MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d03f0739a3840f5461af1d6ffa96a34c8a0df1b428b58825d95fe3a43a55d92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d03f0739a3840f5461af1d6ffa96a34c8a0df1b428b58825d95fe3a43a55d92
SHA3-384 hash: a838c34d252041b601dabee2901a2e45ffb954146c1021569088f668b4493e617702718bfee4d0fa9b847ba2d5e4542e
SHA1 hash: bebc66726f0c51243c789b7783893accf7734717
MD5 hash: e547317c7c8b33e16f2a0b23f7790915
humanhash: artist-kitten-salami-charlie
File name:E547317C7C8B33E16F2A0B23F7790915.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'439'810 bytes
First seen:2021-06-01 07:50:53 UTC
Last seen:2021-06-01 08:53:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep 24576:e9btxEOqJ7X7agBge3wKSa95hiZekBVhWiBI/otvP/II83Mdxy0YLCQjVGFmrsh:eNNarWgBRDSc5hi7Vh3BI/cw3MeLCph
Threatray 210 similar samples on MalwareBazaar
TLSH 5365231177C5C9FAD18141785C80B7BA24AA9E260B509EEFBBD43B0F1B337C2E539649
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://193.203.203.233/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.203.203.233/ https://threatfox.abuse.ch/ioc/68025/

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7zip (3).exe
Verdict:
Suspicious activity
Analysis date:
2021-05-31 11:46:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/09459aac-6848-4513-9451-fc19dd6231d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163737/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/795071
Signature
Contains functionality to register a low level keyboard hook
Deletes itself after installation
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 427467 Sample: vbt850UB2Q.exe Startdate: 01/06/2021 Architecture: WINDOWS Score: 68 40 Multi AV Scanner detection for submitted file 2->40 9 vbt850UB2Q.exe 7 2->9         started        process3 signatures4 42 Contains functionality to register a low level keyboard hook 9->42 12 cmd.exe 1 9->12         started        process5 signatures6 44 Submitted sample is a known malware sample 12->44 46 Obfuscated command line found 12->46 48 Uses ping.exe to sleep 12->48 50 Uses ping.exe to check the status of other devices and networks 12->50 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 54 Obfuscated command line found 15->54 56 Uses ping.exe to sleep 15->56 20 Riparo.exe.com 15->20         started        22 PING.EXE 1 15->22         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 28 Riparo.exe.com 20->28         started        34 127.0.0.1 unknown unknown 22->34 36 192.168.2.1 unknown unknown 22->36 32 C:\Users\user\AppData\...\Riparo.exe.com, Targa 25->32 dropped file11 process12 dnsIp13 38 VbQnayWYsqRkZ.VbQnayWYsqRkZ 28->38 52 Deletes itself after installation 28->52 signatures14
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9d03f0739a3840f5461af1d6ffa96a34c8a0df1b428b58825d95fe3a43a55d92/
Threat name:
Win32.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-29 01:08:26 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tub7a442hbapkrq26hlp7klkgtekbxy3ikfvras5sx7duq5flwja._file
Verdict:
suspicious
Similar samples:
01e0e8312ba9622a57dfbf40615513bf2a01c38d9fba806e1bc9c08364b2041f
RaccoonStealer
03110bdd6c0d0f027422de86d47ce39cfb8cae70c04a616cbb8c325c03853ef6
RaccoonStealer
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
RaccoonStealer
84d476538f65a15834800d95f0056d5e0f1efcadbc7dc6155185286c6af962c2
RaccoonStealer
9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186
RaccoonStealer
de92c18843a74125a6adbfdcffe97c597d88ae21a8cdc560aa10b33870f6a472
RaccoonStealer
e31da697e1f30aca20cb88b09a69ed60bdbba9b3c4da0e67e2654ecb541964f2
RaccoonStealer
f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
RaccoonStealer
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
RaccoonStealer
f87674db0a46d9903b10a9103dd2cad5b0d1ff7cccaaec2cc47231d5fc32007d
RaccoonStealer
+ 200 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:06394accf82ea147e8aaf9fad05193b7b0899411 stealer
Link:
https://tria.ge/reports/210601-amgwf462ls/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d03f0739a3840f5461af1d6ffa96a34c8a0df1b428b58825d95fe3a43a55d92

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163737/

Comments