...\IMAGE_06.EXE.log, ASCII 8->24 dropped 48 Self deletion via cmd delete 8->48 50 Contains functionality to steal Internet Explorer form passwords 8->50 52 Injects a PE file into a foreign processes 8->52 13 IMAGE_06.EXE 80 8->13         started        file5 signatures6 process7 dnsIp8 36 91.219.236.243, 49743, 80 SERVERASTRA-ASHU Hungary 13->36 38 teletop.top 172.67.176.216, 49737, 80 CLOUDFLARENETUS United States 13->38 26 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 13->26 dropped 28 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->28 dropped 30 C:\Users\user\AppData\...\ucrtbase.dll, PE32 13->30 dropped 32 56 other files (none is malicious) 13->32 dropped 54 Tries to steal Mail credentials (via file access) 13->54 56 Self deletion via cmd delete 13->56 58 Tries to harvest and steal browser information (history, passwords, etc) 13->58 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a081b2e6f932f6c6773603ef59b1e66f7961be9df09fbb10282eeef7d6491a0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 07:19:11 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fiebwltpsmxwyz3tma7plgy6m33zmg7j34e7xmicqlxo67lesgqa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54
RaccoonStealer
71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a
RaccoonStealer
7383c5e9d047eff7d5a91139c0f5c1c80c1cae7fdf5ebb59a0db20a05abb58a2
RaccoonStealer
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
RaccoonStealer
b7b037355cc6e9dc7f9c665f1ea987bafed82a4825409a5d05cde15c6d243dff
RaccoonStealer
c37589d196b538bdbe783c81ba966e7a3689f9867cf5d22d207a602c86ebdf7e
RaccoonStealer
c67646ba071947726cb2420a03887901a79a762844862eeb61f2fa8349ea355f
RaccoonStealer
dcff0727ff7809cddf9d0ca02725f70ead9eff5799cdef37b2b05fee166bc5e8
RaccoonStealer
dded956a99823dc3d87aafa2764e9a561eb9df6b571251f118468052143d76cc
RaccoonStealer
dedecac051c66649d617a251056138a2e59e530a0c172b7c851b6a10d8c45222
RaccoonStealer
+ 3'487 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:4d5433b8318af12e4072597bf01ea38cd4a6320d discovery spyware stealer suricata
Link:
https://tria.ge/reports/211006-h5knhabaak/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SH256 hash:
2a081b2e6f932f6c6773603ef59b1e66f7961be9df09fbb10282eeef7d6491a0
MD5 hash:
cb180fa088a056222e0d0fccf7f6d9bd
SHA1 hash:
492cb9a8e4aaeb899027c3b552492dfef9495c34
Link:
https://www.unpac.me/results/1e53ac49-be9a-4521-aecc-67920b68de44/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2a081b2e6f93/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/2a081b2e6f932f6c6773603ef59b1e66f7961be9df09fbb10282eeef7d6491a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RaccoonStealer

img 2be334c13319b84d4a8b5de9fbd8d0a4a8abf39b9eb8cc0c43d99ecdca9edaa3

RaccoonStealer

Executable exe 2a081b2e6f932f6c6773603ef59b1e66f7961be9df09fbb10282eeef7d6491a0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2be334c13319b84d4a8b5de9fbd8d0a4a8abf39b9eb8cc0c43d99ecdca9edaa3
Cape
Cape
https://www.capesandbox.com/analysis/195301/

Comments