MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 7

SHA256 hash: 7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548
SHA3-384 hash: 96aa84eb98505b6e0e8812c49794b1fa1d5ad98958ab5465f41d4f33e35dd0b802919947c2eed7171062bb08014eda1b
SHA1 hash: 5785ff4f078301cb45e9a4b1961868b45c665dbe
MD5 hash: 16ee11bae5a0406170b5837c72cd871d
humanhash: green-stairway-kentucky-winner
File name: 16EE11BAE5A0406170B5837C72CD871D.exe
Signature: RaccoonStealer
File size: 1'682'919 bytes
First seen: 2021-06-02 17:36:20 UTC
Last seen: 2021-06-02 18:50:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 24576:N4nXubIQGyxbPV0db26MbqKnZo+vogz2dbFFv0S6dS/01icZOEOR5QvfG:Nqe3f6Q5O+DidXvh6dS/04OOR5QvfG
Threatray: 9 similar samples on MalwareBazaar
TLSH: DE75CF3FB268A53EC4AE0B3245B39360997BBA61B81B8C1F47F0490DCF664711E3B655
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://104.155.99.141/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
http://104.155.99.141/   https://threatfox.abuse.ch/ioc/69470/

Intelligence


File Origin
# of uploads: 2
# of downloads: 203
Origin country: n/a

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: 16EE11BAE5A0406170B5837C72CD871D.exe
Verdict: No threats detected
Analysis date: 2021-06-02 17:41:55 UTC
Tags: installer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
    Creating a file in the %temp% subdirectories
    Creating a window
    Creating a process from a recently created file
    Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: troj.spyw.evad
Score: 36 / 100
Signature:
    Antivirus detection for URL or domain
    Contains functionality to detect sleep reduction / modifications
    Multi AV Scanner detection for submitted file
    Opens network shares
    Performs DNS queries to domains with low reputation
    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Behaviour
Behavior Graph:
Behavior Graph ID: 428521
Sample: hSRQS7iIWi.exe
Start date: 02/06/2021
Architecture: WINDOWS
Score: 36

Signatures on the sample:
    Antivirus detection for URL or domain
    Multi AV Scanner detection for submitted file
    Contains functionality to detect sleep reduction / modifications

Process tree (dropped files, network contacts and signatures listed under the process that produced them):

hSRQS7iIWi.exe (started by the sample)
    Dropped: C:\Users\user\AppData\...\hSRQS7iIWi.tmp, PE32
    Started: hSRQS7iIWi.tmp
        Network: st.priceyam.xyz 172.67.195.252, 49800, 80 CLOUDFLARENETUS United States
        Network: www.findmemolite.com 46.101.214.246, 49727, 80 DIGITALOCEAN-ASNUS Netherlands
        Network: 4 other IPs or domains
        Dropped: C:\Users\user\AppData\Local\...\setup_3.exe, PE32
        Dropped: C:\Users\user\AppData\Local\...\setup_2.exe, PE32
        Dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32
        Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        Signature: Performs DNS queries to domains with low reputation
        Started: setup_2.exe
            Network: 54.226.29.2, 443, 49799 AMAZON-AESUS United States
            Network: 192.168.2.1 unknown unknown
            Network: collect.installeranalytics.com
            Dropped: C:\Users\user\AppData\Roaming\...\decoder.dll, PE32
            Dropped: C:\Users\user\AppData\...\Windows Updater.exe, PE32
            Dropped: C:\Users\user\...\AdvancedWindowsManager.exe, PE32+
            Dropped: 4 other files (none is malicious)
            Started: msiexec.exe
        Started: setup_3.exe
            Dropped: C:\Users\user\AppData\Roaming\...\decoder.dll, PE32
            Dropped: C:\Users\user\AppData\Local\Temp\shi8E.tmp, PE32+
            Dropped: C:\Users\user\AppData\Local\Temp\MSI66D.tmp, PE32
            Dropped: 2 other files (none is malicious)
            Started: msiexec.exe

msiexec.exe (started by the sample)
    Dropped: C:\Users\user\AppData\Local\...\shi2680.tmp, PE32
    Dropped: C:\Users\user\AppData\Local\...\shi25B4.tmp, PE32
    Signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    Signature: Opens network shares

msiexec.exe (started by the sample)
    Network: pstbbk.com 157.230.96.32, 49734, 80 DIGITALOCEAN-ASNUS United States
    Network: collect.installeranalytics.com 52.23.109.145, 443, 49735, 49736 AMAZON-AESUS United States
    Dropped: C:\Users\user\AppData\Local\...\shi40BE.tmp, PE32
    Dropped: C:\Users\user\AppData\Local\...\shi4031.tmp, PE32
    Started: taskkill.exe
        Started: conhost.exe

10 other processes (started by the sample)
    Network: 110.t.keepitpumpin.io 163.172.204.15, 49744, 8080 OnlineSASFR United Kingdom
    Network: 111.t.keepitpumpin.io 212.83.141.61, 49750, 8080 OnlineSASFR France
    Network: 13 other IPs or domains
    Dropped: C:\Users\...\Weather_Installation.exe.part, PE32
    Started: conhost.exe
    Started: conhost.exe
    Started: conhost.exe
    Started: 3 other processes
Result
Threat name: Win32.Infostealer.ChePro
Status: Malicious
First seen: 2021-06-01 01:51:38 UTC
AV detection: 8 of 29 (27.59%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of WriteProcessMemory
    Loads dropped DLL
    Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments