MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bb99aadf6fb6f90e663f4b63e21588314b13c490351d62785b8b7d7c8199efb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bb99aadf6fb6f90e663f4b63e21588314b13c490351d62785b8b7d7c8199efb
SHA3-384 hash: a985ff5ef75785f0603506942970ef0e4a17e8d2f29dba10e01d73553ffadd34f30eaf102f92722ddd9faa5b00838d43
SHA1 hash: 3d92a378146ecb6cdbd149a229114655dd494d6b
MD5 hash: 0f67920b18100442a0a896d60dfa4656
humanhash: blossom-alaska-kitten-utah
File name:Usd transfer & Invoice.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'222'656 bytes
First seen:2021-08-26 07:55:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:euUIkMD+2337P1AOfXRvL9wOhH1RBk4Cch:pPld3rSOfXRjK2y/
Threatray 2'244 similar samples on MalwareBazaar
TLSH T16445E53C98FD2927C066CA76CBF4D827B404D9AF3226ADA554D757260353B8330D7A2E
dhash icon d4b0aa8b8bae9edc (7 x Formbook, 7 x Loki, 5 x AgentTesla)
Reporter GovCERT_CH
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Usd transfer & Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-08-26 07:56:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/59b31152-7de3-47cb-8b09-ca7b1a1323fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182542/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a97ab25-519a-42a7-9e06-f2c92c66d27b
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/839568
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6bb99aadf6fb6f90e663f4b63e21588314b13c490351d62785b8b7d7c8199efb/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 07:56:10 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=no4zvlpw7nxzbztd6s3d4ikyqmklcpcjani5mj4fxc35psazt35q._file
Verdict:
malicious
Similar samples:
445bd1c221cff019e52db89d03e05a8c22509cea0ede28da6d55bff7fd840bae
RaccoonStealer
70c61a7220e7df5841fded5bafa8340c388440911f8c894b35872188f300f29d
RaccoonStealer
d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
RaccoonStealer
da8777fa1ea919560e5fd0fcad56f265546fa9fa5e061776705da8a79ec1ca7c
RaccoonStealer
ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da
RaccoonStealer
+ 2'234 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:829b8253290a33cf285fa6fea2c8437d0e687dde stealer
Link:
https://tria.ge/reports/210826-g9vz66tfre/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Raccoon
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/6ce72976-c6fa-4f04-b99b-b18454fb1aab/
SH256 hash:
64c6c8dee57bf8f2cca7c63bf8c2015eaa5a75ef09b1409eb7a5001768d09648
MD5 hash:
7d42fbbc11fedfd3233fe3b459a0ab69
SHA1 hash:
92aa9094173d557543e4c800da62663cc18b2307
Link:
https://www.unpac.me/results/6ce72976-c6fa-4f04-b99b-b18454fb1aab/
SH256 hash:
b84a89f13c06fd9847f36ef49c41a52b1346add8890bdc069b875bd3acb1884a
MD5 hash:
04306bb0e947cd2487705441d8008159
SHA1 hash:
3ea6b48b5f2fccd7c88f5d78b951447089c4c8ae
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/6ce72976-c6fa-4f04-b99b-b18454fb1aab/
Parent samples :
da8777fa1ea919560e5fd0fcad56f265546fa9fa5e061776705da8a79ec1ca7c
445bd1c221cff019e52db89d03e05a8c22509cea0ede28da6d55bff7fd840bae
6bb99aadf6fb6f90e663f4b63e21588314b13c490351d62785b8b7d7c8199efb
403fb79c97c2bb3948a866e60b9f77bc41c5dca8122df6a3ab15a0c11db71261
SH256 hash:
6bb99aadf6fb6f90e663f4b63e21588314b13c490351d62785b8b7d7c8199efb
MD5 hash:
0f67920b18100442a0a896d60dfa4656
SHA1 hash:
3d92a378146ecb6cdbd149a229114655dd494d6b
Link:
https://www.unpac.me/results/6ce72976-c6fa-4f04-b99b-b18454fb1aab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/6bb99aadf6fb6f90e663f4b63e21588314b13c490351d62785b8b7d7c8199efb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RaccoonStealer

Executable exe 6bb99aadf6fb6f90e663f4b63e21588314b13c490351d62785b8b7d7c8199efb

(this sample)

  
Dropped by
RaccoonStealer
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182542/

Comments