MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6
SHA3-384 hash: 7c67d0160e2184f60b143e95d9d3777eb9ba156a3c4da9eabadb4c90468d4fcc65994b9ae7d728394d7b5a8545138e23
SHA1 hash: f813c4b15688d02a467155148c95b75e85aa449f
MD5 hash: 4f9a9b1b7da87ecd06db9996d7d4acfe
humanhash: table-alpha-lamp-victor
File name:AdGuard.v7.7.3715.0.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:25'326'080 bytes
First seen:2021-10-16 14:41:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 393216:3spvgNx6jckByvGeTE0xwtL32JZSlkjWRtuK9JlLir2DrdGPpViRzieLbrK:gvSxBxamXSlll9JZ+0rdyiRzdL
Threatray 7'658 similar samples on MalwareBazaar
TLSH T1B74733113B9B4225C261FF3666D9EE146D77EC3CF467B4BA1F832A2DD4E04225109EE2
File icon (PE):PE icon
dhash icon 70f0c6e8d0e071b2 (1 x RaccoonStealer)
Reporter JaffaCakes118
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AdGuard.v7.7.3715.0.exe
Verdict:
No threats detected
Analysis date:
2021-10-16 14:43:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d46aab2a-3364-4a39-83fc-99300d4d591d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Backdoor.tc.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit greyware hacktool keylogger nymeria packed racealer razy virus
Link:
https://www.filescan.io/uploads/616ae4bedb358dd15ebd410b/reports/d5ddddb6-aa47-4ae2-a0bb-ef76f9b86c63/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871584
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
DLL side loading technique detected
Downloads files with wrong headers with respect to MIME Content-Type
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bypass UAC via Fodhelper.exe
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 504008 Sample: AdGuard.v7.7.3715.0.exe Startdate: 16/10/2021 Architecture: WINDOWS Score: 100 95 local.adguard.org 2->95 97 filters.adtidy.org 2->97 99 2 other IPs or domains 2->99 115 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->115 117 Multi AV Scanner detection for domain / URL 2->117 119 Antivirus detection for dropped file 2->119 121 9 other signatures 2->121 10 AdGuard.v7.7.3715.0.exe 5 2->10         started        13 msiexec.exe 104 156 2->13         started        15 fodhelper.exe 2->15         started        18 9 other processes 2->18 signatures3 process4 file5 69 C:\...\AdGuard.v7.7.3715.0.Svc_1FxSY.exe, PE32 10->69 dropped 71 C:\Users\user\AppData\Local\...\autEDCB.tmp, PE32 10->71 dropped 73 C:\Users\user\AppData\Local\...\autE7BF.tmp, PE32 10->73 dropped 75 C:\...\AdGuard.v7.7.3715.0_p8828.exe, PE32 10->75 dropped 20 AdGuard.v7.7.3715.0.Svc_1FxSY.exe 84 10->20         started        25 AdGuard.v7.7.3715.0_p8828.exe 3 109 10->25         started        77 C:\...\AdGuardTrialReset.exe, PE32 13->77 dropped 79 C:\Windows\Installer\...79ewIcon1.exe, PE32 13->79 dropped 81 C:\Windows\Installer\...81ewIcon.exe, PE32 13->81 dropped 83 91 other files (none is malicious) 13->83 dropped 27 msiexec.exe 13->27         started        131 Query firmware table information (likely to detect VMs) 15->131 133 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->133 135 Hides threads from debuggers 15->135 137 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->137 139 Changes security center settings (notifications, updates, antivirus, firewall) 18->139 141 DLL side loading technique detected 18->141 29 MpCmdRun.exe 18->29         started        signatures6 process7 dnsIp8 101 5.181.156.229, 49758, 80 MIVOCLOUDMD Moldova Republic of 20->101 103 5.181.156.175, 49766, 80 MIVOCLOUDMD Moldova Republic of 20->103 105 4 other IPs or domains 20->105 53 C:\Users\user\AppData\...\H77NN1vlnf.exe, PE32 20->53 dropped 55 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 20->55 dropped 57 C:\Users\user\AppData\...\vcruntime140.dll, PE32 20->57 dropped 65 57 other files (none is malicious) 20->65 dropped 123 Query firmware table information (likely to detect VMs) 20->123 125 Tries to steal Mail credentials (via file access) 20->125 127 Tries to harvest and steal browser information (history, passwords, etc) 20->127 129 2 other signatures 20->129 31 H77NN1vlnf.exe 20->31         started        35 cmd.exe 20->35         started        59 C:\ProgramData\Package Cache\...\sqlite3.dll, PE32 25->59 dropped 61 C:\ProgramData\Package Cache\...\softokn3.dll, PE32 25->61 dropped 63 C:\ProgramData\Package Cache\...\smime3.dll, PE32 25->63 dropped 67 81 other files (none is malicious) 25->67 dropped 37 msiexec.exe 5 25->37         started        39 rundll32.exe 27->39         started        41 rundll32.exe 27->41         started        43 conhost.exe 29->43         started        file9 signatures10 process11 file12 85 C:\Users\user\AppData\...\fodhelper.exe, PE32 31->85 dropped 107 Query firmware table information (likely to detect VMs) 31->107 109 Uses schtasks.exe or at.exe to add and modify task schedules 31->109 111 Hides threads from debuggers 31->111 113 Tries to detect sandboxes / dynamic malware analysis system (registry check) 31->113 45 schtasks.exe 31->45         started        47 conhost.exe 35->47         started        49 timeout.exe 35->49         started        87 Microsoft.Deployme...indowsInstaller.dll, PE32 39->87 dropped 89 C:\Windows\...\Adguard.CustomActions.dll, PE32 39->89 dropped 91 Microsoft.Deployme...indowsInstaller.dll, PE32 41->91 dropped 93 C:\Windows\...\Adguard.CustomActions.dll, PE32 41->93 dropped signatures13 process14 process15 51 conhost.exe 45->51         started       
Gathering data
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 14:42:09 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0
RaccoonStealer
88ceee260ee9b4baa66e0aeb88821c2edbfebdb3f946cb8e1d3c4850ab0a0365
RaccoonStealer
b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2
RaccoonStealer
b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1
RaccoonStealer
c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4
RaccoonStealer
e9714695528eb1f8786fe8a7250f952f23b3205a4e2a60073668717eb2f5dc2b
RaccoonStealer
f3037e5e047b6bfbfb11c453d1d836217e8c7ec606eacce69dfe31bf8b260821
RaccoonStealer
f8efe3e66289ce15fd9b0f85a3e0d90660cae9f12385f69e81cfb6f2e3ece3c7
RaccoonStealer
+ 7'648 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion macro themida trojan xlm
Link:
https://tria.ge/reports/211016-r211rachaq/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Suspicious Office macro
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6

(this sample)

  
Delivery method
Distributed via web download

Comments