MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42d7f38a0939dd15cc3ffd2ed9cc6be3a88120081cddc062275f105821920e83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42d7f38a0939dd15cc3ffd2ed9cc6be3a88120081cddc062275f105821920e83
SHA3-384 hash: 6ce4e163f675754789c06f190428a72f3e4054094b58e5b710c5b6abb8a4f509442456f5c66f13d08c7204c4a2631903
SHA1 hash: 69facf12ea5197bf6a849870f580262b294d3123
MD5 hash: f26d797a201aa69cd7ddc1a48f27c8d8
humanhash: berlin-rugby-illinois-autumn
File name:F26D797A201AA69CD7DDC1A48F27C8D8.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:24'259'112 bytes
First seen:2021-05-28 19:48:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 393216:KsVOd5xakEEhhXU/gfaMQUEObweGGnNj3Yirrdtimm+kQyOB6TF9tcR/DzJna:KyOjxa2SIfpzJbRJdImFKTxUI
TLSH C5373317B194903EC0AE27310533A16014FBFBAEF457BE0766E0D88ECF665D01E7AA65
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.105.230.174/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://34.105.230.174/ https://threatfox.abuse.ch/ioc/66374/

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F26D797A201AA69CD7DDC1A48F27C8D8.exe
Verdict:
No threats detected
Analysis date:
2021-05-28 20:43:45 UTC
Tags:
installer
Link:
https://app.any.run/tasks/b16a8658-14e8-4d12-b9cb-ecec061ea2e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Sending a UDP request
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Deleting a recently created file
Delayed reading of the file
Launching the process to change network settings
Creating a process with a hidden window
Running batch commands
Launching a process
Replacing files
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/794077
Signature
Antivirus / Scanner detection for submitted sample
Disable Windows Defender notifications (registry)
Hides threads from debuggers
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 426476 Sample: DGHvBZ3q2m.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 52 84 aun3xk18k.space 2->84 86 www.bandicam.com 2->86 88 2 other IPs or domains 2->88 98 Multi AV Scanner detection for domain / URL 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 Multi AV Scanner detection for submitted file 2->102 104 5 other signatures 2->104 10 DGHvBZ3q2m.exe 2 2->10         started        signatures3 process4 file5 70 C:\Users\user\AppData\...\DGHvBZ3q2m.tmp, PE32 10->70 dropped 13 DGHvBZ3q2m.tmp 8 21 10->13         started        process6 file7 74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->74 dropped 76 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 13->76 dropped 78 C:\ProgramData\LTYLbFU37JKYp\is-N7RQS.tmp, PE32+ 13->78 dropped 80 2 other files (none is malicious) 13->80 dropped 16 wscript.exe 1 13->16         started        19 Bandicam.4.5.8.1673.exe 11 170 13->19         started        process8 dnsIp9 96 Wscript starts Powershell (via cmd or directly) 16->96 23 cmd.exe 16->23         started        25 cmd.exe 1 16->25         started        28 cmd.exe 16->28         started        90 ad-repack.ddns.net 34.199.8.144, 49730, 80 AMAZON-AESUS United States 19->90 92 4.5.8.167 LEVEL3US United States 19->92 94 cdn.filesend.jp 172.67.70.62, 443, 49731 CLOUDFLARENETUS United States 19->94 60 C:\Program Files (x86)\Bandicam\loader.exe, PE32 19->60 dropped 62 C:\Program Files (x86)\Bandicam\bdcam.exe, PE32 19->62 dropped 64 C:\Program Files (x86)\...\Uninstall.exe, PE32 19->64 dropped 66 20 other files (none is malicious) 19->66 dropped 30 bdcam.exe 19->30         started        32 netsh.exe 19->32         started        35 ROUTE.EXE 19->35         started        37 kg.exe 19->37         started        file10 signatures11 process12 dnsIp13 40 uc948ghxa.exe 23->40         started        43 7z.exe 23->43         started        52 5 other processes 23->52 112 Wscript starts Powershell (via cmd or directly) 25->112 46 reg.exe 1 1 25->46         started        54 3 other processes 25->54 56 2 other processes 28->56 114 Hides threads from debuggers 30->114 58 2 other processes 30->58 82 95.141.193.133 ALTURA-ASRU Russian Federation 32->82 48 conhost.exe 32->48         started        50 conhost.exe 35->50         started        68 C:\Users\user\AppData\Local\Temp\kg.exe, PE32 37->68 dropped file14 signatures15 process16 file17 106 Maps a DLL or memory area into another process 40->106 108 Sample uses process hollowing technique 40->108 72 C:\ProgramData\...\uc948ghxa.exe, PE32 43->72 dropped 110 Disable Windows Defender notifications (registry) 46->110 signatures18
Gathering data
Threat name:
Win32.Downloader.Bitser
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 23:27:04 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ill7hcqjhhorltb77uxnttdl4ouiciaidto4ayrhl4ifqimsb2bq._file
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:a04bdc2a0a76a79328fd273bdf81c935d5db8d54 evasion stealer
Link:
https://tria.ge/reports/210528-xsqesex9qa/
Behaviour
Delays execution with timeout.exe
Download via BitsAdmin
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Raccoon
Contains code to disable Windows Defender
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42d7f38a0939dd15cc3ffd2ed9cc6be3a88120081cddc062275f105821920e83

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments