MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9beda964b8371b181392b0f086a0bb5cee0fc2cedf0bba5753882331d855336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9beda964b8371b181392b0f086a0bb5cee0fc2cedf0bba5753882331d855336
SHA3-384 hash: a4305816deb06ce79c8d52034a04cbfeb142b51b669fdafe9ea83211685f20cff1a4c388f2c8faa41c6dc280dbd4db96
SHA1 hash: 630b4711ad0e7db299eb30662be5f53bf15c98b9
MD5 hash: 294834fc53ae2b941d748a1a5dd4b97a
humanhash: georgia-equal-yellow-alabama
File name:294834fc53ae2b941d748a1a5dd4b97a
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'410'440 bytes
First seen:2021-11-28 18:36:51 UTC
Last seen:2021-11-28 21:42:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 22301bd01fecfc0f42cc27a9b8788c3a (3 x RaccoonStealer)
ssdeep 24576:f1tqNFaeWrr5Hk7MsPixvPrzjjNzOhko9XiphkqkEaHNYK3wlY9IpkRM:fqNFvUSv+7jNzOmtNaQOe
Threatray 353 similar samples on MalwareBazaar
TLSH T1786533DB53C43C38E3CC08B00D26C7A26F7A69704EF4B6726A569106DFE5F8276191A7
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
294834fc53ae2b941d748a1a5dd4b97a
Verdict:
Suspicious activity
Analysis date:
2021-11-28 18:40:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4413eafc-1cb8-4016-8ee1-3b276abb7f9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed racealer
Link:
https://www.filescan.io/uploads/61a3cc50bbfd2af97cb7f918/reports/d0d3d3b0-a7d3-402a-ad82-e3f1a36765c9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3950569-52c7-40cd-92a6-f6819c075cca
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897485
Signature
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529963 Sample: 6VMTIYMbWN Startdate: 28/11/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Antivirus detection for URL or domain 2->50 52 5 other signatures 2->52 7 6VMTIYMbWN.exe 85 2->7         started        process3 dnsIp4 36 host-file-host9.com 95.213.165.229, 49781, 49787, 80 SELECTELRU Russian Federation 7->36 38 5.181.156.4, 49777, 80 MIVOCLOUDMD Moldova Republic of 7->38 40 5 other IPs or domains 7->40 28 C:\Users\user\AppData\...behaviorgraphanSIQevKR.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\1QC4GqkTo2.exe, PE32+ 7->30 dropped 32 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->32 dropped 34 58 other files (none is malicious) 7->34 dropped 54 Query firmware table information (likely to detect VMs) 7->54 56 May check the online IP address of the machine 7->56 58 Tries to steal Mail credentials (via file / registry access) 7->58 60 4 other signatures 7->60 12 GanSIQevKR.exe 15 7->12         started        16 1QC4GqkTo2.exe 14 3 7->16         started        18 cmd.exe 1 7->18         started        file5 signatures6 process7 dnsIp8 42 ccf9ba3695b15b4f0787e6290e0f63allcomejroo839jxi13.xyz 207.244.237.176, 49790, 80 CONTABOUS United States 12->42 62 Performs DNS queries to domains with low reputation 12->62 20 conhost.exe 12->20         started        44 www.google.com 142.250.184.36, 49832, 80 GOOGLEUS United States 16->44 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->64 22 WerFault.exe 20 11 16->22         started        24 conhost.exe 18->24         started        26 timeout.exe 1 18->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9beda964b8371b181392b0f086a0bb5cee0fc2cedf0bba5753882331d855336/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 16:36:00 UTC
File Type:
PE (Exe)
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e
RaccoonStealer
50d77a8a5e5ced0e79891d026a9329744a23b75e80359e4a2b23bab1eaa95188
RaccoonStealer
6077f0663a7475cff6c26539fca712b3300c21d81a9439b3f76900457532c401
RaccoonStealer
8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25
RaccoonStealer
afd37b61d3d84da8f08b21408b000e33a8c63966ad9860f5f582e8dc9934b109
RaccoonStealer
c0187c53d096fcf18afd91727cda5ed43f290a33b948d9d11afc0f65e2cc4b23
RaccoonStealer
cbeafcb1b8e209794f255e1f689a636a22e2e4fc9017a9cfb839ac02e99c378e
RaccoonStealer
daf995a3344ff3e6b10ccf2ca7145711277dddeff4eba00ecfe7fbad87bed2c7
RaccoonStealer
fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02
RaccoonStealer
+ 343 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:fe1f102f3334068962b64125bcb00816dba46087 evasion stealer trojan
Link:
https://tria.ge/reports/211128-w9gdjaacel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
1c1b1413b3e02be03b8fc1cdb2dd064d96ae17c7c16f4251155cf904d8244fd0
MD5 hash:
d6cdfe50a95ddea2562f3b90b2fac7b3
SHA1 hash:
805e4d996ee1af3dd24917419dfd17e885465c23
Link:
https://www.unpac.me/results/b953a411-d126-4423-a756-9a6a8796d178/
SH256 hash:
a9beda964b8371b181392b0f086a0bb5cee0fc2cedf0bba5753882331d855336
MD5 hash:
294834fc53ae2b941d748a1a5dd4b97a
SHA1 hash:
630b4711ad0e7db299eb30662be5f53bf15c98b9
Link:
https://www.unpac.me/results/b953a411-d126-4423-a756-9a6a8796d178/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a9beda964b83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9beda964b8371b181392b0f086a0bb5cee0fc2cedf0bba5753882331d855336

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe a9beda964b8371b181392b0f086a0bb5cee0fc2cedf0bba5753882331d855336

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1829390/

Comments


Avatar
zbet commented on 2021-11-28 18:36:52 UTC

url : hxxp://coin-coin-coin-2.com/files/4489_1638103654_7284.exe