MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d0839a6710bb4300081bc7502826a403c693a90349c2af945ab464c372a8184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12


SHA256 hash: 8d0839a6710bb4300081bc7502826a403c693a90349c2af945ab464c372a8184
SHA3-384 hash: 3b9242602c7df467ba1a4466b1537196f9a805d3d7f67cd87dde30741484b2060685e2c5ceabb1ae9b4a2f1a87e36594
SHA1 hash: 234a58e3b65de210445662e741e516b8bffbb8bb
MD5 hash: 9d74f779a30f3072787c58659d101fc3
humanhash: two-twelve-mars-yankee
File name: 9D74F779A30F3072787C58659D101FC3.exe
Signature: RaccoonStealer
File size: 1'186'816 bytes
First seen: 2021-08-15 17:51:15 UTC
Last seen: 2021-08-15 18:58:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:lHN22uVc9SBhm1Pm4hX1I0erPRcioCg13E9/P2:lHN2hVBhm1rherZoCghA/P
Threatray: 2'056 similar samples on MalwareBazaar
TLSH: T1A645124273988754DA8464B2E1EB843903F0EC97AB72F7463F99777916703269D0A38F
dhash icon: b2e0b496a6cada72 (3 x LummaStealer, 2 x Adware.InstallUnion, 1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://185.163.45.248/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://185.163.45.248/ | https://threatfox.abuse.ch/ioc/188584/

Intelligence


File Origin
# of uploads: 2
# of downloads: 178
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9D74F779A30F3072787C58659D101FC3.exe
Verdict: Malicious activity
Analysis date: 2021-08-15 18:04:09 UTC
Tags: trojan stealer raccoon loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Clipboard Hijacker Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID: 465615, Sample: TBpSTFuVmN.exe, Startdate: 15/08/2021, Architecture: WINDOWS, Score: 100)

Network (root):
  sanctam.net 185.65.135.248, ports 49743, 49744, 58899 (ESAB-AS SE, Sweden)
  bitbucket.org 104.192.141.1, ports 443, 49745, 49746 (AMAZON-02 US, United States)
  www.google.com
Signatures (root): Multi AV Scanner detection for submitted file; Yara detected Clipboard Hijacker; Yara detected AntiVM3; 8 other signatures

Process tree:
  TBpSTFuVmN.exe (started)
    Dropped: C:\Users\user\AppData\...\TBpSTFuVmN.exe.log (ASCII)
    Signature: Injects a PE file into a foreign processes
    TBpSTFuVmN.exe (child, started)
      Network: 45.153.230.19, ports 49727, 80 (TEAM-HOST AS RU, Russian Federation); telete.in 195.201.225.248, ports 443, 49726 (HETZNER-AS DE, Germany); cdn.discordapp.com 162.159.135.233, ports 443, 49731 (CLOUDFLARENET US, United States)
      Dropped: C:\Users\user\AppData\...\mxkuBrtRzp.exe (PE32+); C:\Users\user\AppData\...\KDqHrYtXvL.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 58 other files (none is malicious)
      Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
      mxkuBrtRzp.exe (started)
        Dropped: C:\Users\user\AppData\Roaming\spoolsv.exe (PE32+)
        Signature: Drops PE files with benign system names
        cmd.exe (started)
          Signature: Uses schtasks.exe or at.exe to add and modify task schedules
          conhost.exe (started)
          schtasks.exe (started)
      KDqHrYtXvL.exe (started)
        Network: www.google.com 216.58.215.228, ports 443, 49737, 49740 (GOOGLE US, United States); 192.168.2.1 (unknown)
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
      cmd.exe (started)
        conhost.exe (started)
        timeout.exe (started)
  spoolsv.exe (started)
    Network: sanctam.net; bitbucket.org
Threat name: Win32.Infostealer.Racealer
Status: Malicious
First seen: 2021-08-11 23:08:32 UTC
AV detection: 17 of 46 (36.96%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:95ddd68c501dee5af06b5d38a630c8c5e02817b3 agilenet discovery spyware stealer
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Raccoon Stealer Payload
Unpacked files
SHA256 hash: c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash: 0327d1374a5ce015ad9c83c5de76e823
SHA1 hash: e521349d9e96a4191248747c42c78b6f88fc8f63

SHA256 hash: 7a611935446b969c280563c22bd1ea8291339c639054471632a8acb4cd44732f
MD5 hash: cbd6166032afe9782e6a3aabeca87ecb
SHA1 hash: c6a84a47c4d4b8bf0fc85c8c0ebc8336bf378a80
Detections: win_raccoon_auto

SHA256 hash: 29975247ea25c244fda098e82e88b9fe2a79379247645df6656469148dc49747
MD5 hash: b60d218dea33a0c13d145a8603038ca5
SHA1 hash: 89cfd4d323b41e60cc769f28a685cee6b4c8061c

SHA256 hash: 796a8051ef00bdb096d74b2de9d1f61767e4fe12e9dbe435033304db77b26c9f
MD5 hash: 7170bec60e1bf3648a963ec28da22cc3
SHA1 hash: 75198cb35a62c340f18c3e38982b8fbc083b1852

SHA256 hash: 8d0839a6710bb4300081bc7502826a403c693a90349c2af945ab464c372a8184
MD5 hash: 9d74f779a30f3072787c58659d101fc3
SHA1 hash: 234a58e3b65de210445662e741e516b8bffbb8bb

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is later than the local current time.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer.

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments