MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0b4ea79bfa3aad2d6343a52811b837c45229253cda7abb26b4df2107ab52d58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

SHA256 hash: d0b4ea79bfa3aad2d6343a52811b837c45229253cda7abb26b4df2107ab52d58
SHA3-384 hash: afc5e0953285455d17d0db47b41ad1b3438ec6e77a5dbcdc2f06790335a4c7b397386157554a956b5ae3171df7746894
SHA1 hash: fcd70c339f3761e987894fa59cfb6f7237e92a56
MD5 hash: b3e9f226fa3385d959d9c9c7572e919f
humanhash: moon-violet-stream-low
File name: b3e9f226fa3385d959d9c9c7572e919f.exe
Signature: RaccoonStealer
File size: 1'604'096 bytes
First seen: 2021-03-08 13:55:43 UTC
Last seen: 2021-03-08 16:03:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger). This is the import hash shared by every .NET executable whose only native import is mscoree.dll!_CorExeMain, so the cross-family counts reflect the common .NET loader stub rather than any relationship between the families; it is not a useful pivot for this sample.
ssdeep: 24576:IaRaQxcx4mYWWqeUayGz+u2PVtoE2LObxC4CTK8:I1QxcWUzGzVE2UU4CT
Threatray: 375 similar samples on MalwareBazaar
TLSH: 88759C0EBFA4BF56D11A0F7A8907811882F9C563A333F34F79D06CE229227894E5F556
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 113
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: b3e9f226fa3385d959d9c9c7572e919f.exe
Verdict: Malicious activity
Analysis date: 2021-03-08 13:58:05 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Creating a process with a hidden window
Running batch commands
Launching a process
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Binary is likely a compiled AutoIt script file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph ID: 364591
Sample: ehZRj5xO98.exe
Start date: 08/03/2021
Architecture: WINDOWS
Score: 96

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process that produced them; the source ports are the sandbox client's ephemeral ports):

ehZRj5xO98.exe
    dropped: C:\Users\user\AppData\...\AddInProcess32.exe (PE32)
    dropped: C:\Users\user\AppData\...\ehZRj5xO98.exe.log (ASCII)
    signatures: Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
    AddInProcess32.exe
        network: telete.in 195.201.225.248:443 (HETZNER-AS, DE, Germany), source port 49714
        network: thereisnoscheme.top 35.232.94.42:443 (GOOGLE, US, United States), source ports 49721, 49722
        network: 2 other IPs or domains
        dropped: C:\Users\user\AppData\...\q9IUSIut2I.exe (PE32)
        dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32)
        dropped: C:\Users\user\AppData\...\ucrtbase.dll (PE32)
        dropped: 56 other files (none is malicious)
        signatures: Tries to steal Mail credentials (via file access)
        q9IUSIut2I.exe
            signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
            q9IUSIut2I.exe (second instance, started by the first)
                network: iplogger.org 88.99.66.31:443 (HETZNER-AS, DE, Germany), source port 49735
                cmd.exe
                    conhost.exe
                    icacls.exe
                    icacls.exe
                    icacls.exe
        cmd.exe
            conhost.exe
            timeout.exe
libmfxsw32.exe
libmfxsw32.exe
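The sandbox tree above reads as a chain of concrete, checkable behaviours: a dropped PE is executed from a user-writable directory, the dropper writes into the child it just created, the downloaded file's zone.identifier stream is removed, the second stage resolves and connects to the listed domains and IPs, and cmd.exe is spawned out of an AppData-resident parent to run timeout.exe and icacls.exe. The following triage pass, added here as an example and not code from MalwareBazaar or from either sandbox, turns each of those behaviours into a rule and runs them over a constructed, Sysmon-like event trace. The network indicators are the ones listed on this page; the event schema, the event sequence, the benign control process and the full file paths under AppData (the page shows them elided) are assumptions made for the example.

```python
"""Triage constructed endpoint telemetry against the behaviours in this entry.

Added example; not MalwareBazaar, ANY.RUN or Joe Sandbox code. The event
schema and every event in EVENTS are constructed. Network indicators and
file names come from the sandbox process tree on the page; the full paths
under AppData are assumptions (the page elides them).
"""

# Domains and IPs the sandbox saw the dropped stages contact (from this page).
NETWORK_IOCS = {
    "telete.in", "195.201.225.248",
    "thereisnoscheme.top", "35.232.94.42",
    "iplogger.org", "88.99.66.31",
}

# Directories a low-privilege user can write to; execution and cmd.exe
# lineage out of these is what the sandbox behaviours above describe.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")

# Constructed Sysmon-like trace (simplified). Command-line arguments are not
# recorded on the page, so the rules below key only on image paths.
EVENTS = [
    {"ev": "process_create", "pid": 10, "ppid": 1,
     "image": r"C:\Users\user\Downloads\ehZRj5xO98.exe"},
    # "Hides that the sample has been downloaded from the Internet"
    {"ev": "file_delete", "pid": 10,
     "path": r"C:\Users\user\Downloads\ehZRj5xO98.exe:Zone.Identifier"},
    {"ev": "file_create", "pid": 10,
     "path": r"C:\Users\user\AppData\Roaming\AddInProcess32.exe"},
    {"ev": "process_create", "pid": 18, "ppid": 10,
     "image": r"C:\Users\user\AppData\Roaming\AddInProcess32.exe"},
    # "Writes to foreign memory regions" / "Injects a PE file into a foreign process"
    {"ev": "remote_thread", "pid": 10, "target_pid": 18},
    {"ev": "dns_query", "pid": 18, "query": "telete.in"},
    {"ev": "net_connect", "pid": 18, "dst": "35.232.94.42", "dport": 443},
    {"ev": "file_create", "pid": 18,
     "path": r"C:\Users\user\AppData\Roaming\q9IUSIut2I.exe"},
    {"ev": "process_create", "pid": 23, "ppid": 18,
     "image": r"C:\Users\user\AppData\Roaming\q9IUSIut2I.exe"},
    {"ev": "process_create", "pid": 26, "ppid": 18,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ev": "process_create", "pid": 33, "ppid": 26,
     "image": r"C:\Windows\System32\timeout.exe"},
    {"ev": "process_create", "pid": 35, "ppid": 23,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ev": "process_create", "pid": 39, "ppid": 35,
     "image": r"C:\Windows\System32\icacls.exe"},
    # Benign control (constructed): a Program Files binary resolving an unrelated name.
    {"ev": "process_create", "pid": 90, "ppid": 1,
     "image": r"C:\Program Files\Browser\browser.exe"},
    {"ev": "dns_query", "pid": 90, "query": "example.com"},
]


def triage(events):
    """Return sorted (rule, pid) findings; each rule maps to a page behaviour."""
    findings = set()
    created = set()   # lower-cased paths written earlier in the trace
    procs = {}        # pid -> its process_create event
    for e in events:
        kind = e["ev"]
        if kind == "file_create":
            created.add(e["path"].lower())
        elif kind == "file_delete" and e["path"].lower().endswith(":zone.identifier"):
            findings.add(("zone_identifier_removed", e["pid"]))
        elif kind == "process_create":
            procs[e["pid"]] = e
            img = e["image"].lower()
            if img in created:   # "Creating a process from a recently created file"
                findings.add(("exec_of_dropped_file", e["pid"]))
            parent = procs.get(e["ppid"])
            # "Running batch commands" from a binary living in %AppData% or %temp%
            if (img.endswith("\\cmd.exe") and parent
                    and any(d in parent["image"].lower() for d in USER_WRITABLE)):
                findings.add(("cmd_from_user_writable_parent", e["pid"]))
        elif kind == "remote_thread":
            tgt = procs.get(e["target_pid"])
            if tgt and tgt["ppid"] == e["pid"]:   # injection into a child it just spawned
                findings.add(("inject_into_own_child", e["pid"]))
        elif kind in ("dns_query", "net_connect"):
            if e.get("query", e.get("dst")) in NETWORK_IOCS:
                findings.add(("known_c2_indicator", e["pid"]))
    return sorted(findings)


def flagged_pids(events):
    """Process IDs that produced at least one finding."""
    return {pid for _, pid in triage(events)}


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:32} pid={pid}")
```

The "exec of dropped file" and "inject into own child" rules are the two worth keeping in a real pipeline: they describe the dropper-to-stage-two handoff regardless of file names, whereas the domain and IP set is specific to this campaign and goes stale quickly. The zone.identifier rule needs a telemetry source that records alternate data stream deletion (Sysmon file-delete events with stream names, or a kernel file filter); plain process auditing will not see it.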
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-03-07 16:11:03 UTC
AV detection: 16 of 47 (34.04%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:0af651a4bbdfb570b08cae586e11f04751033448 stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Raccoon
Unpacked files
SHA256 hash: d0b4ea79bfa3aad2d6343a52811b837c45229253cda7abb26b4df2107ab52d58
MD5 hash: b3e9f226fa3385d959d9c9c7572e919f
SHA1 hash: fcd70c339f3761e987894fa59cfb6f7237e92a56
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: RaccoonStealer
File: Executable exe d0b4ea79bfa3aad2d6343a52811b837c45229253cda7abb26b4df2107ab52d58 (this sample)
