MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91612c1717b0ab29feab36e67851807692e3ddcf6c34931be5ed4cdcb2471a9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91612c1717b0ab29feab36e67851807692e3ddcf6c34931be5ed4cdcb2471a9b
SHA3-384 hash: c6596172b9da7bf382289d71a62579927cb5be7a84d48529d9c5637567816385e5cbcedae080bda3fd08a37f8e2668fd
SHA1 hash: b6d8f64426a92a3dd9064dcbdab6d694a382df9b
MD5 hash: 5202d7fba99f2ff44933cc498f702e3b
humanhash: video-harry-princess-vermont
File name:5202d7fba99f2ff44933cc498f702e3b.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:561'664 bytes
First seen:2021-07-08 13:05:53 UTC
Last seen:2021-07-08 13:48:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:pIPlQA/CdgNgNgA4PiiwgPxQvq0j+kOG8JPdJcQKBiZ2LvmE+:CPeA/CaNugHZxt0TE1qQKBsE
Threatray 1'088 similar samples on MalwareBazaar
TLSH T153C42332272AD4D9FAD545374EC7944442F0FFBA6862F39E58C81E9C2E337A5E64D202
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.89.184.90/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://34.89.184.90/ https://threatfox.abuse.ch/ioc/158448/

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5202d7fba99f2ff44933cc498f702e3b.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 13:08:04 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/3a43cb78-a083-4ff6-80aa-63a16d25e90f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170445/
Detection(s):
SecuriteInfo.com.Variant.Bulz.552667.13247.18988.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c11eb45-7c55-42ac-8da2-ecd5392aa7bc
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813489
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell dedcode and execute
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445900 Sample: atZhandwbP.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 86 Found malware configuration 2->86 88 Antivirus detection for URL or domain 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 9 other signatures 2->92 11 atZhandwbP.exe 5 2->11         started        process3 file4 68 C:\Users\user\AppData\...\atZhandwbP.exe, PE32 11->68 dropped 70 C:\Users\...\atZhandwbP.exe:Zone.Identifier, ASCII 11->70 dropped 72 C:\Users\user\AppData\...\atZhandwbP.exe.log, ASCII 11->72 dropped 102 Writes to foreign memory regions 11->102 104 Injects a PE file into a foreign processes 11->104 15 atZhandwbP.exe 82 11->15         started        20 atZhandwbP.exe 11->20         started        22 atZhandwbP.exe 11->22         started        signatures5 process6 dnsIp7 74 tttttt.me 95.216.186.40, 443, 49748 HETZNER-ASDE Germany 15->74 76 tulgerosp.us 192.64.117.221, 443, 49753, 49754 NAMECHEAP-NETUS United States 15->76 78 34.89.184.90, 49749, 80 GOOGLEUS United States 15->78 56 C:\Users\user\AppData\...behaviorgraphCIn50QE9v.exe, PE32+ 15->56 dropped 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 15->58 dropped 60 C:\Users\user\AppData\...\vcruntime140.dll, PE32 15->60 dropped 62 57 other files (none is malicious) 15->62 dropped 80 Tries to steal Mail credentials (via file access) 15->80 82 Tries to harvest and steal browser information (history, passwords, etc) 15->82 24 GCIn50QE9v.exe 3 15->24         started        27 cmd.exe 1 15->27         started        84 Contains functionality to steal Internet Explorer form passwords 20->84 file8 signatures9 process10 signatures11 94 Writes to foreign memory regions 24->94 96 Allocates memory in foreign processes 24->96 98 Modifies the context of a thread in another process (thread injection) 24->98 100 Injects a PE file into a foreign processes 24->100 29 vbc.exe 4 24->29         started        32 conhost.exe 27->32         started        34 timeout.exe 1 27->34         started        process12 signatures13 106 Bypasses PowerShell execution policy 29->106 36 powershell.exe 39 29->36         started        process14 file15 64 C:\Users\user\AppData\...\t1ukcgge.cmdline, UTF-8 36->64 dropped 39 csc.exe 36->39         started        42 powershell.exe 36->42         started        44 powershell.exe 36->44         started        46 2 other processes 36->46 process16 file17 66 C:\Users\user\AppData\Local\...\t1ukcgge.dll, PE32 39->66 dropped 48 cvtres.exe 39->48         started        50 conhost.exe 42->50         started        52 conhost.exe 44->52         started        54 conhost.exe 46->54         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91612c1717b0ab29feab36e67851807692e3ddcf6c34931be5ed4cdcb2471a9b/
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 06:50:42 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfqsyfyxwcvst7vlg3thqumao2johxopnq2jgg7f5vgnzmshdknq._file
Verdict:
malicious
Similar samples:
070c45432f832f1b39c1882b4f5ef8729343f24665b6b5a090ee775dbc116540
RaccoonStealer
24a722ce99ba486cf511c6534f66b8e8c9e7f90836dbcbd46e608dc085657a1c
RaccoonStealer
3bbc9dc239950316f60ce159afff3e7d7d1ea57c0feb1288a699da981662b9d5
RaccoonStealer
3d528b742ada6b08740dd5413b53471fadd61ca065332bd768904603bd640fa6
RaccoonStealer
5146dcf82d334df70b5d75763f4625af0694934aa667e9faaadfad02c56c85a9
RaccoonStealer
5ca87d23b76747cc2710bede0dd15ca05f21e1ca1df959e95aebf49304a677a0
RaccoonStealer
839844cd03415c7ae12a412f2e8f9a6365f87731534a351ea67bfdc6dd36f590
RaccoonStealer
8eb065a0ab7b4771f2fb1ec4264cd0c1505a948b358e200b46ce5e540fcbdbf5
RaccoonStealer
b066989014bb1fa69020b9615b5d8074818ac1315eb541ff9e6a2711f0d5d7cb
RaccoonStealer
d9e7255ce5340bd66977f3ed25d3dbe54c275c37e79f2d87f6222ecefb710cd1
RaccoonStealer
+ 1'078 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery persistence spyware stealer upx
Link:
https://tria.ge/reports/210708-h7xnxsch2e/
Behaviour
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry key
Modifies system certificate store
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
Core1 .NET packer
Grants admin privileges
Raccoon
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Unpacked files
SH256 hash:
2d724ff07f588ca1e43723d751e9f3ee14b45da55c47568c10b4d141c2809d7b
MD5 hash:
10e0c0545794c41a7246548f9dcbcac3
SHA1 hash:
d406a565e33124abbb548d08ae6cdb93947f000d
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4344567-b22b-47c7-9e80-db4090601ac5/
SH256 hash:
60fc80ac44851031b182a1f6c597edd55420d821f4854a178f1e02e455df2baa
MD5 hash:
0d67b2b4688eebd501e8a9a0ce8757a8
SHA1 hash:
ac9d056ff2ba13cfc8ebd44c0df09fe46a7195ae
Link:
https://www.unpac.me/results/b4344567-b22b-47c7-9e80-db4090601ac5/
SH256 hash:
f58b08200aa9266a46e47b0ea14e4159fc4d5349e0b8a8c5f102b40a7a0ff2f4
MD5 hash:
c95636a74c35cb11191c825f991ede02
SHA1 hash:
7456597bf86c9ffce7ac51e64a66081ec4254c60
Link:
https://www.unpac.me/results/b4344567-b22b-47c7-9e80-db4090601ac5/
SH256 hash:
e335eeb0398ad994554ba7dbff9d48c48f7bd041f8107fe53951497d84533b90
MD5 hash:
5b171b4a8b055e26df9a6c82b199f005
SHA1 hash:
061603a3f47209c96596fd807b318f9877e90449
Link:
https://www.unpac.me/results/b4344567-b22b-47c7-9e80-db4090601ac5/
SH256 hash:
91612c1717b0ab29feab36e67851807692e3ddcf6c34931be5ed4cdcb2471a9b
MD5 hash:
5202d7fba99f2ff44933cc498f702e3b
SHA1 hash:
b6d8f64426a92a3dd9064dcbdab6d694a382df9b
Link:
https://www.unpac.me/results/b4344567-b22b-47c7-9e80-db4090601ac5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91612c1717b0ab29feab36e67851807692e3ddcf6c34931be5ed4cdcb2471a9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 91612c1717b0ab29feab36e67851807692e3ddcf6c34931be5ed4cdcb2471a9b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1427014/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170445/

Comments