MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6751f6f222501da88e6c56d558b2032906130558fc993e184ff173850f2b6154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

SHA256 hash: 6751f6f222501da88e6c56d558b2032906130558fc993e184ff173850f2b6154
SHA3-384 hash: 623ba2e7006aca4536fdb0cbbd716bdc264e3810b76cd77de1732b85ce4c5a86e1c335aa7fd5c0a65052a3245e463ea5
SHA1 hash: 35ec6734d59210aa8f11ce1b3713bf96e66f5941
MD5 hash: 9c1fc593fb35734de8741a3dd9cd9089
humanhash: william-october-asparagus-happy
File name: 9c1fc593fb35734de8741a3dd9cd9089.exe
Signature: RaccoonStealer
File size: 899'072 bytes
First seen: 2021-05-08 06:58:52 UTC
Last seen: 2021-05-08 08:02:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5f1a8fb17e535ee15ba0bcd80f9090af (1 x Stop, 1 x RaccoonStealer)
ssdeep: 12288:teBQsCN6Ljm93U+Su83CJkXayu8pyk+shOiUSCnwqFY+nluvi7GWoDsh:QysLSOu833Xayu8r+zwl+nUaOo
Threatray: 98 similar samples on MalwareBazaar
TLSH: 6015F220F653C436E5F715F449B682AC69297EA05B2420CF13D62BEA47346E1BC31EB7
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 3
# of downloads: 143
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 96 / 100
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Djvu Ransomware
Behaviour
Behavior Graph (ID 407953; sample CZnvYmkPm7.exe; start date 08/05/2021; architecture WINDOWS; score 96), laid out as a process tree from the graph export:

Sample start
  DNS: clientconfig.passport.net
  Signatures: Multi AV Scanner detection for submitted file; Yara detected Djvu Ransomware; Machine Learning detection for sample
  Starts four CZnvYmkPm7.exe instances:
    CZnvYmkPm7.exe
      Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes
      Starts CZnvYmkPm7.exe
        Network: api.2ip.ua (77.123.139.190, ports 443, 49692, 49697; VOLIA-ASUA, Ukraine)
        Dropped: C:\Users\user\AppData\...\CZnvYmkPm7.exe (PE32); C:\Users\...\CZnvYmkPm7.exe:Zone.Identifier (ASCII)
        Starts CZnvYmkPm7.exe
          Signature: Injects a PE file into a foreign processes
          Starts CZnvYmkPm7.exe
            Network: api.2ip.ua
        Starts icacls.exe
    CZnvYmkPm7.exe
      Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
      Starts CZnvYmkPm7.exe
        Network: 192.168.2.1 (unknown)
    CZnvYmkPm7.exe
      Starts CZnvYmkPm7.exe
    CZnvYmkPm7.exe
      Starts CZnvYmkPm7.exe
Threat name: Win32.Trojan.Bomitag
Status: Malicious
First seen: 2021-05-08 01:46:00 UTC
AV detection: 13 of 29 (44.83%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:1d76a465540f6a904ac9f1310fe3a3824b5b4549 discovery evasion persistence spyware stealer
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 9b3dc949d6d3cce7f9dd94b51ba8d822ee345d0df2f90f8a6618684824e2b95b
MD5 hash: a6fe56089c98ee5373b4cf22d4b16d74
SHA1 hash: 120c33917ab39703c4ada6789748c8eed157c164
Detections: win_stop_auto
Parent samples:
SHA256 hash: 6751f6f222501da88e6c56d558b2032906130558fc993e184ff173850f2b6154
MD5 hash: 9c1fc593fb35734de8741a3dd9cd9089
SHA1 hash: 35ec6734d59210aa8f11ce1b3713bf96e66f5941
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RaccoonStealer
File: Executable exe 6751f6f222501da88e6c56d558b2032906130558fc993e184ff173850f2b6154 (this sample)

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-08 07:07:31 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0045] File System Micro-objective::Copy File
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
13) [C0040] Process Micro-objective::Allocate Thread Local Storage
14) [C0043] Process Micro-objective::Check Mutex
15) [C0041] Process Micro-objective::Set Thread Local Storage Value
16) [C0018] Process Micro-objective::Terminate Process