MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 697798d7b063108abe8c5ea01ed847e75fc1bb7fb3649b83298df4bcfa6ff916. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 697798d7b063108abe8c5ea01ed847e75fc1bb7fb3649b83298df4bcfa6ff916
SHA3-384 hash: ca3b6c85b2aa1e9b59c381289de3085bd10c8b0f242b7912ecd1b79a9882963c440abcc8278007098830b79041d3fe52
SHA1 hash: f1b056dc1900fc8200b93186677aa6e3c9c92e07
MD5 hash: a7946c9b215e4d6a26dfddb131d04e69
humanhash: blue-oxygen-muppet-music
File name:a7946c9b215e4d6a26dfddb131d04e69.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:311'808 bytes
First seen:2021-08-07 09:25:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2ba8e1f75a8e02687cc194905c50074 (12 x RaccoonStealer, 1 x Stop, 1 x ArkeiStealer)
ssdeep 6144:65gGL/GRvMWvddCLPAnJRD3smuShCpr/5OCYAWsKV:efevPuPAnJRjZM/5ORH
Threatray 57 similar samples on MalwareBazaar
TLSH T15864F0217681CC32D6234A715C22F6E55F2AFC71183BDA5B3B81365E5F363E1AE15306
dhash icon 1272d292105c5c03 (31 x RaccoonStealer, 6 x Smoke Loader, 4 x Loki)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.253/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.253/ https://threatfox.abuse.ch/ioc/166000/

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x86_x64_setup.exe
Verdict:
Malicious activity
Analysis date:
2021-08-04 20:56:16 UTC
Tags:
evasion trojan rat redline opendir stealer raccoon vidar
Link:
https://app.any.run/tasks/ef620f33-4a1e-4c4f-a44b-cbe11b08fc62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177144/
Detection(s):
Win.Malware.Generic-9883819-0
Create hunting rule

Win.Packed.Generic-9883938-0
Create hunting rule

Win.Dropper.Ursnif-9884109-0
Create hunting rule

Win.Trojan.Generic-9884138-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending an HTTP GET request
Connecting to a non-recommended domain
Sending a UDP request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Query of malicious DNS domain
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/298b604d-e6ae-4765-b534-e28b0c939401
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828613
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461040 Sample: GCm5dlW06F.exe Startdate: 07/08/2021 Architecture: WINDOWS Score: 100 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 66 Antivirus detection for URL or domain 2->66 68 5 other signatures 2->68 9 GCm5dlW06F.exe 1 23 2->9         started        process3 dnsIp4 56 4kvideoyoutube.xyz 23.254.202.116, 49736, 80 HOSTWINDSUS United States 9->56 58 89.191.225.69, 49738, 80 MGNHOST-ASRU Russian Federation 9->58 60 7 other IPs or domains 9->60 46 C:\Users\user\AppData\...\7486113411.exe, PE32 9->46 dropped 48 C:\Users\user\...\tH7eC4aW2kA8fN2mF1pJ[1].exe, PE32 9->48 dropped 50 C:\Users\user\...\tH7eC4aW2kA8fN2mF1pJ[1].exe, PE32 9->50 dropped 78 Detected unpacking (changes PE section rights) 9->78 80 Detected unpacking (overwrites its own PE header) 9->80 82 May check the online IP address of the machine 9->82 84 Performs DNS queries to domains with low reputation 9->84 14 cmd.exe 1 9->14         started        16 cmd.exe 1 9->16         started        file5 signatures6 process7 process8 18 7486113411.exe 82 14->18         started        23 conhost.exe 14->23         started        25 taskkill.exe 1 16->25         started        27 conhost.exe 16->27         started        dnsIp9 52 telete.in 195.201.225.248, 443, 49755 HETZNER-ASDE Germany 18->52 54 94.158.245.253, 49757, 80 MIVOCLOUDMD Moldova Republic of 18->54 38 C:\Users\user\AppData\...\v3yXAxIirg.exe, PE32 18->38 dropped 40 C:\Users\user\AppData\...\vcruntime140.dll, PE32 18->40 dropped 42 C:\Users\user\AppData\...\ucrtbase.dll, PE32 18->42 dropped 44 57 other files (none is malicious) 18->44 dropped 70 Detected unpacking (changes PE section rights) 18->70 72 Detected unpacking (overwrites its own PE header) 18->72 74 Tries to steal Mail credentials (via file access) 18->74 76 Tries to harvest and steal browser information (history, passwords, etc) 18->76 29 v3yXAxIirg.exe 18->29         started        32 cmd.exe 1 18->32         started        file10 signatures11 process12 signatures13 86 Detected unpacking (changes PE section rights) 29->86 88 Detected unpacking (overwrites its own PE header) 29->88 34 conhost.exe 32->34         started        36 timeout.exe 1 32->36         started        process14
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/697798d7b063108abe8c5ea01ed847e75fc1bb7fb3649b83298df4bcfa6ff916/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 00:58:18 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nf3zrv5qmmiivpuml2qb5wch45p4do37wnsjxazjrx2lz6tp7ela._file
Verdict:
suspicious
Similar samples:
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
RaccoonStealer
4bf0a958bf731e67495df5bb0daffa049404d94d1138b0af8b6544fa69d1688e
RaccoonStealer
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
RaccoonStealer
a8b913ce201179d8e302d9924fed2cb40508d23741fa11554420cccce9caa772
RaccoonStealer
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
RaccoonStealer
f31538e8ea191fbb1ea2e89e4c3e9e8e6882aa31ffb225b35b3f68db4dbd83fc
RaccoonStealer
f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3
RaccoonStealer
fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e
RaccoonStealer
+ 47 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:8a89272858125c31016bc130ad19557408b8bbe4 discovery spyware stealer
Link:
https://tria.ge/reports/210807-d4nvqcvhae/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Raccoon Stealer Payload
Unpacked files
SH256 hash:
70d56173507f076c22da9381919220067035815b1a5430892031fe02495e47ac
MD5 hash:
247dd210b50701c3f966f66670e2ae06
SHA1 hash:
aa249585714a0bb9accc2d7c0633d334d8375e33
Link:
https://www.unpac.me/results/04aec62b-ea82-4ae4-b983-97b2bf1bdd81/
SH256 hash:
697798d7b063108abe8c5ea01ed847e75fc1bb7fb3649b83298df4bcfa6ff916
MD5 hash:
a7946c9b215e4d6a26dfddb131d04e69
SHA1 hash:
f1b056dc1900fc8200b93186677aa6e3c9c92e07
Link:
https://www.unpac.me/results/04aec62b-ea82-4ae4-b983-97b2bf1bdd81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/697798d7b063108abe8c5ea01ed847e75fc1bb7fb3649b83298df4bcfa6ff916

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177144/

Comments