MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b
SHA3-384 hash: 1d7602295d48cf7e817eb34a5c0cac786ce5c4b90801379f840e10aea7a39f57c5a29ec5cbf1f126ed5c2a2f53aac03d
SHA1 hash: 49d0242a76f03f8df4e1e9a32bf87977ae752060
MD5 hash: c66fae0f5e7dd0ed0ee19d329d10ddae
humanhash: zulu-stream-oregon-hamper
File name:c66fae0f5e7dd0ed0ee19d329d10ddae.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'302'080 bytes
First seen:2020-07-18 08:54:09 UTC
Last seen:2020-07-18 11:53:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e4f14125466f692963bec87bd1b404f (1 x RaccoonStealer, 1 x Amadey)
ssdeep 12288:yxSm/zjsvUVZY8+yInqvnT9v6+sic5Plkx6jSteAKl6GxgsL/sfW/S/kSp:zqXXaqvp6+uPa6jwrzsFq/N
Threatray 447 similar samples on MalwareBazaar
TLSH 6355F509B8C04F9EE2E6587679A1D3240D9AEE0E5753F50F03A4F6D1B7B3BF15A80285
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.65.10.107/gate/log.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27679/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APV.366.24084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
Amadey Raccoon
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388564
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to steal Internet Explorer form passwords
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadey\'s stealer DLL
Yara detected Keylogger Generic
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246455 Sample: gPxxS2DlIG.exe Startdate: 18/07/2020 Architecture: WINDOWS Score: 100 118 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->118 120 Multi AV Scanner detection for domain / URL 2->120 122 Found malware configuration 2->122 124 9 other signatures 2->124 10 gPxxS2DlIG.exe 97 2->10         started        15 taskeng.exe 1 2->15         started        process3 dnsIp4 100 telete.in 195.201.225.248, 443, 49159, 49186 HETZNER-ASDE Germany 10->100 102 stationery.best 172.67.211.140, 49164, 80 CLOUDFLARENETUS United States 10->102 104 34.65.10.107, 49162, 49163, 49194 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 10->104 80 C:\Users\user\AppData\...\k7T8sM2wGU.exe, PE32 10->80 dropped 82 C:\Users\user\AppData\...\SdWtHpvPdT.exe, PE32 10->82 dropped 84 C:\Users\user\AppData\Local\...\ama[1].exe, PE32 10->84 dropped 86 2 other files (none is malicious) 10->86 dropped 156 Detected unpacking (changes PE section rights) 10->156 158 Detected unpacking (overwrites its own PE header) 10->158 160 Tries to steal Mail credentials (via file access) 10->160 162 Contains functionality to steal Internet Explorer form passwords 10->162 17 k7T8sM2wGU.exe 4 10->17         started        21 SdWtHpvPdT.exe 27 10->21         started        23 cmd.exe 10->23         started        25 bdif.exe 15->25         started        file5 signatures6 process7 file8 62 C:\ProgramData\1321ba6d1f\bdif.exe, PE32 17->62 dropped 126 Detected unpacking (changes PE section rights) 17->126 128 Detected unpacking (overwrites its own PE header) 17->128 130 Creates files in alternative data streams (ADS) 17->130 27 bdif.exe 16 17->27         started        64 C:\Users\user\AppData\...\client32.exe, PE32 21->64 dropped 66 C:\Users\user\AppData\Roaming\...\PCICL32.DLL, PE32 21->66 dropped 68 C:\Users\user\AppData\...\remcmdstub.exe, PE32 21->68 dropped 70 6 other files (none is malicious) 21->70 dropped 32 client32.exe 15 21->32         started        132 Deletes itself after installation 23->132 34 timeout.exe 23->34         started        signatures9 process10 dnsIp11 106 217.8.117.52, 49165, 49168, 49169 CREXFEXPEX-RUSSIARU Russian Federation 27->106 108 stationery.best 27->108 110 104.27.132.53, 49173, 80 CLOUDFLARENETUS United States 27->110 88 C:\Users\user\AppData\Local\Temp\cred.dll, PE32 27->88 dropped 90 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 27->90 dropped 92 C:\ProgramData\1321ba6d1f\wusa.exe, PE32 27->92 dropped 94 4 other files (none is malicious) 27->94 dropped 164 Multi AV Scanner detection for dropped file 27->164 166 Detected unpacking (changes PE section rights) 27->166 168 Detected unpacking (overwrites its own PE header) 27->168 170 Uses cmd line tools excessively to alter registry or file data 27->170 36 wusa.exe 27->36         started        41 rundll32.exe 27->41         started        43 ldr.exe 27->43         started        45 5 other processes 27->45 112 Ysanhumeg1.com 62.173.138.41, 2071, 49167 SPACENET-ASInternetServiceProviderRU Russian Federation 32->112 114 geography.netsupportsoftware.com 195.171.92.116, 49166, 80 BT-UK-ASBTnetUKRegionalnetworkGB United Kingdom 32->114 116 geo.netsupportsoftware.com 32->116 172 Contains functionalty to change the wallpaper 32->172 174 Delayed program exit found 32->174 176 Contains functionality to detect sleep reduction / modifications 32->176 file12 signatures13 process14 dnsIp15 96 telete.in 36->96 72 C:\Users\user\AppData\...\wSslEIj29Q.exe, PE32 36->72 dropped 74 C:\Users\user\AppData\...\machineinfo.txt, ASCII 36->74 dropped 76 C:\Users\user\AppData\...\ozalphJBJt.exe, PE32 36->76 dropped 78 59 other files (none is malicious) 36->78 dropped 134 Multi AV Scanner detection for dropped file 36->134 136 Detected unpacking (changes PE section rights) 36->136 138 Detected unpacking (overwrites its own PE header) 36->138 140 Tries to harvest and steal browser information (history, passwords, etc) 36->140 47 wSslEIj29Q.exe 36->47         started        50 ozalphJBJt.exe 36->50         started        52 cmd.exe 36->52         started        98 192.168.2.2, 2071, 443, 49159 unknown unknown 41->98 142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->142 144 Tries to steal Instant Messenger accounts or passwords 41->144 146 Tries to steal Mail credentials (via file access) 41->146 148 Tries to harvest and steal ftp login credentials 41->148 54 client32.exe 43->54         started        150 System process connects to network (likely due to code injection or exploit) 45->150 152 Creates an undocumented autostart registry key 45->152 154 Creates multiple autostart registry keys 45->154 56 schtasks.exe 45->56         started        file16 signatures17 process18 signatures19 178 Detected unpacking (changes PE section rights) 47->178 180 Detected unpacking (overwrites its own PE header) 47->180 58 client32.exe 50->58         started        60 timeout.exe 52->60         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-18 08:56:07 UTC
AV detection:
37 of 48 (77.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q36d4wctpleqgnlim3pahx2wxkv2ngzgih4q3iudkyfar7dapbvq._file
Verdict:
malicious
Similar samples:
45c6b831ec78d08c7d56bf15c39a52ee8fdb027c8d18c0136c42a5edb5b79318
RaccoonStealer
503311813dc1f9a073a98f1ced16614b35d5dfeb01667d716ccf21892a5e060d
RaccoonStealer
68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345
RaccoonStealer
7854ae1001f4d622470b340baef2c1c775f17c16185c1009edc87c33ff03cfc8
RaccoonStealer
89f500dbe860086de0c24dee8e0007194813bf98860de6d5cb32d17b528c8c2f
RaccoonStealer
991e57f51de81c5f2dd536ad9e5e5caf867103277042be27647bf2210bfcc789
RaccoonStealer
a20a42d2cf9ea181e993049d66dcbbaba6c1ea178fa268e4977c654499984a03
RaccoonStealer
b929a2d2be1f50e60c681f02caf9d8f9a259412e0950e1413be26102c616ec7d
RaccoonStealer
cb506273e06bdf86fc982d0856e21042aca6208abd36584bf15c82cede8dedca
RaccoonStealer
fe271b4266e4d1da6cd411a99f35ef14bba6e93354d43f4b790008d9222e0ba7
RaccoonStealer
+ 437 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware discovery persistence stealer family:raccoon
Link:
https://tria.ge/reports/200718-jqq82mders/
Behaviour
Modifies system certificate store
NTFS ADS
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Adds Run key to start application
JavaScript code in executable
Checks installed software on the system
Reads user/profile data of local email clients
Loads dropped DLL
Deletes itself
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Blacklisted process makes network request
Raccoon log file
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_amadey_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_raccoon_a0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/27679/
  
URLhaus
https://urlhaus.abuse.ch/url/414730/
  
Delivery method
Distributed via web download

Comments