MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be
SHA3-384 hash: 010d63b1b08e2fed8d9fe3d28adc35233a0e12f94627874cf1f09c5cc3f950a4e5e1c9805f5783f21985b0dca763f18b
SHA1 hash: 5a6d18b801c333a2c93c99aab7e2048f12bb433a
MD5 hash: 7d17a86a5bf1513e56e01d7468be87db
humanhash: table-avocado-comet-helium
File name:7d17a86a5bf1513e56e01d7468be87db
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:509'440 bytes
First seen:2021-08-06 10:51:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc9eff21144ed22ef598d26ba22e8d47 (6 x RaccoonStealer, 1 x GCleaner)
ssdeep 12288:HP7NeNk3cX/E7OJSUzhMzC5eQiQdIARwoOspd:HP7ANNvE7OHmzC8QdI25
Threatray 2'198 similar samples on MalwareBazaar
TLSH T18FB402513B80D772C8951D308C74CAA86B3D6D718D64560B37B9BB6BAF342F2367630A
dhash icon 81bcdcac9c8cb4a4 (6 x RaccoonStealer, 4 x RedLineStealer, 3 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d17a86a5bf1513e56e01d7468be87db
Verdict:
Malicious activity
Analysis date:
2021-08-06 10:53:20 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/707ceaba-528a-4346-832f-98655d89c9d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176967/
Detection(s):
Win.Malware.Generic-9883650-0
Create hunting rule

Win.Malware.Generic-9883707-0
Create hunting rule

Win.Malware.Generic-9883728-0
Create hunting rule

Win.Malware.Generic-9883752-0
Create hunting rule

Win.Malware.Generic-9883823-0
Create hunting rule

Win.Malware.Generic-9884015-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fa82743-24fa-4f50-9291-07907f6581d4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828226
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460657 Sample: n4UNftV8qH Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 89 Sigma detected: Xmrig 2->89 91 Multi AV Scanner detection for domain / URL 2->91 93 Multi AV Scanner detection for submitted file 2->93 95 6 other signatures 2->95 8 n4UNftV8qH.exe 83 2->8         started        13 win32update.exe 2->13         started        15 win32update.exe 2->15         started        17 13 other processes 2->17 process3 dnsIp4 81 telete.in 195.201.225.248, 443, 49717 HETZNER-ASDE Germany 8->81 83 ck37505.tmweb.ru 188.225.63.143, 443, 49726 TIMEWEB-ASRU Russian Federation 8->83 85 5.252.179.21, 49718, 80 MIVOCLOUDMD Moldova Republic of 8->85 67 C:\Users\user\AppData\...\BUbbXP8zXU.exe, PE32+ 8->67 dropped 69 C:\Users\user\AppData\LocalLow\1xVPfvJcrg, SQLite 8->69 dropped 71 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->71 dropped 73 58 other files (none is malicious) 8->73 dropped 111 Detected unpacking (changes PE section rights) 8->111 113 Detected unpacking (overwrites its own PE header) 8->113 115 Tries to steal Mail credentials (via file access) 8->115 117 Tries to harvest and steal browser information (history, passwords, etc) 8->117 19 BUbbXP8zXU.exe 11 4 8->19         started        23 cmd.exe 1 8->23         started        119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->119 121 Adds a directory exclusion to Windows Defender 13->121 25 powershell.exe 15->25         started        27 powershell.exe 15->27         started        29 powershell.exe 15->29         started        33 2 other processes 15->33 87 127.0.0.1 unknown unknown 17->87 123 Changes security center settings (notifications, updates, antivirus, firewall) 17->123 125 DLL side loading technique detected 17->125 31 MpCmdRun.exe 17->31         started        file5 signatures6 process7 file8 65 C:\Users\user\AppData\...\win32update.exe, PE32+ 19->65 dropped 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->97 99 Writes to foreign memory regions 19->99 101 Allocates memory in foreign processes 19->101 103 4 other signatures 19->103 35 InstallUtil.exe 19->35         started        39 powershell.exe 19->39         started        41 powershell.exe 24 19->41         started        51 3 other processes 19->51 53 2 other processes 23->53 43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        49 conhost.exe 31->49         started        signatures9 process10 dnsIp11 75 149.202.83.171, 3333, 49731 OVHFR France 35->75 77 pool.supportxmr.com 35->77 79 pool-fr.supportxmr.com 35->79 105 Query firmware table information (likely to detect VMs) 35->105 55 conhost.exe 35->55         started        107 Disable Windows Defender notifications (registry) 39->107 57 conhost.exe 39->57         started        59 conhost.exe 41->59         started        61 conhost.exe 51->61         started        63 conhost.exe 51->63         started        signatures12 109 Detected Stratum mining protocol 75->109 process13
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 21:35:48 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lndn6wrhdrhdllpraj3zfzadkma25b76jiis7cpva6zxkivvig7a._file
Verdict:
malicious
Similar samples:
11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a
RaccoonStealer
3afbed4e5f1478afdf560b832b2342fe53e565c204d724b4158d5b3f1a121bda
RaccoonStealer
4124f1b874e8d7b99bf59c36eb9ba36928018299a090e4eaf9dc0141551a8bde
RaccoonStealer
4afb5969afd2c92b331d1fef3412103b6fa4d1ab3f386b9cf505b694038790bc
RaccoonStealer
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
RaccoonStealer
523821c313298b7fadbe5b8807619b819130205c39698d1be04b1a4891b52c0e
RaccoonStealer
67e94de414ed1862f9e05c3cfbe6dca9f039871f5675d082975da34db4ff0cac
RaccoonStealer
765122a51ca892c353717e43af45875e9fed000ed736759b53b73155692bb775
RaccoonStealer
b987b62195f982a1b4b8bccfc559b20f96581c945b1fa3c7a4685ff8c7112db5
RaccoonStealer
+ 2'188 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:2ca2376c561d1af7f8b9e6f3256b06220a3db187 discovery persistence spyware stealer
Link:
https://tria.ge/reports/210806-nf18ern9ze/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Raccoon Stealer Payload
Unpacked files
SH256 hash:
6b3cb79e70b64516a491f38393de2bcbaeefe09e1aebf6900dc467441785db36
MD5 hash:
78142aaf4e92aa7b4883c0a81751c2a4
SHA1 hash:
3643762f4dd5fb81dd00ea49a6acfe0e362d8abe
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/b092f1e4-2287-4633-be50-d892051f6438/
Parent samples :
11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a
5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be
b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372
SH256 hash:
5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be
MD5 hash:
7d17a86a5bf1513e56e01d7468be87db
SHA1 hash:
5a6d18b801c333a2c93c99aab7e2048f12bb433a
Link:
https://www.unpac.me/results/b092f1e4-2287-4633-be50-d892051f6438/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1510883/
Cape
Cape
https://www.capesandbox.com/analysis/176967/

Comments


Avatar
zbet commented on 2021-08-06 10:51:20 UTC

url : hxxp://ck37505.tmweb.ru/1236.exe