MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372
SHA3-384 hash: e66ad8d76b3802491f50f2868baeb119dec9486a105fedcf6f0ae5f154d14aab11229f1c1ef9d39fe7ca663c8f49c50a
SHA1 hash: c5b3e85f19ef84f45001e11af2f3bdc5454b6b16
MD5 hash: 614ecf4d0a5f0d42655fedf09b82813d
humanhash: rugby-eighteen-orange-social
File name:614ECF4D0A5F0D42655FEDF09B82813D.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:473'600 bytes
First seen:2021-08-07 18:05:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2ba8e1f75a8e02687cc194905c50074 (12 x RaccoonStealer, 1 x Stop, 1 x ArkeiStealer)
ssdeep 6144:XwbL+OU1hFakiHQxRgdaSdFGwh5+HvfMlt2g8uuMFD144IZNz:XaC1HPoaS3GI5IvfMX2Nj4D6h
Threatray 2'282 similar samples on MalwareBazaar
TLSH T11CA4122135A1C0B3E4215AB05829C2B67EBE7C350D688D9F3B91E36C6F751E1DF2A346
dhash icon 1272d292105c5c03 (31 x RaccoonStealer, 6 x Smoke Loader, 4 x Loki)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.253/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.253/ https://threatfox.abuse.ch/ioc/166000/

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x86_x64_setup.exe
Verdict:
Malicious activity
Analysis date:
2021-08-04 20:56:16 UTC
Tags:
evasion trojan rat redline opendir stealer raccoon vidar
Link:
https://app.any.run/tasks/ef620f33-4a1e-4c4f-a44b-cbe11b08fc62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177182/
Detection(s):
Win.Malware.Generic-9883819-0
Create hunting rule

Win.Packed.Generic-9883938-0
Create hunting rule

Win.Dropper.Ursnif-9884109-0
Create hunting rule

Win.Trojan.Generic-9884138-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07b80e6d-6f48-4bab-b8e3-d348f2f1f7a0
Result
Threat name:
Raccoon Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828671
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
DLL side loading technique detected
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461102 Sample: xvaSjYrQkw.exe Startdate: 07/08/2021 Architecture: WINDOWS Score: 100 79 Sigma detected: Xmrig 2->79 81 Multi AV Scanner detection for domain / URL 2->81 83 Found malware configuration 2->83 85 12 other signatures 2->85 8 xvaSjYrQkw.exe 83 2->8         started        13 svchost.exe 2->13         started        15 SgrmBroker.exe 2->15         started        17 13 other processes 2->17 process3 dnsIp4 65 telete.in 195.201.225.248, 443, 49709 HETZNER-ASDE Germany 8->65 67 ck37505.tmweb.ru 188.225.63.143, 443, 49721 TIMEWEB-ASRU Russian Federation 8->67 69 94.158.245.253, 49711, 80 MIVOCLOUDMD Moldova Republic of 8->69 57 C:\Users\user\AppData\...\zgo63ngwYs.exe, PE32+ 8->57 dropped 59 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->59 dropped 61 C:\Users\user\AppData\...\ucrtbase.dll, PE32 8->61 dropped 63 57 other files (none is malicious) 8->63 dropped 95 Detected unpacking (changes PE section rights) 8->95 97 Detected unpacking (overwrites its own PE header) 8->97 99 Tries to steal Mail credentials (via file access) 8->99 101 Tries to harvest and steal browser information (history, passwords, etc) 8->101 19 zgo63ngwYs.exe 11 4 8->19         started        23 cmd.exe 1 8->23         started        103 Changes security center settings (notifications, updates, antivirus, firewall) 13->103 25 MpCmdRun.exe 13->25         started        105 DLL side loading technique detected 15->105 71 127.0.0.1 unknown unknown 17->71 27 WerFault.exe 17->27         started        file5 signatures6 process7 file8 55 C:\Users\user\AppData\...\win32update.exe, PE32+ 19->55 dropped 87 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->87 89 Writes to foreign memory regions 19->89 91 Allocates memory in foreign processes 19->91 93 4 other signatures 19->93 29 InstallUtil.exe 19->29         started        33 powershell.exe 19->33         started        35 powershell.exe 24 19->35         started        43 3 other processes 19->43 37 conhost.exe 23->37         started        39 timeout.exe 23->39         started        41 conhost.exe 25->41         started        signatures9 process10 dnsIp11 73 94.23.247.226, 3333, 49726 OVHFR France 29->73 75 192.168.2.1 unknown unknown 29->75 77 2 other IPs or domains 29->77 107 Query firmware table information (likely to detect VMs) 29->107 45 conhost.exe 29->45         started        109 Disable Windows Defender notifications (registry) 33->109 47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        51 conhost.exe 43->51         started        53 conhost.exe 43->53         started        signatures12 111 Detected Stratum mining protocol 73->111 process13
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 16:52:07 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xgnmtbojd5nf4dbkxdc3slfwithkm3ftgnwcwztfe5hhqfi4ynza._file
Verdict:
malicious
Similar samples:
11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a
RaccoonStealer
2b505b7621740d052a23d450a9e6e0b599063739aacc0825c0a409926a8a8abe
RaccoonStealer
4afb5969afd2c92b331d1fef3412103b6fa4d1ab3f386b9cf505b694038790bc
RaccoonStealer
4df50c6d6d188c3413bdba53851cbeea7b281b92b0d5341c021a65912395fa5b
RaccoonStealer
5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be
RaccoonStealer
cc734514a9be905018d6f5fb5c1382a610fcd9c01348d969682d2160dc03b1fb
RaccoonStealer
+ 2'272 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:xmrig botnet:2ca2376c561d1af7f8b9e6f3256b06220a3db187 discovery miner persistence spyware stealer upx
Link:
https://tria.ge/reports/210807-5caxw1z11s/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
XMRig Miner Payload
Raccoon
Raccoon Stealer Payload
xmrig
Unpacked files
SH256 hash:
6b3cb79e70b64516a491f38393de2bcbaeefe09e1aebf6900dc467441785db36
MD5 hash:
78142aaf4e92aa7b4883c0a81751c2a4
SHA1 hash:
3643762f4dd5fb81dd00ea49a6acfe0e362d8abe
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5addad9-e887-4114-b1b3-e0bc70d1409c/
Parent samples :
11a5764ca8d515eb745b67a1d693fa3747873f80855cefd5eb7bf890cf0a7a8a
5b46df5a271c4e35adf1027792e4035301ae87fe4a112f89f507b37522b541be
b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372
SH256 hash:
b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372
MD5 hash:
614ecf4d0a5f0d42655fedf09b82813d
SHA1 hash:
c5b3e85f19ef84f45001e11af2f3bdc5454b6b16
Link:
https://www.unpac.me/results/d5addad9-e887-4114-b1b3-e0bc70d1409c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b99ac985c91f5a5e0c2ab8c5b92cb644cea66cb3336c2b6665274e78151cc372

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177182/

Comments