MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 819e5d9898ec33babab2fe49e72681fd6b389951fddce04b7ebf636155596997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 819e5d9898ec33babab2fe49e72681fd6b389951fddce04b7ebf636155596997
SHA3-384 hash: 642b1c18a2cbe540deece6db350800c7bff1035a8ec0df69a9827290099db982a4b2a42950a3ddbc5250c75d8e9a3fa7
SHA1 hash: cbe88f6f1df5f505e683a628cb59325e005ef3e6
MD5 hash: 16fb693824cbe17d8db70f90e83fc22a
humanhash: coffee-alanine-bakerloo-delaware
File name:16FB693824CBE17D8DB70F90E83FC22A.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'102'848 bytes
First seen:2021-08-19 22:16:15 UTC
Last seen:2021-08-19 22:51:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:7/HRdF8+zXzOMnBT92eRcF8Td733q/JkYepju6I2cJfBj3z2Kjy:jH/F8+XVfRI8Tdz6/dyjluF
Threatray 605 similar samples on MalwareBazaar
TLSH T17935121AB3A4EF42C76524B6C1E7D52803BBD5432673E7473AC802E60E477F95C4678A
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.35/ https://threatfox.abuse.ch/ioc/192382/

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16FB693824CBE17D8DB70F90E83FC22A.exe
Verdict:
Malicious activity
Analysis date:
2021-08-19 22:18:27 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/88bac4ea-9865-4545-b868-7edd324ebae1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180802/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37419301.21068.13932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Connection attempt to an infection source
Deleting a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e141eef0-97d6-49a6-8ed7-f9c5eaf95bd6
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836088
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468519 Sample: 8T2bbP1rLq.exe Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 76 Antivirus / Scanner detection for submitted sample 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Yara detected Clipboard Hijacker 2->80 82 6 other signatures 2->82 10 8T2bbP1rLq.exe 3 2->10         started        process3 file4 52 C:\Users\user\AppData\...\8T2bbP1rLq.exe.log, ASCII 10->52 dropped 90 Injects a PE file into a foreign processes 10->90 14 8T2bbP1rLq.exe 85 10->14         started        signatures5 process6 dnsIp7 66 45.140.147.35, 49701, 80 SYNLINQsynlinqdeDE United Kingdom 14->66 68 telete.in 195.201.225.248, 443, 49695 HETZNER-ASDE Germany 14->68 70 aun3xk189.fun 37.140.192.110, 443, 49702 AS-REGRU Russian Federation 14->70 54 C:\Users\user\AppData\...\ktTblbIBgq.exe, PE32 14->54 dropped 56 C:\Users\user\AppData\...\gYUxI94KRu.exe, PE32 14->56 dropped 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 14->58 dropped 60 58 other files (none is malicious) 14->60 dropped 72 Tries to steal Mail credentials (via file access) 14->72 74 Tries to harvest and steal browser information (history, passwords, etc) 14->74 19 ktTblbIBgq.exe 7 14->19         started        23 gYUxI94KRu.exe 15 3 14->23         started        26 cmd.exe 1 14->26         started        file8 signatures9 process10 dnsIp11 50 C:\Users\user\AppData\...\AppVSmhNotify.exe, PE32+ 19->50 dropped 84 Contains functionality to register a low level keyboard hook 19->84 28 cmd.exe 19->28         started        31 AppVSmhNotify.exe 19->31         started        64 www.google.com 142.250.185.196, 443, 49703 GOOGLEUS United States 23->64 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->86 88 Injects a PE file into a foreign processes 23->88 34 gYUxI94KRu.exe 23->34         started        36 conhost.exe 26->36         started        38 timeout.exe 1 26->38         started        file12 signatures13 process14 file15 92 Uses schtasks.exe or at.exe to add and modify task schedules 28->92 40 conhost.exe 28->40         started        62 C:\Users\user\AppData\...\AudUService64.exe, PE32+ 31->62 dropped 42 cmd.exe 31->42         started        44 WerFault.exe 34->44         started        signatures16 process17 process18 46 conhost.exe 42->46         started        48 schtasks.exe 42->48         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/819e5d9898ec33babab2fe49e72681fd6b389951fddce04b7ebf636155596997/
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 22:03:59 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qgpf3gey5qz3vovs7ze6ojub7vvtrgkr7xooas36x5rwcvkznglq._file
Verdict:
malicious
Similar samples:
0ddd995a4e7c7322e3552bdaa5df41a6a8e4db14054f0a4a410231092ac3c6de
RaccoonStealer
2b49d6c607ec59ab95f8473169f8673b7d6772252092e1ce2ecb9b63d2255b96
RaccoonStealer
2dfdc495160b8492466dfe6108702ea44b5a7ff1b8d439d6a6dc9af9359a0838
RaccoonStealer
3cc3678682dc887a9f5e168717967fc266e266a5fd5dfe10e210d26b7246e5c4
RaccoonStealer
455c9a38ec39915d187e3d1093eb3456798f01ffd9f925b2e15e10beced936f0
RaccoonStealer
561b3cf57b33e115cabbb36756579d7fb15ae90656b826cbd286673b2eaef227
RaccoonStealer
57430cbbfebdef7c54698b00102dbd2098aef53ba4bd5fa43660c2e306f53482
RaccoonStealer
8d0839a6710bb4300081bc7502826a403c693a90349c2af945ab464c372a8184
RaccoonStealer
d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683
RaccoonStealer
debc1a729e69d48bab2082aab44d8aae428066d42379838464dadecba5066852
RaccoonStealer
+ 595 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:4bef66f8138585a66c6d2f5396aaccdae864cd1e agilenet discovery spyware stealer
Link:
https://tria.ge/reports/210819-zp8fjdcagn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
6e164f66bf9c89e304b067c6b133251c5e4ff00bb49fa8ffcf17692e65dee95a
MD5 hash:
7753d5e70fe43d3549d8bc43bf02f0b6
SHA1 hash:
d1f09dd0c50e192929d127379b58563be7779498
Link:
https://www.unpac.me/results/5a7df9d5-5ab8-472b-8c7b-940735e0ce10/
SH256 hash:
9e7158e9250cc8bce475b5b9572910bbf6248cff7a8b8c0aee4d185a6b5a6d22
MD5 hash:
56f6dedd63785af34cca276e122d4ba3
SHA1 hash:
890d49e1ac2e26c51c024fbd95ba4b0db3d36929
Link:
https://www.unpac.me/results/5a7df9d5-5ab8-472b-8c7b-940735e0ce10/
SH256 hash:
33ac6b8012ce739e72022086b5d39b7fc030c20fa72988f76957685509d5c041
MD5 hash:
83f8ae95a7e6f016f6b00482588086e6
SHA1 hash:
70392939d6d60a913b51084ec1d98eaae8ca4868
Link:
https://www.unpac.me/results/5a7df9d5-5ab8-472b-8c7b-940735e0ce10/
SH256 hash:
49e68184229f6fed7e3cfcaf23223e80cfcc22f5719b2037b78c1a64e199b424
MD5 hash:
76732f92b1fd74ca4798584f04ce0f9d
SHA1 hash:
59c3fed7c652799d38cb6eaf7cfdd6e561690ffe
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a7df9d5-5ab8-472b-8c7b-940735e0ce10/
SH256 hash:
819e5d9898ec33babab2fe49e72681fd6b389951fddce04b7ebf636155596997
MD5 hash:
16fb693824cbe17d8db70f90e83fc22a
SHA1 hash:
cbe88f6f1df5f505e683a628cb59325e005ef3e6
Link:
https://www.unpac.me/results/5a7df9d5-5ab8-472b-8c7b-940735e0ce10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/819e5d9898ec33babab2fe49e72681fd6b389951fddce04b7ebf636155596997

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180802/

Comments