MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31ad805cd3b0420e4780a14a04ead82456043d344453405c091caafb0462d129. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31ad805cd3b0420e4780a14a04ead82456043d344453405c091caafb0462d129
SHA3-384 hash: bc648ac8a330fe2de3013e1a8170afd7e5c0c11074bfbc3b470da880dc0f5a21b85f49a180ac4e5e4108328839199794
SHA1 hash: 8d51e45dc3b8c5f0a38fd7c40d27ee91809e13b8
MD5 hash: e2fd2972d4a6928b21beacb58fa02c88
humanhash: kansas-emma-friend-ten
File name:e2fd2972d4a6928b21beacb58fa02c88
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:386'016 bytes
First seen:2022-01-16 15:18:15 UTC
Last seen:2022-01-16 16:35:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:TFCJ2oRNyHXIQenAKo7MMye9zurKCy5bl0EBUUffNtWEivOOOJZoeVzYN2+0cIWa:TclfAb7nC0WEG05iTS
Threatray 5'730 similar samples on MalwareBazaar
TLSH T1438408C5A4289081CEFCB5F2B866E92220F93CAD8DC3454D76F972361472A57DE0B91F
File icon (PE):PE icon
dhash icon 090d141563496d3f (19 x RedLineStealer, 2 x RaccoonStealer, 2 x CoinMiner)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e2fd2972d4a6928b21beacb58fa02c88
Verdict:
Malicious activity
Analysis date:
2022-01-16 15:19:19 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/8bf61996-cc76-47c2-886a-9be98455f224

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219616/
Detection(s):
SecuriteInfo.com.W32.Trojan.GUO.genEldorado.15266.5115.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed packed replace.exe
Link:
https://www.filescan.io/uploads/61e43769f2e8ec86fe075f52/reports/28797b9b-c3f0-452f-a964-fe2ac398d5e0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51adb8ca-de29-441e-a8f0-0870682e32a2
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921395
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553873 Sample: dzOULChIgx Startdate: 16/01/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 5 other signatures 2->46 8 dzOULChIgx.exe 15 3 2->8         started        process3 dnsIp4 34 cdn.discordapp.com 162.159.133.233, 443, 49762 CLOUDFLARENETUS United States 8->34 24 C:\Users\user\AppData\...\dzOULChIgx.exe.log, ASCII 8->24 dropped 48 Self deletion via cmd delete 8->48 50 Contains functionality to steal Internet Explorer form passwords 8->50 52 Injects a PE file into a foreign processes 8->52 13 dzOULChIgx.exe 80 8->13         started        file5 signatures6 process7 dnsIp8 36 185.163.204.212, 49764, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 13->36 38 185.163.204.22, 49763, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 13->38 26 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 13->26 dropped 28 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->28 dropped 30 C:\Users\user\AppData\...\ucrtbase.dll, PE32 13->30 dropped 32 56 other files (none is malicious) 13->32 dropped 54 Tries to steal Mail credentials (via file / registry access) 13->54 56 Self deletion via cmd delete 13->56 58 Tries to harvest and steal browser information (history, passwords, etc) 13->58 18 cmd.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Gathering data
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-01-16 15:19:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 28 (67.86%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ggwyaxgtwbba4r4auffaj2wyerlaipjuirjuaxajdsvpwbdc2euq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0dc9020d1da0f60fb0ea2b10ee9e6930f67e5d3bc5859ba390973e5165d86b7a
RaccoonStealer
31ad805cd3b0420e4780a14a04ead82456043d344453405c091caafb0462d129
RaccoonStealer
972385a61cc340b61a7e3101c1854a589ef2a61df0cc31ef680a329c2e68f0e6
RaccoonStealer
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
RaccoonStealer
ba1d27e1521b29f5fabc05094b177131f356588ce26b2e5336910df2bd1cc919
RaccoonStealer
c25d1fe88e1b97a9b07941683641db28863d24e4c422a9cb4033db3cf641a9ae
RaccoonStealer
e669fa8f3d869836219ea581fb41aecc85db944b441aaee127b5a8e9ed06d037
RaccoonStealer
f12e6cd63a8d0c79621de6f617a1d5d58a811bc5e9a5798aa7fdb2b6fc067971
RaccoonStealer
+ 5'720 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon agilenet stealer
Link:
https://tria.ge/reports/220116-sp6k5sfhcj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Raccoon
Unpacked files
SH256 hash:
31ad805cd3b0420e4780a14a04ead82456043d344453405c091caafb0462d129
MD5 hash:
e2fd2972d4a6928b21beacb58fa02c88
SHA1 hash:
8d51e45dc3b8c5f0a38fd7c40d27ee91809e13b8
Link:
https://www.unpac.me/results/72a03167-556e-4ef7-b2ed-f62364dbe841/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/31ad805cd3b0420e4780a14a04ead82456043d344453405c091caafb0462d129

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 31ad805cd3b0420e4780a14a04ead82456043d344453405c091caafb0462d129

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1981529/
Cape
Cape
https://www.capesandbox.com/analysis/219616/

Comments


Avatar
zbet commented on 2022-01-16 15:18:17 UTC

url : hxxp://82.148.31.111/F.exe