MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe
SHA3-384 hash: d68b6525bb00824a3787ec367820d83302d0e396942ca9ae83dda1d26cc6fc48ec608324a9262ab1482781471c6e73e8
SHA1 hash: 1d5cdcbc59881c8e4623156df12b448d92d52de0
MD5 hash: 0aecb987fe54d6a7ce3564e896d9474a
humanhash: kilo-fish-mockingbird-indigo
File name:0aecb987fe54d6a7ce3564e896d9474a.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:8'114'818 bytes
First seen:2023-09-01 17:10:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5aac13b454c010f0b5d38f6a34b2bd36 (1 x RaccoonStealer)
ssdeep 98304:H0oAscORbbtQcHoH8l5c9Br/yJenMFfYrwnYA5dsorfQYvxyvejlgAGCgbRFWMxS:H0QbbHoHs5c9xdMbfP2ejTevyZ
Threatray 368 similar samples on MalwareBazaar
TLSH T18D86E152BB478E87C5459E346863604C9CB4F0CE7F43EAA77A9C324E4E133816BE66C5
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e8e8b8b0b8aca4e4 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
None C2:
http://proxyindex.xyz/c2conf

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0aecb987fe54d6a7ce3564e896d9474a.exe
Verdict:
Malicious activity
Analysis date:
2023-09-01 17:12:15 UTC
Tags:
lumma stealer loader
Link:
https://app.any.run/tasks/4a648792-48da-4a82-8f35-a2fe6e579018

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445642/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.25677.5951.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a recently created file
Replacing files
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Reading critical registry keys
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto overlay packed packed
Link:
https://www.filescan.io/uploads/64f21b287444d2eb09f4ef7e/reports/f8c507fa-2661-4fe3-9072-8b116f5496bd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f712be2b-64e8-4c7f-93df-8602c8e587e9
Result
Threat name:
LummaC Stealer, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1301784
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected VMProtect packer
Drops password protected ZIP file
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1301784 Sample: 8pargHFfae.exe Startdate: 01/09/2023 Architecture: WINDOWS Score: 100 80 Snort IDS alert for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 13 other signatures 2->86 10 8pargHFfae.exe 13 2->10         started        process3 dnsIp4 66 217.196.96.130, 49752, 49760, 49761 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 10->66 68 188.114.96.7, 49715, 49717, 49718 CLOUDFLARENETUS European Union 10->68 70 proxyindex.xyz 188.114.97.7, 49714, 49716, 49722 CLOUDFLARENETUS European Union 10->70 58 C:\Users\user\AppData\...\buefolmuxoi.exe, PE32 10->58 dropped 92 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->92 94 Query firmware table information (likely to detect VMs) 10->94 96 Performs DNS queries to domains with low reputation 10->96 98 3 other signatures 10->98 15 buefolmuxoi.exe 8 10->15         started        file5 signatures6 process7 file8 60 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 15->60 dropped 62 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 15->62 dropped 72 Antivirus detection for dropped file 15->72 74 Multi AV Scanner detection for dropped file 15->74 19 cmd.exe 2 15->19         started        signatures9 process10 process11 21 4523423.exe 15 31 19->21         started        26 7z.exe 2 19->26         started        28 7z.exe 3 19->28         started        30 4 other processes 19->30 dnsIp12 64 pastebin.com 172.67.34.170, 443, 49759 CLOUDFLARENETUS United States 21->64 50 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 21->50 dropped 52 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 21->52 dropped 54 C:\ProgramData\HostData\logs.uce, ASCII 21->54 dropped 88 Sample is not signed and drops a device driver 21->88 32 cmd.exe 1 21->32         started        35 cmd.exe 21->35         started        37 cmd.exe 21->37         started        56 C:\Users\user\AppData\Local\...\4523423.exe, PE32 26->56 dropped file13 signatures14 process15 signatures16 76 Encrypted powershell cmdline option found 32->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 32->78 39 powershell.exe 21 32->39         started        42 conhost.exe 32->42         started        44 conhost.exe 35->44         started        46 schtasks.exe 35->46         started        48 conhost.exe 37->48         started        process17 signatures18 90 Potential dropper URLs found in powershell memory 39->90
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 09:01:38 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
18 of 38 (47.37%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqqnk3t5s2m5yglcznkqjtixpvbivipcx64wu567urkzi7lrft7a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
RaccoonStealer
35b70fc462fe02d507a58c2b5a33ddd5e26aadc7ac8fe3beae2a82666c8b17c6
RaccoonStealer
38e66e1c80433f2a4e16a708f8cb5e26ed32963f38664ffe398827271d7f41e6
RaccoonStealer
47e6060b55267523e0ff1b66de2bca8302c6de5125a0514a75ff94951cc11982
RaccoonStealer
4c5c389d0f6cbdaf6fd89585559d71a37e061e7678aa1a5391d82657f8890569
RaccoonStealer
51d90d0f36824178f6d6331e3fd67540fefb3414f2a22e631a91adb0e1528e7c
RaccoonStealer
5af998eadaf766f821394c52cf9270a0c87a6c579d315782f78ac053b31a133b
RaccoonStealer
5c43e762e23599c29a344fabf02fe235e79c9e4697da49d0a17334979faa3920
RaccoonStealer
86f5b4f32c68f9337a19363da77d77b6275923da37d2e4144b8f0740620fd3ac
RaccoonStealer
f65152edceb657dc8745194f2b3f0c02ec64b82e4131fe6859afadaf4e39a87f
RaccoonStealer
+ 358 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer vmprotect
Link:
https://tria.ge/reports/230901-vp9nxage75/
Behaviour
Creates scheduled task(s)
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VMProtect packed file
Downloads MZ/PE file
Unpacked files
SH256 hash:
4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe
MD5 hash:
0aecb987fe54d6a7ce3564e896d9474a
SHA1 hash:
1d5cdcbc59881c8e4623156df12b448d92d52de0
Link:
https://www.unpac.me/results/f8789a3c-1e2d-486d-8eca-3c481e14daca/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4420d56e7d96/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4420d56e7d9699dc1962cb5504cd177d428aa1e2bfb96a77dfa455947d712cfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445642/

Comments