MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 8

SHA256 hash: 82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b
SHA3-384 hash: 1219c9bd0c899a2419eecfbec522b414ec6f6654f226fa3c92c4c044257339d5e6394c8764416744234459027082d35e
SHA1 hash: 80363428f99500ca7da13ad4ff5b07a97627507f
MD5 hash: b719cba1a8c6e43a6f106a57b04962e4
humanhash: three-island-north-washington
File name: b719cba1a8c6e43a6f106a57b04962e4
Download: download sample
Signature: RaccoonStealer
File size: 1'445'404 bytes
First seen: 2021-07-22 06:19:35 UTC
Last seen: 2021-07-22 06:54:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a011f8d93026fd9f5e9442faeeff606d (8 x RedLineStealer, 2 x ModiLoader, 1 x ServHelper)
ssdeep: 24576:R7WlojQhPB1wjR2wgkIvSgO6S9ZuGT0fJ3jddMEe8CdULSMmvuPz6Z:JgqF224S75if9xdJevULSnvgc
Threatray: 257 similar samples on MalwareBazaar
TLSH: T110652346FBD2E9FED0EB26B45D44A9B959B96F380F000D871B851A0FECF62815137A07
dhash icon: 20e4c4c88e8ecccc (1 x RaccoonStealer)
Reporter: zbetcheckin
Tags: 32 exe RaccoonStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://94.228.114.197/
ThreatFox reference: https://threatfox.abuse.ch/ioc/162057/

Intelligence


File Origin
# of uploads: 2
# of downloads: 113
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b719cba1a8c6e43a6f106a57b04962e4
Verdict: Suspicious activity
Analysis date: 2021-07-22 06:22:55 UTC
Tags: autoit

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 84 / 100
Signature:
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (image not available; information recovered from the graph text):
Behavior Graph ID: 452368; Sample: adAQOQu2kz; Start date: 22/07/2021; Architecture: WINDOWS; Score: 84
Sample-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location; Sigma detected: Copying Sensitive Files with Credential Data
Process tree:
  adAQOQu2kz.exe (contains functionality to register a low level keyboard hook)
    cmd.exe (submitted sample is a known malware sample; obfuscated command line found; uses ping.exe to sleep; uses ping.exe to check the status of other devices and networks)
      cmd.exe (obfuscated command line found; uses ping.exe to sleep)
        Bordatino.exe.com (drops PE files with a suspicious file extension)
          Bordatino.exe.com (DNS: ozIyJaJmgOhlA.ozIyJaJmgOhlA; dropped: C:\Users\user\AppData\...\sKzQItwjjc.exe.com, PE32; C:\Users\user\AppData\...\sKzQItwjjc.url, MS)
        PING.EXE (IP: 127.0.0.1)
        findstr.exe (dropped: C:\Users\user\AppData\...\Bordatino.exe.com, Targa)
      conhost.exe
  wscript.exe (creates processes via WMI)
  sKzQItwjjc.exe.com (DNS: ozIyJaJmgOhlA.ozIyJaJmgOhlA)
Threat name: Win32.Trojan.Crypzip
Status: Malicious
First seen: 2021-07-21 19:03:39 UTC
AV detection: 12 of 46 (26.09%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Gathers network information
Modifies system certificate store
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 30804a15a8d5ae952f964dfa07e921b8b39971cb0e123e3eee72b5ec269a3a2b
MD5 hash: 0ed0b118375f8fcb90cdb69809ea9522
SHA1 hash: d3587d6a303532f2ef76f824f3ee32f6fc51396c

SHA256 hash: 0c084b4e76bbc086358e62a60f0bb25e878e34c83f7db9b5509325e9284c238b
MD5 hash: 722665d569645fdcbfc26802b405e4cd
SHA1 hash: 48d50791bb6c5a2dbc08e4aeceeb87e96d6a1736

SHA256 hash: 82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b
MD5 hash: b719cba1a8c6e43a6f106a57b04962e4
SHA1 hash: 80363428f99500ca7da13ad4ff5b07a97627507f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RaccoonStealer
Executable exe 82d440b0f4ab1630e2e2cfe49a04ea383657ef055b33fb86db7aaa8131e2933b (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-07-22 06:19:36 UTC

url : hxxp://136.144.41.201/USA/moet.exe