MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 3 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa
SHA3-384 hash: dbc48f98d89fa28858f0858f55d1284163b6ea9673c9d1166a8dcd23127afffb12a61104d91b92be57a4e267a5e301d2
SHA1 hash: 190ac7ce94a98fd213b9039db05f1f24fa36dceb
MD5 hash: 590f546423761972e4441b07762457c3
humanhash: thirteen-spring-artist-purple
File name:590F546423761972E4441B07762457C3.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:417'792 bytes
First seen:2021-08-13 17:57:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc4caabe2c1a9c923331965c9764375d (3 x Pitou, 2 x RedLineStealer, 2 x GCleaner)
ssdeep 6144:Ka9zHt2qx/TlV+DwMZ0k3cGLdq+cCZ0iRvQMksFiEbXj1/LYQSwfiMcALqTWbg:bHth5iDwMZNccdqwtFfNL8scALqab
Threatray 4'255 similar samples on MalwareBazaar
TLSH T10194BE30A790C035F5B312F845BA937CA92D3EA15B3451CF92E51AEE57346E9AC30787
dhash icon 0ee2d83c6c98f24e (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.77.115.2/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ggc-partners.info/stats/remember.php https://threatfox.abuse.ch/ioc/184297/
http://ggc-partners.info/dlc/distribution.php https://threatfox.abuse.ch/ioc/184298/
http://34.77.115.2/ https://threatfox.abuse.ch/ioc/185163/

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
590F546423761972E4441B07762457C3.exe
Verdict:
No threats detected
Analysis date:
2021-08-13 18:00:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/03506d82-7755-46f7-b0c0-659b493ddbcc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gcleaner
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179066/
Detection(s):
Win.Dropper.Raccoon-9885142-0
Create hunting rule

Win.Dropper.Fragtor-9885200-0
Create hunting rule

Win.Packed.Fragtor-9885389-0
Create hunting rule

Win.Packed.Generic-9885397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02b5f53f-dd74-4206-b102-a3612cb2307c
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832608
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465037 Sample: ASynOS0B6d.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 45 telete.in 2->45 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Found malware configuration 2->57 59 6 other signatures 2->59 8 ASynOS0B6d.exe 19 2->8         started        signatures3 process4 dnsIp5 47 ggc-partners.info 5.101.44.156, 49755, 49762, 80 LLHOSTM247EU Russian Federation 8->47 49 ggc-partners.in 8->49 27 C:\Users\user\AppData\...\89218762661.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\Local\...\null[1], PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\null[1], PE32 8->31 dropped 12 cmd.exe 8->12         started        14 WerFault.exe 9 8->14         started        18 WerFault.exe 9 8->18         started        20 6 other processes 8->20 file6 process7 dnsIp8 22 89218762661.exe 12->22         started        25 conhost.exe 12->25         started        51 192.168.2.1 unknown unknown 14->51 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->33 dropped 35 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->35 dropped 37 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->37 dropped 39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->39 dropped 41 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->41 dropped 43 3 other malicious files 20->43 dropped file9 process10 signatures11 61 Detected unpacking (changes PE section rights) 22->61 63 Detected unpacking (overwrites its own PE header) 22->63 65 Machine Learning detection for dropped file 22->65 67 Contains functionality to steal Internet Explorer form passwords 22->67
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 13:39:43 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfgs5nqdmtqplxoj4vl46prtwz3gn3liqwamcw6ylcrhq4nrqsva._file
Verdict:
unknown
Similar samples:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
RaccoonStealer
322e2172b60d694797e91a98109d97e2b167953bb82f8f0b007b159351f8350e
RaccoonStealer
8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d
RaccoonStealer
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
RaccoonStealer
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
RaccoonStealer
d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702
RaccoonStealer
d9b6ded9a373ec4acf4b426c4ad5fd318b6a3f8077429e9fe5b27bd66d6b5be6
RaccoonStealer
fe5254468c8a6c7a17dc11f3e85b00db1b5b2b3c26919bdefb8d917ce35cb4d5
RaccoonStealer
+ 4'245 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:raccoon family:redline botnet:022f7f19749a47aa4d6a10b25bfd352ecb963373 botnet:mix 14.08 discovery infostealer spyware stealer suricata
Link:
https://tria.ge/reports/210813-185esdvqwj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Raccoon
Raccoon Stealer Payload
RedLine
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M2
suricata: ET MALWARE GCleaner Downloader Activity M3
suricata: ET MALWARE GCleaner Related Downloader User-Agent
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
lysano52.top
morecj05.top
185.215.113.17:18597
Unpacked files
SH256 hash:
bd69fc833aed94efaa8d71ad68a7d1a630fb56ac08a0035417d4ac5d0c1c7a28
MD5 hash:
1837eebd43f1bcec9bc5c8af2519cf9e
SHA1 hash:
f3af3d1070673e8afe1148fcfb4a4404607068d7
Link:
https://www.unpac.me/results/6eea1f9e-0e48-49ad-b77e-5cf1b2509fdf/
SH256 hash:
794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa
MD5 hash:
590f546423761972e4441b07762457c3
SHA1 hash:
190ac7ce94a98fd213b9039db05f1f24fa36dceb
Link:
https://www.unpac.me/results/6eea1f9e-0e48-49ad-b77e-5cf1b2509fdf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/794d2eb60364/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/794d2eb60364e0f5ddc9e557cf3e33b67666ed688580c15bd858a27871b184aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179066/

Comments