MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58c71548ede50a7c277a21b9f38394c03c068a167d858dcbaf82a4f2d975e24c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58c71548ede50a7c277a21b9f38394c03c068a167d858dcbaf82a4f2d975e24c
SHA3-384 hash: b0689c321c92073d04b4bee37847ef5a70e40fb55088ebe5173b19bc25e92bdfb0e1413f95b280452167fa3b0ee800b7
SHA1 hash: b917c2fbf0984d2e267d7086be5e67c6a08a84ae
MD5 hash: a127413f40c8fcbdcef19ce0aa1d70fb
humanhash: romeo-triple-blue-lima
File name:a127413f40c8fcbdcef19ce0aa1d70fb
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'009'152 bytes
First seen:2022-01-07 00:26:44 UTC
Last seen:2022-01-07 01:41:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:WYhBD6ZjGMs9DBCZypR9uQ7YE9bV4ESKtT/B5hr:TEsVBCZC2QB60j
Threatray 301 similar samples on MalwareBazaar
TLSH T1BF250ADD51C15849CFEF07F01DFBE26E85B292C6134B4BEA731E91F06B2208EA56D4A1
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a127413f40c8fcbdcef19ce0aa1d70fb
Verdict:
Malicious activity
Analysis date:
2022-01-07 00:31:09 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/dee3b9ad-d53f-487c-ac4e-f5c13609e2ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217626/
Detection(s):
SecuriteInfo.com.AgentTesla-FDCVA127413F40C8.6878.4569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
DNS request
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit packed
Link:
https://www.filescan.io/uploads/61d788d81c0d769df9d43976/reports/1d3c8a5e-d7af-49f4-aa17-d059bc5b892f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37665388-d65e-40d1-969a-2179648e4c9b
Result
Threat name:
Clipboard Hijacker Phoenix Miner Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916597
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Phoenix Miner
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549071 Sample: hBrgz6JniB Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 114 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->114 116 Antivirus detection for URL or domain 2->116 118 Multi AV Scanner detection for submitted file 2->118 120 8 other signatures 2->120 9 hBrgz6JniB.exe 3 2->9         started        13 RegHost.exe 2->13         started        15 RegHost.exe 2->15         started        17 2 other processes 2->17 process3 file4 92 C:\Users\user\AppData\...\hBrgz6JniB.exe.log, ASCII 9->92 dropped 162 Writes to foreign memory regions 9->162 164 Injects a PE file into a foreign processes 9->164 19 RegAsm.exe 15 10 9->19         started        166 Detected unpacking (changes PE section rights) 13->166 168 Detected unpacking (overwrites its own PE header) 13->168 170 Allocates memory in foreign processes 13->170 24 bfsvc.exe 13->24         started        26 conhost.exe 13->26         started        172 Modifies the context of a thread in another process (thread injection) 15->172 174 Hides threads from debuggers 15->174 28 bfsvc.exe 15->28         started        30 conhost.exe 15->30         started        32 schtasks.exe 17->32         started        34 conhost.exe 17->34         started        36 bfsvc.exe 17->36         started        signatures5 process6 dnsIp7 98 c9d0e790b353537889bd47a364f5acff43c11f246.xyz 185.112.83.97, 49746, 80 SUPERSERVERSDATACENTERRU Russian Federation 19->98 100 49.12.47.66, 27973, 49748 HETZNER-ASDE Germany 19->100 102 2 other IPs or domains 19->102 74 C:\Users\user\AppData\Roaming\whw.exe, PE32 19->74 dropped 76 C:\Users\user\AppData\Roaming\safas2f.exe, PE32+ 19->76 dropped 78 C:\Users\user\AppData\Roaming\e3dwefw.exe, PE32 19->78 dropped 80 C:\Users\user\AppData\Roaming\clipper.exe, PE32 19->80 dropped 122 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->122 124 Performs DNS queries to domains with low reputation 19->124 126 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->126 38 clipper.exe 19->38         started        41 safas2f.exe 1 2 19->41         started        44 whw.exe 3 19->44         started        47 e3dwefw.exe 1 19->47         started        82 \Device\ConDrv, ASCII 28->82 dropped 128 Hides threads from debuggers 28->128 49 conhost.exe 32->49         started        file8 signatures9 process10 dnsIp11 138 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 38->138 140 Writes to foreign memory regions 38->140 142 Allocates memory in foreign processes 38->142 144 Injects a PE file into a foreign processes 38->144 51 AppLaunch.exe 38->51         started        56 WerFault.exe 38->56         started        94 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 41->94 dropped 146 Detected unpacking (changes PE section rights) 41->146 148 Detected unpacking (overwrites its own PE header) 41->148 150 Injects code into the Windows Explorer (explorer.exe) 41->150 160 2 other signatures 41->160 58 bfsvc.exe 41->58         started        60 curl.exe 1 41->60         started        62 conhost.exe 41->62         started        64 explorer.exe 41->64         started        112 45.147.196.146, 49810, 6213 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Ukraine 44->112 152 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->152 154 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->154 156 Tries to steal Crypto Currency Wallets 44->156 96 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 47->96 dropped 158 Uses schtasks.exe or at.exe to add and modify task schedules 47->158 66 schtasks.exe 1 47->66         started        file12 signatures13 process14 dnsIp15 104 185.163.204.24, 49809, 49840, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 51->104 106 5.181.156.155, 49808, 80 MIVOCLOUDMD Moldova Republic of 51->106 110 2 other IPs or domains 51->110 84 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 51->84 dropped 86 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 51->86 dropped 88 C:\Users\user\AppData\...\mozglue.dll, PE32 51->88 dropped 90 56 other files (none is malicious) 51->90 dropped 130 Tries to steal Mail credentials (via file / registry access) 51->130 132 Tries to harvest and steal browser information (history, passwords, etc) 51->132 134 DLL side loading technique detected 51->134 136 Hides threads from debuggers 58->136 68 conhost.exe 58->68         started        108 api.telegram.org 149.154.167.220, 443, 49752 TELEGRAMRU United Kingdom 60->108 70 conhost.exe 60->70         started        72 conhost.exe 66->72         started        file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58c71548ede50a7c277a21b9f38394c03c068a167d858dcbaf82a4f2d975e24c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 16:42:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lddrkshn4ufhyj32eg47ha4uya6ancqwpwcy3s5pqkspfwlv4jga._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
016c36da3c46c38f9bc18970acf60b437503e15139fd1047f4b73cdad4d6342a
RaccoonStealer
1bbee1727c791557b1119c32a93c58964414a1cce3dcc0601f92bb628e033a59
RaccoonStealer
63680cb50ca4c6ec5837dbc45a9a58f9b27fd33fb47e37e4e848225d0d0a1f2f
RaccoonStealer
92ccbbead3ca1c2a221c3dd06da16bb15fe6aef02859087c09c7d248017d955d
RaccoonStealer
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
RaccoonStealer
9c183568a371d5bfd048cb80caed15756b50d8cb7f5e3e8ec6bce045c35216ed
RaccoonStealer
+ 291 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:cheat discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/220107-arrwnacbcl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
Malware Config
C2 Extraction:
49.12.47.66:27973
45.147.196.146:6213
Unpacked files
SH256 hash:
ce9a099d70fb24b7207573d72c6711b2b65f1abb792330a045d6028b9cb9aeae
MD5 hash:
dc6699122beef77a739920d2a6eb2150
SHA1 hash:
f3a0390cdd6548a72a7b3948256c1ca05ea64520
Link:
https://www.unpac.me/results/68f7c48a-5e76-47f2-a0df-1cdbc835f670/
SH256 hash:
58c71548ede50a7c277a21b9f38394c03c068a167d858dcbaf82a4f2d975e24c
MD5 hash:
a127413f40c8fcbdcef19ce0aa1d70fb
SHA1 hash:
b917c2fbf0984d2e267d7086be5e67c6a08a84ae
Link:
https://www.unpac.me/results/68f7c48a-5e76-47f2-a0df-1cdbc835f670/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/58c71548ede5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/58c71548ede50a7c277a21b9f38394c03c068a167d858dcbaf82a4f2d975e24c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 58c71548ede50a7c277a21b9f38394c03c068a167d858dcbaf82a4f2d975e24c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1954104/
Cape
Cape
https://www.capesandbox.com/analysis/217626/

Comments


Avatar
zbet commented on 2022-01-07 00:26:46 UTC

url : hxxp://data-host-coin-8.com/files/7646_1641475547_2571.exe