MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39778737ab289b8253a0c33f9fb9a0fd23492d2a0679d1759180b93ce110899. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 11

SHA256 hash: c39778737ab289b8253a0c33f9fb9a0fd23492d2a0679d1759180b93ce110899
SHA3-384 hash: c4e7ccf9cca035b6b8a945a520f9cc3c391d55f412db3997fdf54c5b8a815e2d6eecf962956eaf5cfa1720890d70c1ba
SHA1 hash: d018af4f99d9385de24214cecc0632a4f1aa0ebc
MD5 hash: 8e59ca175fec51b753f178d488291ca3
humanhash: oranges-quiet-venus-nebraska
File name: 8E59CA175FEC51B753F178D488291CA3.exe
Signature: RaccoonStealer
File size: 1'193'861 bytes
First seen: 2021-07-08 13:26:18 UTC
Last seen: 2021-07-08 13:48:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 41999ec9d2bb54af1616c904a0650895 (1 x DarkComet, 1 x AsyncRAT, 1 x RaccoonStealer)
ssdeep: 24576:QQQ66X+aQ7wbGJ0wvgp2ksCsd39JKixu4J/SxXxxIHH485g04CaW/cKl6iqNV3:O66X+aEunXxxInZlHHc2/eV3
Threatray: 917 similar samples on MalwareBazaar
TLSH: T15B45CF23E390A149D45680B058AAE6B97A192C781441AE47F3C0BF4F35B26E3F7B571F
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://34.89.184.90/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://34.89.184.90/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/158448/

Intelligence


File Origin
# of uploads: 2
# of downloads: 120
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 8E59CA175FEC51B753F178D488291CA3.exe
Verdict: Malicious activity
Analysis date: 2021-07-08 13:28:04 UTC
Tags: trojan stealer raccoon loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: AsyncRAT BitRAT Raccoon Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AsyncRAT
Yara detected BitRAT
Yara detected Raccoon Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 445911, Sample: aY5UWK4jxg.exe, Startdate: 08/07/2021, Architecture: WINDOWS, Score: 100). The graph image is not reproduced here; the process tree below is recovered from its node text:
Root: resolves maidright.chickenkiller.com; signatures: Multi AV Scanner detection for domain / URL, Found malware configuration, Multi AV Scanner detection for submitted file, 7 other signatures
  aY5UWK4jxg.exe
    RegSvcs.exe: contacts telete.in 195.201.225.248:443 (HETZNER-AS, Germany), 34.89.184.90:80 (GOOGLE, United States), bravestone.ru 172.67.175.80:443 (CLOUDFLARENET, United States); drops C:\Users\user\AppData\...\95W3M9QMLc.exe (PE32), C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32), C:\Users\user\AppData\LocalLow\...\nss3.dll (PE32) and 58 other files (1 malicious); signatures: Tries to steal Mail credentials (via file access), Tries to harvest and steal browser information (history, passwords, etc), DLL side loading technique detected
      vqfWSvAGfP.exe: contacts 192.168.2.1; drops C:\Users\user\AppData\...\editorpro.exe (PE32), C:\Users\user\AppData\...\tsharkdecode.dll (PE32+), C:\Users\user\AppData\...\libwinpthread-1.dll (PE32+) and 12 other files (none is malicious)
        editorpro.exe: contacts 185.157.162.75 (OBE-EUROPE Obenetwork Europe, Sweden); signature: Hides threads from debuggers
      95W3M9QMLc.exe: signature: Sample uses process hollowing technique
        vbc.exe: contacts maidright.chickenkiller.com 45.83.220.209 (ESAB-AS, Sweden)
      cmd.exe
        conhost.exe
        timeout.exe
    WerFault.exe: drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
Threat name: Win32.Trojan.Johnnie
Status: Malicious
First seen: 2021-07-06 21:50:00 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:asyncrat family:raccoon botnet:e769a3b57d823e6577700a58ab4a4a547b9f01be discovery rat stealer
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
Raccoon
Malware Config
C2 Extraction: maidright.chickenkiller.com:54856
Unpacked files
SHA256 hash: 758b0fcad0950b63607f06609bc9ffd7953206111f04adfbf40bfc1c0b5ed2c0
MD5 hash: dfd72cf998be69be0418701a0dee0272
SHA1 hash: 16ec42de83a698415daa33b47a5363fb289a4f6f
Detections: win_raccoon_auto
SHA256 hash: c39778737ab289b8253a0c33f9fb9a0fd23492d2a0679d1759180b93ce110899
MD5 hash: 8e59ca175fec51b753f178d488291ca3
SHA1 hash: d018af4f99d9385de24214cecc0632a4f1aa0ebc
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
