MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5bc0b147e9bacda1b3d5c8ba9fcfffc3fc4776c17763463d5a21e51b8bc811a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 13

SHA256 hash: a5bc0b147e9bacda1b3d5c8ba9fcfffc3fc4776c17763463d5a21e51b8bc811a
SHA3-384 hash: fbc641d6002847e2a17db6880443aeaf56df0877710193feb455192723bc18fc796d91da18db1824fe22b620a8575b87
SHA1 hash: d9a58768537b9fee5c7f44fe297f953d44ffb196
MD5 hash: 9100a533fc62f65efba1b86d2c83a5be
humanhash: muppet-oregon-summer-oregon
File name: 9100a533fc62f65efba1b86d2c83a5be
Signature: RaccoonStealer
File size: 958'976 bytes
First seen: 2021-12-19 04:06:02 UTC
Last seen: 2021-12-19 05:29:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:UbkpCRDALJmt2bOfrv1MsBdUzmbetEQ0POP:U4wRDUJsbjdMwmyKEh
Threatray: 11'512 similar samples on MalwareBazaar
TLSH: T1FE15234013CB9729E5BF3774E93156A087B0F8A56C38D55EBD819CEE203A7844F9236B
Reporter: zbetcheckin
Tags: 32 exe RaccoonStealer
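Before doing anything with a downloaded sample, confirm it is the file this record describes: the SHA256 is the primary key, and the other hashes and the size are a cheap cross-check that nothing was truncated or re-wrapped on the way down. The following is an added example, not code from MalwareBazaar or abuse.ch: it recomputes the four hashes listed above with Python's hashlib and compares the size. The RECORD dictionary copies the values from this page; the function names and the command-line usage are this example's own.

```python
# Added example (not part of the MalwareBazaar page or abuse.ch tooling):
# verify that a downloaded sample matches the hashes and size in a
# MalwareBazaar record before handling it any further.
import hashlib
import re

# Values copied from the record above. Sizes on the page carry a
# thousands separator (958'976 bytes), so they are parsed, not int()'d.
RECORD = {
    "sha256": "a5bc0b147e9bacda1b3d5c8ba9fcfffc3fc4776c17763463d5a21e51b8bc811a",
    "sha3_384": "fbc641d6002847e2a17db6880443aeaf56df0877710193feb455192723bc18fc796d91da18db1824fe22b620a8575b87",
    "sha1": "d9a58768537b9fee5c7f44fe297f953d44ffb196",
    "md5": "9100a533fc62f65efba1b86d2c83a5be",
    "size": "958'976 bytes",
}


def parse_size(text: str) -> int:
    """Turn "958'976 bytes" into 958976."""
    digits = re.sub(r"[^0-9]", "", text)
    if not digits:
        raise ValueError(f"no size in {text!r}")
    return int(digits)


def compute_hashes(data: bytes) -> dict:
    """The four digests MalwareBazaar lists for every sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, record: dict) -> list:
    """Return the names of every field in `record` that does not match `data`.

    An empty list means the bytes are the sample the record describes.
    Only fields present in `record` are checked, so a partial record
    (e.g. SHA256 only) still works; a field we cannot compute is reported
    as a mismatch rather than silently skipped.
    """
    actual = compute_hashes(data)
    mismatches = []
    for name, expected in record.items():
        if name == "size":
            if len(data) != parse_size(expected):
                mismatches.append("size")
        elif name in actual:
            # hex digests compare case-insensitively; vendors differ in case
            if actual[name] != expected.strip().lower():
                mismatches.append(name)
        else:
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        bad = verify_sample(fh.read(), RECORD)
    print("match" if not bad else f"MISMATCH on {', '.join(bad)}")
```

Run it against the extracted sample file; any non-empty mismatch list means you are not looking at the object this page describes, and the rest of the record (imphash, ssdeep, vendor verdicts) should not be assumed to apply.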

Intelligence


File Origin
# of uploads: 2
# of downloads: 218
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: AsyncMine_1_2.exe
Verdict: Malicious activity
Analysis date: 2021-12-16 04:00:24 UTC
Tags: evasion trojan loader opendir rat redline stealer vidar raccoon

Note: ANY.RUN is an interactive sandbox; its verdict reflects everything the analyst did during the session, not only the behaviour of the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Adding an access-denied ACE
DNS request
Launching a process
Creating synchronization primitives
Creating a file
Sending a custom TCP request
Forced shutdown of a system process
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed racealer redline spybot virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon Xmrig
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by executing a special instruction which causes a user-mode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 542198, sample Fiifdd61rB, start date 19/12/2021, architecture WINDOWS, score 100). The graph is an image on the original page; the nodes and edges recoverable from it are listed below.

Top-level network and signatures:
  192.110.160.114:3333 (local port 49788), IOFLOODUS, United States
  iplogger.org 148.251.234.83:443 (local port 49780), HETZNER-ASDE, Germany
  3 other IPs or domains
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Sigma detected: Xmrig
  Antivirus detection for URL or domain
  15 other signatures

Processes started: Fiifdd61rB.exe, svchost.exe, SgrmBroker.exe, 8 other processes

Fiifdd61rB.exe
  Dropped: C:\Users\user\AppData\...\Fiifdd61rB.exe.log (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
  Started: aspnet_wp.exe, aspnet_regiis.exe

svchost.exe
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

SgrmBroker.exe
  Signatures: DLL side loading technique detected

aspnet_wp.exe (started by Fiifdd61rB.exe)
  Network: 178.62.232.173:80 (local port 49757), DIGITALOCEAN-ASNUS, European Union
           theperfumeplus.com 216.172.184.156:80 (local port 49760), UNIFIEDLAYER-AS-1US, United States
           194.180.174.53:80 (local port 49756), MIVOCLOUDMD, unknown
  Dropped: C:\Users\user\AppData\...\uIOiARMw3B.exe (PE32)
           C:\Users\user\AppData\...\O4FQgLrJ0l.exe (PE32)
           C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32)
           58 other files (2 malicious)
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); DLL side loading technique detected
  Started: uIOiARMw3B.exe, O4FQgLrJ0l.exe

uIOiARMw3B.exe (started by aspnet_wp.exe)
  Dropped: C:\Users\user\AppData\...\fodhelper.exe (PE32)
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect sandboxes / dynamic malware analysis system (registry check)

O4FQgLrJ0l.exe (started by aspnet_wp.exe)
  Network: blvckxxx.beget.tech 91.106.207.6:80 (local port 49782), BEGET-ASRU, Russian Federation (Detected Stratum mining protocol on this connection)
  Dropped: C:\Users\user\AppData\Roaming\...\Driver.exe (MS-DOS)
           C:\Users\user\AppData\Roaming\...\Driver.url (MS)
  Signatures: Detected unpacking (changes PE section rights); Tries to evade analysis by executing a special instruction which causes a user-mode exception; Hides threads from debuggers
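The sandbox flags "Detected Stratum mining protocol" and "Sigma detected: Xmrig", and the graph shows a connection to 192.110.160.114 on port 3333, the conventional pool port. Stratum is newline-delimited JSON-RPC over TCP, so it is easy to recognise in captured payloads without relying on the port. The following detector is an added example, not from the page or from any vendor's sandbox: it scans (destination, port, payload) tuples for Stratum method names used by Bitcoin-style pools (mining.*) and by XMRig/Monero pools (login, submit, job). The flows are constructed test data; only the first IP:port pair is taken from the report above, and the wallet, worker and host names are made up.

```python
# Added example (not from the page or any vendor sandbox): a minimal
# detector for the Stratum mining protocol in captured TCP payloads.
import json

STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",          # Bitcoin-style pools
    "login", "submit", "job", "keepalived",            # XMRig / Monero pools
}


def stratum_methods(payload: bytes) -> list:
    """Return the Stratum method names found in one TCP payload, in order.

    Stratum messages are one JSON object per line. Non-JSON lines (HTTP,
    TLS records, binary) are skipped rather than raised, so the function
    can be run over every flow in a capture.
    """
    found = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if method in STRATUM_METHODS:
            found.append(method)
    return found


def scan_flows(flows) -> list:
    """flows: iterable of (dst_ip, dst_port, payload_bytes).

    Returns one (dst_ip, dst_port, first_method) tuple per flow that speaks
    Stratum, regardless of port: miners are routinely pointed at 80 or 443
    to blend in, so the port alone is not a usable signal.
    """
    hits = []
    for dst, port, payload in flows:
        methods = stratum_methods(payload)
        if methods:
            hits.append((dst, port, methods[0]))
    return hits


# Constructed flows. The payloads are synthetic; only the first IP:port
# pair comes from the sandbox report on this page.
SAMPLE_FLOWS = [
    ("192.110.160.114", 3333,
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"NOT_A_REAL_WALLET",'
     b'"pass":"x","agent":"XMRig/6.15.2","algo":["rx/0"]}}\n'),
    ("203.0.113.7", 443,
     b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'
     b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'),
    ("203.0.113.9", 80,
     b"GET /files/update.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("203.0.113.10", 3333,
     b'{"id":5,"method":"ping"}\n'),   # JSON-RPC on 3333, but not Stratum
]

if __name__ == "__main__":
    for dst, port, method in scan_flows(SAMPLE_FLOWS):
        print(f"stratum to {dst}:{port} ({method})")
```

The fourth flow is the reason to match on method names rather than on "JSON on port 3333": any JSON-RPC service on that port would otherwise alert. Conversely the second flow shows why port-based blocking of 3333 is not enough on its own. Stratum over TLS (the pool on 443 in practice) is invisible to this check and needs a TLS-terminating proxy or a host-side detection such as the Sigma rule the sandbox cites.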
Threat name: ByteCode-MSIL.Infostealer.Racealer
Status: Malicious
First seen: 2021-12-15 18:08:00 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 30 of 43 (69.77%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:6abe6cc89c2932cbb05f828aa46e3b25ff0da6dd stealer
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Raccoon
Unpacked files
SHA256 hash: 3316c386496fd9786b7d3a48c4055959ed865e4261b9a7971a100c971a137c29
MD5 hash: 863e37cf5ef04f1642db786499d7891f
SHA1 hash: a01381577544ea81b118dbf28a03c65a053711c8

SHA256 hash: 4a20ba2e779a2e7ffa52a18a846f8859c2fae6d11ddd4cc8cbd4af7124b184d2
MD5 hash: aab2492acfb998e21f11b365c6864c41
SHA1 hash: 693308a58160cbb2367b3b3d76494c11aec120b1

SHA256 hash: 496532f8b93f154945505e49c20d922640740824e2532f37232c56a54fcdc0c5
MD5 hash: b880ebfe5e0ddd69a167f530632106a6
SHA1 hash: 4fe60138fa29e18c40c01bdfc04b7503ea428851
Detections: win_raccoon_auto

SHA256 hash: d5f90f085a618f484220dba52ae2938959c119c3ecbdcc06fe2fb32597a6d0f9
MD5 hash: cf8c9f0fdbd2335bcbc0e1051a40f5eb
SHA1 hash: 21591052be26ab63466ade35093b6ee295e8b0a5

SHA256 hash: a5bc0b147e9bacda1b3d5c8ba9fcfffc3fc4776c17763463d5a21e51b8bc811a (this sample)
MD5 hash: 9100a533fc62f65efba1b86d2c83a5be
SHA1 hash: d9a58768537b9fee5c7f44fe297f953d44ffb196
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.
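Of the rules above, INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture is the one worth understanding rather than just trusting: it fires whenever the COFF header's TimeDateStamp is later than the scanner's clock. The following is an added example, not one of the YARA rules listed and not the rule author's code: it reads that field from a PE image in Python and applies the same comparison, with a day of slack for clock skew. The PE bytes it works on are constructed headers built by the helper below, not the sample on this page.

```python
# Added example (not one of the YARA rules above): the "compilation
# timestamp in the future" check written out against the PE header.
import struct
import time


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch).

    Raises ValueError for anything that is not a PE image. Only the DOS
    header, the PE signature and the 20-byte COFF header are read.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    ts, = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_in_future(data: bytes, now: int = None, slack: int = 86400) -> bool:
    """True when the embedded build time is later than `now` by more than
    `slack` seconds. A zeroed timestamp is 'unset', not 'future'."""
    now = int(time.time()) if now is None else now
    ts = pe_timestamp(data)
    return ts != 0 and ts > now + slack


def build_pe(timestamp: int) -> bytes:
    """Construct a minimal DOS stub + PE signature + COFF header carrying
    the given TimeDateStamp. Enough for header parsing; not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: IMAGE_FILE_MACHINE_I386 (32-bit, like this sample)
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader for PE32
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    now = int(time.time())
    for label, ts in (("plausible", now - 30 * 86400),
                      ("stomped", now + 5 * 365 * 86400)):
        verdict = "future" if timestamp_in_future(build_pe(ts), now) else "ok"
        print(f"{label}: TimeDateStamp={ts} -> {verdict}")
```

Two caveats before treating a hit as evidence of tampering. First, this sample is a .NET executable, and .NET compilers in deterministic mode write a content hash into TimeDateStamp rather than a build time, so an arbitrary, often future, value is normal for benign managed binaries and the rule is a weak signal on its own for this file type. Second, the comparison is against the scanner's clock, so the same file can match on one machine and not on another; record the clock you used alongside the verdict.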

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RaccoonStealer
File type: Executable exe
SHA256: a5bc0b147e9bacda1b3d5c8ba9fcfffc3fc4776c17763463d5a21e51b8bc811a (this sample)

Comments

zbet commented on 2021-12-19 04:06:03 UTC

url : hxxp://coin-coin-data-6.com/files/2340_1639502188_7736.exe