MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e
SHA3-384 hash: 72206dae32d6dd8a165b308460e0043a986115bf889bac7903e7c27bea47b6690e0cdd8cf615154f08d7c01b59affd73
SHA1 hash: 50e4bf720d7915cc91019ab9be13139f3fae47a3
MD5 hash: de210ff368c5f737e0e60dc752d7671a
humanhash: gee-lamp-glucose-solar
File name:DE210FF368C5F737E0E60DC752D7671A.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'767'797 bytes
First seen:2021-09-07 16:51:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 196608:it5Og1Tsmsqz1kb1MsSJzInPsJzECAN9LZWQKI:WaK8MzJzInPKEJeQKI
Threatray 415 similar samples on MalwareBazaar
TLSH T14B66333AF6A5013AF1531F3298D6D6729035B7500FACA46EB3EC6ADDD81B1420AF474B
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://178.23.190.242/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://178.23.190.242/ https://threatfox.abuse.ch/ioc/216953/

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackedroot.com/sketchup-pro-2021-crack-plus-license-key-here/
Verdict:
Malicious activity
Analysis date:
2021-09-04 05:20:42 UTC
Tags:
trojan loader rat redline stealer vidar evasion unwanted netsupport raccoon
Link:
https://app.any.run/tasks/0f3b2676-68ec-4d1c-b40e-7c02c1d0c210

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186089/
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Running batch commands
Creating a file in the Windows subdirectories
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Sending a UDP request
Connection attempt to an infection source
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the system32 directory
Sending an HTTP GET request to an infection source
Connecting to a non-recommended domain
Creating a file in the system32 subdirectories
Modifying a system file
Replacing files
Moving a file to the Program Files subdirectory
Enabling the 'hidden' option for files in the %temp% directory
Possible injection to a system process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fed39395-afc8-4a7a-ba22-51d781dad9da
Result
Threat name:
BitCoin Miner Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846813
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected BitCoin Miner
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479244 Sample: fPPE8cHbql.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 76 91.199.212.52 SECTIGOGB United Kingdom 2->76 78 206.81.21.194 DIGITALOCEAN-ASNUS United States 2->78 80 12 other IPs or domains 2->80 110 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->110 112 Multi AV Scanner detection for domain / URL 2->112 114 Antivirus detection for dropped file 2->114 116 13 other signatures 2->116 8 fPPE8cHbql.exe 18 32 2->8         started        signatures3 process4 file5 50 C:\Program Files (x86)\SmartPDF\...\stats.exe, PE32 8->50 dropped 52 C:\Program Files (x86)\SmartPDF\...\lg.exe, PE32 8->52 dropped 54 C:\Program Files (x86)\...\installer.exe, PE32 8->54 dropped 56 8 other files (6 malicious) 8->56 dropped 11 9840432e051a6fa1192594db02b80a4c1fd73456.exe 80 8->11         started        16 chrome.exe 14 435 8->16         started        18 Inlog.exe 8->18         started        20 5 other processes 8->20 process6 dnsIp7 96 178.23.190.242, 49756, 80 LYNERO-ASDK unknown 11->96 98 telete.in 195.201.225.248, 443, 49727 HETZNER-ASDE Germany 11->98 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 11->58 dropped 60 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->60 dropped 62 C:\Users\user\AppData\...\ucrtbase.dll, PE32 11->62 dropped 72 56 other files (none is malicious) 11->72 dropped 118 Tries to steal Mail credentials (via file access) 11->118 120 Tries to harvest and steal browser information (history, passwords, etc) 11->120 100 192.168.2.1 unknown unknown 16->100 102 239.255.255.250 unknown Reserved 16->102 122 Adds a directory exclusion to Windows Defender 16->122 22 chrome.exe 17 16->22         started        64 C:\Users\user\AppData\Local\...\Inlog.tmp, PE32 18->64 dropped 26 Inlog.tmp 18->26         started        104 theonlinesportsgroup.net 20->104 106 remotenetwork.xyz 20->106 108 2 other IPs or domains 20->108 66 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 20->66 dropped 68 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 20->68 dropped 70 C:\Users\user\AppData\...\Windows Updater.exe, PE32 20->70 dropped 74 10 other files (none is malicious) 20->74 dropped 28 VPN.tmp 20->28         started        30 WEATHER Manager.tmp 20->30         started        file8 signatures9 process10 dnsIp11 82 iplis.ru 88.99.66.31, 443, 49734, 49735 HETZNER-ASDE Germany 22->82 84 accounts.google.com 142.250.27.84, 443, 49733 GOOGLEUS United States 22->84 92 6 other IPs or domains 22->92 32 C:\Users\user\AppData\Local\...\Cookies, SQLite 22->32 dropped 94 3 other IPs or domains 26->94 46 4 other files (none is malicious) 26->46 dropped 86 duzlwewk2uk96.cloudfront.net 13.224.89.103, 49754, 49755, 80 AMAZON-02US United States 28->86 34 C:\Users\user\AppData\...\itdownload.dll, PE32 28->34 dropped 36 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 28->36 dropped 38 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 28->38 dropped 40 C:\Users\user\AppData\Local\...\Setup.exe, PE32 28->40 dropped 88 s3.tebi.io 188.40.106.215, 49759, 49760, 80 HETZNER-ASDE Germany 30->88 90 142.251.36.14 GOOGLEUS United States 30->90 42 C:\Users\user\AppData\...\itdownload.dll, PE32 30->42 dropped 44 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 30->44 dropped 48 2 other files (none is malicious) 30->48 dropped file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 00:32:00 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oparrdmtxvbrrkbqznwysgvoowakmhbzntrxxi3hnizbxpj2cn7a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
4569c2ca16175dd869475526af97004f47e2918edb583043b609fceb86b35161
RaccoonStealer
51bf9ff43b1aedfebfcf03c71e5bba10a6704b2cf4503e5bbe680221652cc458
RaccoonStealer
a58198274fe278903f5cc16907437a6198725be5bc248d2b6155cd702caf3ed3
RaccoonStealer
d99ac72301d4d4c55ee0c6e33ad4e4551bac90b71f80515eea1a3dfe426abf23
RaccoonStealer
f2dc381b529cbc75c03ca8bf1886b0ee6b1e2622f8918a27a876c50889e2ae7e
RaccoonStealer
f7873cf1b6200ab714ca6d6ff929fc4192d91a1cfc6d685cc734d8f1decb691d
RaccoonStealer
ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da
RaccoonStealer
+ 405 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:netsupport family:raccoon botnet:208cae76e27fe102019484f9b1e2c6db71cd743e discovery evasion persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/210907-vctrxsdab7/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
NetSupport
Process spawned unexpected child process
Raccoon
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash:
ccf4a60623b784b084855d0468d76eab
SHA1 hash:
9419cc65a1bb70e8780f6da7cedd169eb333db88
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
f670a341d04478b5fe903f80216dfa7629a98fbc58a3f30d9da6b013c2d70306
MD5 hash:
77b0aa53469d5e8d9c786f2a2c37a7f1
SHA1 hash:
8994d3f16f6e58ff80e78d5e25312887d3a7327a
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
e2a652f0d48dd116e6cbfa0a4ee7cd626a188b536767728b95515aa4ed49332d
MD5 hash:
b5ac3301996922db16b590f16c80143f
SHA1 hash:
51147ea003dcc78b47655edf5ab11f7959988aba
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
a246e5f381091e87e66164a61caf24f0e02c86968f20db0b598dbd221ea9b484
MD5 hash:
7064d14d36e2f5965e73b20f1b30946e
SHA1 hash:
28871103d351fa77adf47ec7be9c6de866c8d53f
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
47cc5d4b4ec43fa4626be162644c5d91b31ee633fd6e0dd7aa8567839a83ab87
MD5 hash:
9a6dfb3ec3019dab882459cdb0959819
SHA1 hash:
1cd81499af8596a0425d3dbaba541b9f1f6ea09e
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
e6402a0e291f2ce891698a1fc118d74c0837f272179f7c2f6e9509ce5eae03a3
MD5 hash:
6434a9a321174487767c903778a4c6af
SHA1 hash:
a88d59a69cde6d67b610597ce2920e24f9f0dafb
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
c9ab7aabe34cc486366056debab3391081da13e714f9bfb08ddf4a3325d2f796
MD5 hash:
ada4c154b4e9992967dc60cc7c98404a
SHA1 hash:
f297f146eb720c2e0118520f98b10f6405a4180c
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
c8a1449d9c16c3fb38710348c83a38e834b929ad6929b5815bf79000cd92f9ae
MD5 hash:
c7633919523384bad8b8af2aab837d11
SHA1 hash:
d245db91cec8030f9cde941fffe6dbc84da97b24
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
6937a756f72556261d6d75e224098b8d7e52cf19ccbf9ba4623046a8ae93f03f
MD5 hash:
0dbc8f165535ed543bb7662f7864865e
SHA1 hash:
64e361b57c1fc8c578f7bb249f2b3665ea28846a
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
SH256 hash:
73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e
MD5 hash:
de210ff368c5f737e0e60dc752d7671a
SHA1 hash:
50e4bf720d7915cc91019ab9be13139f3fae47a3
Link:
https://www.unpac.me/results/56f1fee9-763a-4215-8974-8cc67e6d1433/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186089/

Comments