MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0
SHA3-384 hash: 3690672a166eb2c832aab4a5337dd15255aea3f24fb343b524d56e57d7a93a2908f6b6232a03d38c1eda2ebd7e873f90
SHA1 hash: 2a8c22a93cfaa5b52d70ccba5a86107dd7955673
MD5 hash: c58ab85e86005430cf8b4eb02d203271
humanhash: dakota-glucose-alanine-robert
File name:c58ab85e86005430cf8b4eb02d203271
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:432'128 bytes
First seen:2021-12-07 11:16:18 UTC
Last seen:2021-12-07 12:57:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd61429d86f194f3b84d97af55b8c371 (3 x RedLineStealer, 1 x Amadey, 1 x RaccoonStealer)
ssdeep 6144:FM2cWRAPqsIQdzjAGwEnaOv7ghZnejObWULlPJgePsmUTJhuo5J:F9RAPzXtD+nUObW+lPJgekmUTmo
Threatray 4'423 similar samples on MalwareBazaar
TLSH T16694BE00E7A0D034F1F316F85AB69268A93F7AA15B3454DF53D466EA5B34AE0EC3131B
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c58ab85e86005430cf8b4eb02d203271
Verdict:
Malicious activity
Analysis date:
2021-12-07 22:57:30 UTC
Tags:
trojan evasion loader
Link:
https://app.any.run/tasks/d47a586b-12b8-469a-8caa-ce5b17b67c01

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/212081/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.2795.24091.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Query of malicious DNS domain
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1196/overview
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61af42b0fa72c81b5b0fe920/reports/1dcc46e2-6ad0-43f6-8e07-fefc7a9986d2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5775455f-bf13-40b8-90b9-88998f7c8956
Result
Threat name:
MedusaHTTP Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902959
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected MedusaHTTP
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 535437 Sample: 92vCuJxeIG Startdate: 07/12/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Antivirus detection for URL or domain 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 5 other signatures 2->69 9 92vCuJxeIG.exe 1 17 2->9         started        process3 dnsIp4 57 highart.top 185.82.219.16, 49768, 80 ITL-BG Bulgaria 9->57 59 185.70.186.174, 80 HOSTKEY-ASNL Netherlands 9->59 61 2 other IPs or domains 9->61 45 C:\Users\user\AppData\...\3016677051.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\Local\...\2wwbh2[1].cfg, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\2wwbh2[1].cfg, PE32 9->49 dropped 79 Detected unpacking (changes PE section rights) 9->79 81 Detected unpacking (overwrites its own PE header) 9->81 83 May check the online IP address of the machine 9->83 14 cmd.exe 1 9->14         started        16 svchost.exe 1 9->16         started        18 cmd.exe 1 9->18         started        file5 signatures6 process7 process8 20 3016677051.exe 82 14->20         started        25 conhost.exe 14->25         started        27 taskkill.exe 1 16->27         started        29 conhost.exe 16->29         started        dnsIp9 51 91.219.236.27, 49811, 80 SERVERASTRA-ASHU Hungary 20->51 53 91.219.236.97, 49812, 80 SERVERASTRA-ASHU Hungary 20->53 55 94.158.245.137, 49792, 80 MIVOCLOUDMD Moldova Republic of 20->55 37 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 20->37 dropped 39 C:\Users\user\AppData\...\vcruntime140.dll, PE32 20->39 dropped 41 C:\Users\user\AppData\...\ucrtbase.dll, PE32 20->41 dropped 43 56 other files (none is malicious) 20->43 dropped 71 Detected unpacking (changes PE section rights) 20->71 73 Detected unpacking (overwrites its own PE header) 20->73 75 Tries to steal Mail credentials (via file / registry access) 20->75 77 2 other signatures 20->77 31 cmd.exe 1 20->31         started        file10 signatures11 process12 process13 33 conhost.exe 31->33         started        35 timeout.exe 1 31->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-07 11:17:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lru3yykmmcjhtdhm7kaigwhjptnhydvfh4yodyjezmklkthz6gya._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6
RaccoonStealer
2f895a09ae635487eb6b767e6a95d90efa8d58a9d356229f5ee24f9963ab9e23
RaccoonStealer
4a47a042c53ecd2836f77477e003095403fe2b4194a48817fc420f8c224131a9
RaccoonStealer
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1
RaccoonStealer
5f131a6fd46a437ab6cfaf7ea0a554c9c9248ac8aaec7770a0f8395817ed7321
RaccoonStealer
a68f787d330808769f87c48f03f9da428bba40595757cd045535b20c7d66d53e
RaccoonStealer
a9dc8bc2e80847e41c306c393801632e02efcd1a516cea1104912c4ccaefa8a6
RaccoonStealer
+ 4'413 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:a2337059abb40b184e621b38e62ace3e1a158d50 stealer
Link:
https://tria.ge/reports/211207-ndpe9sghcp/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
219e17150170df3b02a78d880398772d4857e29fe27f534e750f1bcebdd53fa3
MD5 hash:
afe240752cdabe37b8db03d615737df9
SHA1 hash:
6f9288f7f21b86e9c9941b4a51bbea17bd301da7
Link:
https://www.unpac.me/results/6cf991b0-bcc6-46d2-a712-465e8a2ef9b3/
SH256 hash:
5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0
MD5 hash:
c58ab85e86005430cf8b4eb02d203271
SHA1 hash:
2a8c22a93cfaa5b52d70ccba5a86107dd7955673
Link:
https://www.unpac.me/results/6cf991b0-bcc6-46d2-a712-465e8a2ef9b3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5c69bc614c60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 5c69bc614c6092798cecfa808358e97cda7c0ea53f30e1e124cb14b54cf9f1b0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1862417/
Cape
Cape
https://www.capesandbox.com/analysis/212081/

Comments


Avatar
zbet commented on 2021-12-07 11:16:20 UTC

url : hxxp://highart.top/foradvertisingwwb.exe