MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d
SHA3-384 hash: 57236e50b74dbbbb292f536ba3b15cd41b1e5815ccff09e462e2839d0adfcefddb8b63926041da4003e68dc1d1b7b76d
SHA1 hash: 845f59d0324b2577979b51a8e66689f6f604ecde
MD5 hash: af067a53dcecb2f527a351a6491c56b9
humanhash: bacon-delta-ceiling-green
File name:1_cr
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:867'840 bytes
First seen:2021-01-19 09:05:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:TAHnh+eWsN3skA4RV1Hom2KXMmHamV55:eh+ZkldoPK8Yamt
Threatray 343 similar samples on MalwareBazaar
TLSH 75058B0273D1C036FFABA2739B6AF64156BC79254133852F13981DB9BD701B2263E663
Reporter JAMESWT_WT
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1_cr
Verdict:
Malicious activity
Analysis date:
2021-01-19 09:07:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1131a579-c86f-4394-aabf-4140f09315b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112836/
Detection(s):
Win.Malware.Autoit-9820421-0
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/584740
Signature
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to steal Internet Explorer form passwords
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Very long command line found
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341405 Sample: 1_cr Startdate: 19/01/2021 Architecture: WINDOWS Score: 92 42 Multi AV Scanner detection for domain / URL 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Raccoon Stealer 2->46 48 4 other signatures 2->48 9 1_cr.exe 15 2->9         started        process3 dnsIp4 38 paste.ee 104.21.45.223, 443, 49704, 49729 CLOUDFLARENETUS United States 9->38 30 C:\Users\user\AppData\Local\...\mByZgmXsR.ps1, ASCII 9->30 dropped 56 Binary is likely a compiled AutoIt script file 9->56 14 powershell.exe 25 9->14         started        file5 signatures6 process7 dnsIp8 40 192.168.2.1 unknown unknown 14->40 58 Very long command line found 14->58 18 powershell.exe 15 14 14->18         started        22 conhost.exe 14->22         started        signatures9 process10 dnsIp11 32 paste.ee 18->32 50 Writes to foreign memory regions 18->50 52 Injects a PE file into a foreign processes 18->52 24 MSBuild.exe 18->24         started        signatures12 process13 dnsIp14 34 telete.in 195.201.225.248, 443, 49731 HETZNER-ASDE Germany 24->34 36 puffpuffpuff419.top 24->36 54 Contains functionality to steal Internet Explorer form passwords 24->54 28 WerFault.exe 24->28         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d/
Verdict:
malicious
Similar samples:
0546cc2b40978832d956bb5e4267652609bb8873a3675928bd50ba3753199aea
RaccoonStealer
17e1ef78f68371282d030616c47734fa831864cac7fc0ed3171cdc0087bcc894
RaccoonStealer
3cc66db6e76b9b4e3713fcf69438cd1ec43253165f3fe1e05593580da9737d3b
RaccoonStealer
4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
RaccoonStealer
50835c6c6d8bd3415be9849c272876e863b792c035f052a03449aefb646a600a
RaccoonStealer
525019392f589015d4cb657058ad8421ac258cfcf1d08913eba3a91e6fdbe658
RaccoonStealer
7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c
RaccoonStealer
b7b5a82b1c9b3c2ffeedcc57b2bef35f61c7e93ec2d5ae784f667e4d8d534009
RaccoonStealer
b9f26773127ea443af79c294d1b3a16f8d98556976780aff8e98f37a2ac5ad99
RaccoonStealer
ebe987a5cb9ad1bcc702dc23a1baccbc8e7200ce2c7a2d4bb2d7c91110abf48b
RaccoonStealer
+ 333 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon stealer
Link:
https://tria.ge/reports/210119-lsk3mtwvbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
Dropper Extraction:
httPs://paste.ee/r/3ml51
httPs://paste.ee/r/a3wil
Unpacked files
SH256 hash:
9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d
MD5 hash:
af067a53dcecb2f527a351a6491c56b9
SHA1 hash:
845f59d0324b2577979b51a8e66689f6f604ecde
Link:
https://www.unpac.me/results/2fdffcbd-4d6f-4cb8-aea7-c10c84876efd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/971590/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/112836/

Comments