MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4702d094a59e34bc751b502a0e6f72c8689016e102b06b146306460e78e54a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4702d094a59e34bc751b502a0e6f72c8689016e102b06b146306460e78e54a5
SHA3-384 hash: 48722f6feb98a73bb17486a06e070966c72ded80427136ba07c3abdee1788dffe4b76862eaaf98df3a2bab38a81665e5
SHA1 hash: 7290bc368a681262195bc3b8c5f31a36af680f51
MD5 hash: f9be348e4643c89925373e4f917cb904
humanhash: comet-romeo-vermont-vegan
File name:f9be348e_by_Libranalysis
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:253'440 bytes
First seen:2021-05-21 15:50:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7319aa0439871227528cd99482fa7fae (1 x RaccoonStealer)
ssdeep 6144:du3ypVzUlerIAA2eYk1N8O2uxFFCMMsTURK0j:du3ypCehZksKoMMsj0j
Threatray 924 similar samples on MalwareBazaar
TLSH 7144F480A3F7823AE13BE83D5BD156BCD8A9B211260BA9A7037A914F5F1C75CCD5F418
Reporter Libranalysis
Tags:RaccoonStealer


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9be348e_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-05-21 20:07:49 UTC
Tags:
evasion loader miner trojan stealer raccoon
Link:
https://app.any.run/tasks/e7fbabe7-ead8-4f57-8b2e-7ae1744bcb9a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a service
Launching a service
Loading a system driver
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun for a service
Connection attempt to an infection source
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/787690
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 420087 Sample: f9be348e_by_Libranalysis Startdate: 21/05/2021 Architecture: WINDOWS Score: 100 108 Malicious sample detected (through community Yara rule) 2->108 110 Antivirus detection for URL or domain 2->110 112 Antivirus detection for dropped file 2->112 114 8 other signatures 2->114 8 f9be348e_by_Libranalysis.exe 25 2->8         started        13 waupdat3.exe 14 2->13         started        15 waupdat3.exe 2->15         started        17 4 other processes 2->17 process3 dnsIp4 90 www.almanhost.com 8->90 92 almanhost.com 85.214.154.106, 443, 49742, 49745 STRATOSTRATOAGDE Germany 8->92 94 iplogger.org 88.99.66.31, 443, 49740 HETZNER-ASDE Germany 8->94 68 C:\Users\user\AppData\Roaming\F49B.tmp.exe, PE32 8->68 dropped 70 C:\Users\user\AppData\Roaming\F13E.tmp.exe, PE32+ 8->70 dropped 72 C:\Users\user\AppData\Roaming\DDF4.tmp.exe, PE32 8->72 dropped 74 3 other malicious files 8->74 dropped 144 May check the online IP address of the machine 8->144 19 F13E.tmp.exe 1 16 8->19         started        24 DDF4.tmp.exe 8->24         started        26 F49B.tmp.exe 1 8->26         started        28 cmd.exe 1 8->28         started        96 github.xn--com-jxb 13->96 98 github.comr 13->98 100 2 other IPs or domains 13->100 146 Antivirus detection for dropped file 13->146 148 Multi AV Scanner detection for dropped file 13->148 150 Machine Learning detection for dropped file 13->150 152 Injects a PE file into a foreign processes 13->152 30 msiexec.exe 13->30         started        32 msiexec.exe 1 13->32         started        102 2 other IPs or domains 15->102 154 Writes to foreign memory regions 15->154 156 Allocates memory in foreign processes 15->156 158 Modifies the context of a thread in another process (thread injection) 15->158 34 msiexec.exe 15->34         started        36 msiexec.exe 15->36         started        38 WerFault.exe 17->38         started        file5 signatures6 process7 dnsIp8 84 2 other IPs or domains 19->84 64 C:\Users\user\AppData\Roaming\waupdat3.exe, PE32+ 19->64 dropped 116 Antivirus detection for dropped file 19->116 118 Multi AV Scanner detection for dropped file 19->118 120 Machine Learning detection for dropped file 19->120 138 6 other signatures 19->138 40 msiexec.exe 1 19->40         started        44 msiexec.exe 1 19->44         started        86 2 other IPs or domains 24->86 122 Detected unpacking (changes PE section rights) 24->122 124 Detected unpacking (overwrites its own PE header) 24->124 126 Contains functionality to steal Internet Explorer form passwords 24->126 46 WerFault.exe 24->46         started        66 C:\Users\user\...\p0B5iEsZwqmwM9Iq.exe, PE32 26->66 dropped 128 Detected unpacking (creates a PE file in dynamic memory) 26->128 130 Drops PE files to the startup folder 26->130 76 127.0.0.1 unknown unknown 28->76 132 Uses ping.exe to check the status of other devices and networks 28->132 48 conhost.exe 28->48         started        50 PING.EXE 1 28->50         started        78 51.254.84.37, 4444, 49766 OVHFR France 30->78 80 pool.minexmr.com 30->80 134 Query firmware table information (likely to detect VMs) 30->134 52 conhost.exe 30->52         started        54 conhost.exe 32->54         started        82 94.130.165.87, 4444, 49769 HETZNER-ASDE Germany 34->82 88 2 other IPs or domains 34->88 56 conhost.exe 34->56         started        58 conhost.exe 36->58         started        file9 136 Detected Stratum mining protocol 82->136 signatures10 process11 dnsIp12 104 88.99.193.240, 4444, 49756 HETZNER-ASDE Germany 40->104 106 pool.minexmr.com 40->106 140 Query firmware table information (likely to detect VMs) 40->140 60 conhost.exe 40->60         started        62 conhost.exe 44->62         started        signatures13 142 Detected Stratum mining protocol 104->142 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4702d094a59e34bc751b502a0e6f72c8689016e102b06b146306460e78e54a5/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-05-17 22:16:25 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yryc2ckklhruxr2rwubkbzxxfsdisalocavqnmkggbsgbz4okssq._file
Verdict:
malicious
Similar samples:
02cc17250b31fad5f305a6336430bc862392b79384acf7523178bb2178c422ce
RaccoonStealer
1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
RaccoonStealer
3f11a6c481b433ce5fa625ae1c43558335c9d281d203f3d5a0653bd2d6053940
RaccoonStealer
451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8
RaccoonStealer
5a72b632fb10f52b61d8a39d1b27b238174130632b328b152648ea45e344339d
RaccoonStealer
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
RaccoonStealer
7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
RaccoonStealer
a034705c6ed17fa615435d02d6419e18ffe9a7f16f1f1c712a657aa1a0d90193
RaccoonStealer
a7b93c2fbb727ed832ef535e78fa66ad027e0ca8c9507ca5001112be967b0fe7
RaccoonStealer
b0fbbee768b77e2fe719f38622b54a01efd763255048374ab0340d56a430325f
RaccoonStealer
+ 914 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:xmrig botnet:e0aa5b6d2491c503baf06d4cfeb218de1cd41474 discovery miner persistence spyware stealer
Link:
https://tria.ge/reports/210521-4j7j7w77ga/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner Payload
Raccoon
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4702d094a59e34bc751b502a0e6f72c8689016e102b06b146306460e78e54a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-21 16:27:39 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0026.002] Data Micro-objective::XOR::Encode Data
2) [C0052] File System Micro-objective::Writes File
3) [C0007] Memory Micro-objective::Allocate Memory
4) [C0040] Process Micro-objective::Allocate Thread Local Storage
5) [C0041] Process Micro-objective::Set Thread Local Storage Value
6) [C0018] Process Micro-objective::Terminate Process