MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb37fca86de8379826ad03e0aec2cb160b072a07e57b0090c67648c7602edd54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb37fca86de8379826ad03e0aec2cb160b072a07e57b0090c67648c7602edd54
SHA3-384 hash: 2aa7393452dbc61f223b5acd5d1735e8c498cb5a93ce8b3c8643a6d4a481cb027ab37007b0ed7d4a1773eecee1f09128
SHA1 hash: 44dba002891c289a4b6f3786ee6ffb78f36cf905
MD5 hash: 8a68b15e1ac9fb79edb7234c4c3a3d15
humanhash: mango-tango-dakota-wisconsin
File name:8a68b15e1ac9fb79edb7234c4c3a3d15.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:265'728 bytes
First seen:2021-09-23 21:36:32 UTC
Last seen:2021-09-23 22:53:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd54f7a5d3fe7d557a4db8d0fab1e2c4 (1 x RaccoonStealer)
ssdeep 6144:uvBMpH/y7NvD29N0Nj2VaG8FhqA3fJN4pzsaaHqrs5:QMpfaD1Nj2VaGyhqAPT4pyAe
Threatray 7 similar samples on MalwareBazaar
TLSH T12D44F54021E078FCE6EB3A32E35AD1194D1BBE620E179B2B174C03B7A633C974EA7555
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.112/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.112/ https://threatfox.abuse.ch/ioc/225891/

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cracknet.net
Verdict:
Malicious activity
Analysis date:
2021-09-18 13:42:20 UTC
Tags:
evasion trojan rat azorult stealer fareit pony redline raccoon loader opendir vidar
Link:
https://app.any.run/tasks/f78f30fa-6ce0-4e48-9c08-eebf630b890f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190908/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.15155.29117.17281.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f106ba5-08ec-41de-9600-9b0650da3195
Result
Threat name:
Raccoon RedLine Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856941
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489370 Sample: ZamCfP5Dev.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 77 185.199.110.154, 443, 49813, 49819 FASTLYUS Netherlands 2->77 79 pool.minexmr.com 2->79 81 4 other IPs or domains 2->81 111 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->111 113 Sigma detected: Xmrig 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 7 other signatures 2->117 9 ZamCfP5Dev.exe 38 2->9         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 105 ip-api.com 208.95.112.1, 49760, 80 TUT-ASUS United States 9->105 107 evaexpand.com 185.92.244.225, 443, 49761, 49762 PROFESIONALHOSTINGES Spain 9->107 109 2 other IPs or domains 9->109 69 C:\Users\user\AppData\Roaming\55B4.tmp.exe, PE32+ 9->69 dropped 71 C:\Users\user\AppData\Roaming\5006.tmp.exe, PE32 9->71 dropped 73 C:\Users\user\AppData\Roaming\4B23.tmp.exe, PE32 9->73 dropped 75 5 other files (1 malicious) 9->75 dropped 151 May check the online IP address of the machine 9->151 153 Self deletion via cmd delete 9->153 155 Contains functionality to inject code into remote processes 9->155 20 370D.tmp.exe 80 9->20         started        25 55B4.tmp.exe 1 15 9->25         started        27 4B23.tmp.exe 9->27         started        31 2 other processes 9->31 29 WerFault.exe 14->29         started        file6 signatures7 process8 dnsIp9 93 194.180.174.112, 49778, 80 MIVOCLOUDMD unknown 20->93 95 t.me 149.154.167.99, 443, 49775 TELEGRAMRU United Kingdom 20->95 57 C:\Users\user\AppData\...\vcruntime140.dll, PE32 20->57 dropped 59 C:\Users\user\AppData\...\ucrtbase.dll, PE32 20->59 dropped 61 C:\Users\user\AppData\...\softokn3.dll, PE32 20->61 dropped 67 56 other files (none is malicious) 20->67 dropped 127 Detected unpacking (changes PE section rights) 20->127 129 Detected unpacking (overwrites its own PE header) 20->129 131 Tries to steal Mail credentials (via file access) 20->131 33 cmd.exe 20->33         started        97 github.com 140.82.121.3, 443, 49784, 49801 GITHUBUS United States 25->97 99 github-releases.githubusercontent.com 185.199.108.154, 443, 49788, 49802 FASTLYUS Netherlands 25->99 103 2 other IPs or domains 25->103 63 C:\Users\user\AppData\Roaming\mmsupdate.exe, PE32+ 25->63 dropped 133 Writes to foreign memory regions 25->133 135 Allocates memory in foreign processes 25->135 137 Modifies the context of a thread in another process (thread injection) 25->137 35 msiexec.exe 25->35         started        39 msiexec.exe 25->39         started        139 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->139 141 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->141 143 Injects a PE file into a foreign processes 27->143 41 4B23.tmp.exe 15 32 27->41         started        43 WerFault.exe 27->43         started        101 127.0.0.1 unknown unknown 31->101 65 C:\Users\user\...\Pgb4y7nVvHBO0lL0.exe, PE32 31->65 dropped 145 Detected unpacking (creates a PE file in dynamic memory) 31->145 147 Drops PE files to the startup folder 31->147 149 Uses ping.exe to check the status of other devices and networks 31->149 45 conhost.exe 31->45         started        47 PING.EXE 31->47         started        file10 signatures11 process12 dnsIp13 49 conhost.exe 33->49         started        51 timeout.exe 33->51         started        83 178.32.120.127, 4444, 49807, 49820 OVHFR France 35->83 85 pool.minexmr.com 35->85 119 Query firmware table information (likely to detect VMs) 35->119 53 conhost.exe 39->53         started        87 190.2.145.79, 49806, 80 WORLDSTREAMNL Curacao 41->87 89 api.ip.sb 41->89 121 Tries to harvest and steal browser information (history, passwords, etc) 41->121 123 Tries to steal Crypto Currency Wallets 41->123 55 conhost.exe 41->55         started        91 192.168.2.1 unknown unknown 43->91 signatures14 125 Detected Stratum mining protocol 83->125 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb37fca86de8379826ad03e0aec2cb160b072a07e57b0090c67648c7602edd54/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-09-12 05:32:21 UTC
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zm37zkdn5a3zqjvnapqk5qwlcyfqokqh4v5qbeggozemoybo3vka._file
Verdict:
malicious
Similar samples:
4dec399c785ed12108ec1f383345ca6bccf12542d2037ee0d6bee4945fd71fd4
RaccoonStealer
63e0de17e72273ad3de48d28086d7753d537a1ab22e600858818dd11f05c52fd
RaccoonStealer
710f00304004fe991c085c99ef5f98558bb5ef145aa5c0855ce2c0e091aa4743
RaccoonStealer
96b32cf057284f68cfca119a9560954ee76f9a7f7634e545c15d9b3b70566bbb
RaccoonStealer
ad22b1e690fac416da97d49ff6a14c7f5ef7804bfadabff993e7bf9d2570c1fa
RaccoonStealer
c4702d094a59e34bc751b502a0e6f72c8689016e102b06b146306460e78e54a5
RaccoonStealer
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/210923-1ggk2sfcal/
Behaviour
Modifies system certificate store
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unpacked files
SH256 hash:
cb37fca86de8379826ad03e0aec2cb160b072a07e57b0090c67648c7602edd54
MD5 hash:
8a68b15e1ac9fb79edb7234c4c3a3d15
SHA1 hash:
44dba002891c289a4b6f3786ee6ffb78f36cf905
Link:
https://www.unpac.me/results/a52f5f07-024a-49cf-805a-bc044536076f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cb37fca86de8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb37fca86de8379826ad03e0aec2cb160b072a07e57b0090c67648c7602edd54

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190908/

Comments