MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 459d4fd9bd7ec69f47d9c3306856a7e6ec39b17ff2c88ae80dcac8e9daba760e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 459d4fd9bd7ec69f47d9c3306856a7e6ec39b17ff2c88ae80dcac8e9daba760e
SHA3-384 hash: a81d55a133ca50cc6d129a85e771af1dcc5eebe6d24c5986c56b1d7bb61a7a7358599d80957c0d384d6f882dfe1bfef2
SHA1 hash: f6f5202b9e38a257f5f0bbc784eb4b9ff6c481af
MD5 hash: f626600409cd7eaa72c1105a52002cd5
humanhash: steak-batman-fifteen-zebra
File name:IMAGE-07102021.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:622'595 bytes
First seen:2021-10-06 09:36:52 UTC
Last seen:2021-10-06 11:13:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:/BcHbkK2euIqSd/fGL8GRf0+FaGdA8pqtNcSgUJBS9cyYqlH:/EkZeuIqyXGb8nGdp8JJwYqB
Threatray 3'496 similar samples on MalwareBazaar
TLSH T10ED4236431A04DB7E97256712E2677A4E23E01599792DB070FF8BD373527A8F6EC820C
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.243/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.243/ https://threatfox.abuse.ch/ioc/230868/

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMAGE-07102021.exe
Verdict:
Malicious activity
Analysis date:
2021-10-06 09:50:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4a63eb87-544c-4bb4-b996-935cebb0aac3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195439/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.3002.8626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615d6e4198a6280f3932d3da/reports/0033a376-b26f-4081-8969-beed9f7913b1/overview
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d04f404-709e-4748-9159-9f4c8b89c2d8
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865403
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Sigma detected: Bypass UAC via Fodhelper.exe
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497833 Sample: IMAGE-07102021.exe Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 81 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->81 83 Multi AV Scanner detection for domain / URL 2->83 85 Found malware configuration 2->85 87 5 other signatures 2->87 10 IMAGE-07102021.exe 17 2->10         started        14 fodhelper.exe 16 2->14         started        16 fodhelper.exe 16 2->16         started        18 fodhelper.exe 16 2->18         started        process3 file4 59 C:\Users\user\AppData\...\shezrrlykr.dll, PE32 10->59 dropped 93 Injects a PE file into a foreign processes 10->93 20 IMAGE-07102021.exe 83 10->20         started        61 C:\Users\user\AppData\Local\...\zsvuaeelp.dll, PE32 14->61 dropped 25 fodhelper.exe 14->25         started        63 C:\Users\user\AppData\Local\...\zsvuaeelp.dll, PE32 16->63 dropped 27 fodhelper.exe 16->27         started        65 C:\Users\user\AppData\Local\...\zsvuaeelp.dll, PE32 18->65 dropped 29 fodhelper.exe 18->29         started        signatures5 process6 dnsIp7 67 91.219.236.243, 49758, 80 SERVERASTRA-ASHU Hungary 20->67 69 jebarryplbg.com 104.21.15.10, 443, 49759 CLOUDFLARENETUS United States 20->69 71 teletop.top 172.67.176.216, 49757, 80 CLOUDFLARENETUS United States 20->71 49 C:\Users\user\AppData\...\kqeFbMCxYg.exe, PE32 20->49 dropped 51 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 20->51 dropped 53 C:\Users\user\AppData\...\vcruntime140.dll, PE32 20->53 dropped 55 57 other files (none is malicious) 20->55 dropped 89 Tries to steal Mail credentials (via file access) 20->89 91 Tries to harvest and steal browser information (history, passwords, etc) 20->91 31 kqeFbMCxYg.exe 17 20->31         started        36 schtasks.exe 1 25->36         started        file8 signatures9 process10 dnsIp11 73 192.168.2.1 unknown unknown 31->73 47 C:\Users\user\AppData\Local\...\zsvuaeelp.dll, PE32 31->47 dropped 75 Uses schtasks.exe or at.exe to add and modify task schedules 31->75 77 Injects a PE file into a foreign processes 31->77 79 Contains functionality to compare user and computer (likely to detect sandboxes) 31->79 38 kqeFbMCxYg.exe 2 31->38         started        41 conhost.exe 36->41         started        file12 signatures13 process14 file15 57 C:\Users\user\AppData\...\fodhelper.exe, PE32 38->57 dropped 43 schtasks.exe 1 38->43         started        process16 process17 45 conhost.exe 43->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/459d4fd9bd7ec69f47d9c3306856a7e6ec39b17ff2c88ae80dcac8e9daba760e/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 09:37:10 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwou7wn5p3dj6r6zymygqvvh43wdtml76leiv2anzleotwv2oyha._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
5451dce2ce5d9e6b5f9ed22dd2b535b36557c73511b734134fa8877f064eb8d7
RaccoonStealer
58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54
RaccoonStealer
71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a
RaccoonStealer
7383c5e9d047eff7d5a91139c0f5c1c80c1cae7fdf5ebb59a0db20a05abb58a2
RaccoonStealer
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
RaccoonStealer
b7b037355cc6e9dc7f9c665f1ea987bafed82a4825409a5d05cde15c6d243dff
RaccoonStealer
c37589d196b538bdbe783c81ba966e7a3689f9867cf5d22d207a602c86ebdf7e
RaccoonStealer
c67646ba071947726cb2420a03887901a79a762844862eeb61f2fa8349ea355f
RaccoonStealer
dded956a99823dc3d87aafa2764e9a561eb9df6b571251f118468052143d76cc
RaccoonStealer
dedecac051c66649d617a251056138a2e59e530a0c172b7c851b6a10d8c45222
RaccoonStealer
+ 3'486 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:27c9b6ae257af0ad6f3f3330ea633fc782fa4daf stealer
Link:
https://tria.ge/reports/211006-llgpaaahh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
459d4fd9bd7ec69f47d9c3306856a7e6ec39b17ff2c88ae80dcac8e9daba760e
MD5 hash:
f626600409cd7eaa72c1105a52002cd5
SHA1 hash:
f6f5202b9e38a257f5f0bbc784eb4b9ff6c481af
Link:
https://www.unpac.me/results/af2a2381-5513-49e1-a101-e19f0e740216/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/459d4fd9bd7e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/459d4fd9bd7ec69f47d9c3306856a7e6ec39b17ff2c88ae80dcac8e9daba760e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195439/

Comments