MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

SHA256 hash: 75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c
SHA3-384 hash: c4ac91b4a016b18af55b2d9ae415428ff3287d50a979d5e69f3f2a17003924b0a18b36ff2c63624f7b9fdf0129b41477
SHA1 hash: 3cfaf4f2bc92c52bafd9ff46d9950b8128dd9006
MD5 hash: 705e3e540053591142af5a8f4bac8c09
humanhash: item-blossom-utah-seven
File name: 705e3e540053591142af5a8f4bac8c09.exe
Signature: RaccoonStealer
File size: 898'560 bytes
First seen: 2021-05-07 12:12:28 UTC
Last seen: 2021-05-07 13:03:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fafec3728fea7e7bd44424f344c75130 (1 x RaccoonStealer)
ssdeep: 24576:TnbQ/EEUzoxpV5tJXzMuHZ0FQ5NmPyY52hT:TWEfzUpV5nDMuq1PuT
Threatray: 91 similar samples on MalwareBazaar
TLSH: 0615F121BBA0C432E6B712F549BB867DA0287DA1572460CB53E46BEE46347E4BC31F47
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence

File Origin
# of uploads: 3
# of downloads: 122
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Sending an HTTP GET request
Creating a process from a recently created file
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Yara detected Djvu Ransomware
Behaviour
Behavior Graph (image not available; details recovered from the graph text): ID 408805, sample jS00M196gM.exe, start date 09/05/2021, architecture WINDOWS, score 100.
Recovered graph nodes: four jS00M196gM.exe process starts, each spawning further jS00M196gM.exe instances (with "Injects a PE file into a foreign processes" flagged on the child chains) and one icacls.exe; network: api.2ip.ua (77.123.139.190, port 443, VOLIA-ASUA, Ukraine), jfus.top, 192.168.2.1; dropped files: C:\Users\...\jS00M196gM.exe:Zone.Identifier (ASCII), C:\Users\...\Built-In Building Blocks.dotx, C:\Users\user\AppData\Local\...\spartan.edb, an .ico file under C:\Users\user\AppData (path garbled in extraction), plus 187 other files (178 malicious); "Modifies existing user documents (likely ransomware behavior)" is attached to the final process node.

Threat name: Win32.Trojan.MintTitirez
Status: Malicious
First seen: 2021-05-07 12:13:13 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:1d76a465540f6a904ac9f1310fe3a3824b5b4549 discovery evasion persistence stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Deletes Windows Defender Definitions
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 9b3dc949d6d3cce7f9dd94b51ba8d822ee345d0df2f90f8a6618684824e2b95b
MD5 hash: a6fe56089c98ee5373b4cf22d4b16d74
SHA1 hash: 120c33917ab39703c4ada6789748c8eed157c164
Detections: win_stop_auto

Parent samples:
SHA256 hash: 75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c
MD5 hash: 705e3e540053591142af5a8f4bac8c09
SHA1 hash: 3cfaf4f2bc92c52bafd9ff46d9950b8128dd9006
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_STOP
Author: ditekSHen
Description: Detects STOP ransomware

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type: Executable exe
SHA256 hash: 75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c (this sample)

Delivery method
Distributed via web download

Comments