MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59c8968c387cc10887a2cae1a5353d0cac816a80e64fa6f76f219469450ad17f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59c8968c387cc10887a2cae1a5353d0cac816a80e64fa6f76f219469450ad17f
SHA3-384 hash: 2bd88a24363f9e1ad1f45fe18a90d65f1bb7125b2ca9c6d4666884df11b59212fe6fcd0b064bee8e4bca63d6f5c98138
SHA1 hash: 60f2c4980418decf5df389dcdb1e069967909f3e
MD5 hash: 19c1668bc024f5d190a5dec8da3aee70
humanhash: apart-pip-enemy-gee
File name:19c1668bc024f5d190a5dec8da3aee70
Download: download sample
File size:5'299'912 bytes
First seen:2021-09-11 18:37:59 UTC
Last seen:2021-09-11 20:16:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b9290431b366a1252cf05522cb28180 (8 x RaccoonStealer)
ssdeep 98304:I/xbapfOiNqjfMc2DRcE0oTo22ObpcpPwwD8PNHUFDxxxRut5dmjBXMiZT397MwK:0x+pfOi2fXyCio22kwD40FDxfR0PmZMZ
Threatray 110 similar samples on MalwareBazaar
TLSH T1433623A302753089E5A1CC3DD523FDE4F5FA17868B42E8BC55EBACD626618D4E603E43
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AD3335A123F2AD4283E96D367B61EC85.bin
Verdict:
Malicious activity
Analysis date:
2021-09-11 16:53:36 UTC
Tags:
trojan evasion stealer loader opendir rat redline raccoon
Link:
https://app.any.run/tasks/e0abd6ce-f20d-4137-9495-6216072a40c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187090/
Detection(s):
SecuriteInfo.com.Win32.Packed.VMProtect.YC.9316.8840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7f9517d-74b1-4d15-869c-e7f841d83aa2
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849245
Signature
Detected unpacking (changes PE section rights)
Drops VBS files to the startup folder
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481676 Sample: bm5CTUWag6 Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 67 8 other signatures 2->67 8 bm5CTUWag6.exe 83 2->8         started        13 EH2UWwsj8p.exe 3 2->13         started        15 sihost.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 55 telete.in 195.201.225.248, 443, 49747 HETZNER-ASDE Germany 8->55 57 45.9.20.101, 3758, 49749, 49777 DEDIPATH-LLCUS Russian Federation 8->57 59 5.181.156.77, 49748, 80 MIVOCLOUDMD Moldova Republic of 8->59 47 C:\Users\user\AppData\...\ddIco3XBaN.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\...H2UWwsj8p.exe, PE32+ 8->49 dropped 51 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->51 dropped 53 58 other files (none is malicious) 8->53 dropped 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->87 89 Tries to steal Mail credentials (via file access) 8->89 91 Self deletion via cmd delete 8->91 105 2 other signatures 8->105 19 EH2UWwsj8p.exe 3 4 8->19         started        23 ddIco3XBaN.exe 1 8->23         started        25 cmd.exe 1 8->25         started        93 Detected unpacking (changes PE section rights) 13->93 95 Query firmware table information (likely to detect VMs) 13->95 97 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->97 107 2 other signatures 13->107 99 Tries to evade analysis by execution special instruction which cause usermode exception 15->99 101 Hides threads from debuggers 15->101 27 schtasks.exe 1 15->27         started        103 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->103 29 EH2UWwsj8p.exe 17->29         started        file5 signatures6 process7 file8 41 C:\Users\user\AppData\...H2UWwsj8p.exe, PE32+ 19->41 dropped 43 C:\Users\user\AppData\...H2UWwsj8p.vbs, ASCII 19->43 dropped 69 Query firmware table information (likely to detect VMs) 19->69 71 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->73 75 Drops VBS files to the startup folder 19->75 45 C:\Users\user\AppData\Roaming\...\sihost.exe, PE32 23->45 dropped 77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 23->79 81 Tries to evade analysis by execution special instruction which cause usermode exception 23->81 31 schtasks.exe 1 23->31         started        33 conhost.exe 25->33         started        35 timeout.exe 1 25->35         started        37 conhost.exe 27->37         started        83 Hides threads from debuggers 29->83 85 Tries to detect sandboxes / dynamic malware analysis system (registry check) 29->85 signatures9 process10 process11 39 conhost.exe 31->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59c8968c387cc10887a2cae1a5353d0cac816a80e64fa6f76f219469450ad17f/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 16:37:39 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6
81074c41b76fd86ce228d266821c33d86a7448f30f58966d7990b77ba321552e
81d14d241a35f52dae782c57784168f5295776984eb55d9f88f9f0cf12e67f72
8344424b2ab65b90171d02df7f9f8625308284c4b25e0e489c005f9c164784c2
a761168b889a5c5ff56defeb1cedb786ffa90e3b61b6660cfc41e49b1ee638f0
c5597c29f2c4b319d151a62e448202f3af45b2edd28d95513f44badd3292623c
+ 100 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210911-w93xjaeffn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
542605986857cc21d237dd472a6113ccee4b1d0c92b44a5287d8878d7a1fe06b
MD5 hash:
599ab1b1d0a8b5c39d3785eaf8e72d3f
SHA1 hash:
6fb445b720fcd54f221f14b318993c1ef8d7fd84
Link:
https://www.unpac.me/results/6ede59b9-32e9-4792-a8b1-7c742f36d729/
SH256 hash:
59c8968c387cc10887a2cae1a5353d0cac816a80e64fa6f76f219469450ad17f
MD5 hash:
19c1668bc024f5d190a5dec8da3aee70
SHA1 hash:
60f2c4980418decf5df389dcdb1e069967909f3e
Link:
https://www.unpac.me/results/6ede59b9-32e9-4792-a8b1-7c742f36d729/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/59c8968c387c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/59c8968c387cc10887a2cae1a5353d0cac816a80e64fa6f76f219469450ad17f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 59c8968c387cc10887a2cae1a5353d0cac816a80e64fa6f76f219469450ad17f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187090/
  
URLhaus
https://urlhaus.abuse.ch/url/1549207/

Comments


Avatar
zbet commented on 2021-09-11 18:38:00 UTC

url : hxxp://37.0.10.214/WW/file4.exe