MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d794e006d6b517389745d3245e17e91771724786ed0a1c0e0f5bac1de66534a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d794e006d6b517389745d3245e17e91771724786ed0a1c0e0f5bac1de66534a9
SHA3-384 hash: fad3d29d295bf32a03dd1aca41e51c774bab200be0954bc5833ae9bdb35dea19754a8625bac55e6580b4b9d74d0dc8a7
SHA1 hash: c1a6ac7eb0bc39f4b9ca55bd17da4b4b724758ef
MD5 hash: 657d1e46f2f6508ed4b3db797b28df1c
humanhash: utah-montana-earth-xray
File name:D794E006D6B517389745D3245E17E91771724786ED0A1.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:35'555'538 bytes
First seen:2021-08-31 12:55:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 786432:nN3V9hSTeLihOkpSTkNJIp2YSXQbrhZe7NKUiw0elKZn6N+/i:nFV9hSTOiXpSuIpLzrGxKE1NR
Threatray 143 similar samples on MalwareBazaar
TLSH T1A3773337736AA039D0791F3403A25512DEB7E6689D976F1A29B0C09DCF390D30D3AA5B
dhash icon 70f2869797c6f270 (2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.120/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.120/ https://threatfox.abuse.ch/ioc/203162/

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
D794E006D6B517389745D3245E17E91771724786ED0A1.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-31 16:15:23 UTC
Tags:
installer
Link:
https://app.any.run/tasks/fd662425-3b03-4bb6-951d-9c23255c0bda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Sending a UDP request
Deleting a recently created file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
40 / 100
Link:
https://www.joesandbox.com/analysis/842630
Signature
Antivirus / Scanner detection for submitted sample
Detected VMProtect packer
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is protected by VMProtect
Sample uses process hollowing technique
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 475060 Sample: D794E006D6B517389745D3245E1... Startdate: 31/08/2021 Architecture: WINDOWS Score: 40 70 173.255.195.56 LINODE-APLinodeLLCUS United States 2->70 72 142.250.181.237 GOOGLEUS United States 2->72 74 19 other IPs or domains 2->74 82 Antivirus / Scanner detection for submitted sample 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 2 other signatures 2->88 10 D794E006D6B517389745D3245E17E91771724786ED0A1.exe 2 2->10         started        13 svchost.exe 1 2->13         started        15 svchost.exe 1 2->15         started        17 svchost.exe 1 2->17         started        signatures3 process4 file5 54 D794E006D6B5173897...1771724786ED0A1.tmp, PE32 10->54 dropped 19 D794E006D6B517389745D3245E17E91771724786ED0A1.tmp 5 14 10->19         started        process6 file7 44 C:\...\is-0GD2P.tmp, PE32 19->44 dropped 46 C:\...\aFCDKiW1DOxXjGm.exe (copy), PE32 19->46 dropped 48 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 19->48 dropped 50 2 other files (none is malicious) 19->50 dropped 22 setup UltData.exe 2 19->22         started        25 aFCDKiW1DOxXjGm.exe 13 19->25         started        process8 file9 52 C:\Users\user\AppData\...\setup UltData.tmp, PE32 22->52 dropped 28 setup UltData.tmp 30 518 22->28         started        90 Maps a DLL or memory area into another process 25->90 92 Sample uses process hollowing technique 25->92 signatures10 process11 dnsIp12 76 208.95.112.1 TUT-ASUS United States 28->76 78 8.8.8.8 GOOGLEUS United States 28->78 80 2 other IPs or domains 28->80 56 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 28->56 dropped 58 C:\Users\user\AppData\...\SoftwareLog1.dll, PE32 28->58 dropped 60 C:\...\zlibwapi.dll (copy), PE32 28->60 dropped 62 172 other files (none is malicious) 28->62 dropped 32 UltData.exe 6 74 28->32         started        file13 process14 dnsIp15 64 142.250.185.238 GOOGLEUS United States 32->64 66 104.21.56.69 CLOUDFLARENETUS United States 32->66 68 3 other IPs or domains 32->68 36 C:\Users\user\AppData\...\msvcr120.dll, PE32 32->36 dropped 38 C:\Users\user\AppData\...\msvcp120.dll, PE32 32->38 dropped 40 C:\Users\user\AppData\Roaming\...\log4net.dll, PE32 32->40 dropped 42 11 other files (none is malicious) 32->42 dropped file16
Gathering data
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 01:11:09 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=26koabwwwultrf2f2msf4f7jc5yxer4g5ufbydqplowb3ztfgsuq._file
Verdict:
malicious
Similar samples:
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
RaccoonStealer
36dbd261a7559865cd8fcf4b437758e113c89cfd05dda604a646f343dda2abe6
RaccoonStealer
43fd44a53e16097ae8b813e48be98cddfce369cd515efa1383fd0ea0b5a4c0bc
RaccoonStealer
4bb96e7c641e9f343965704cf4e7327e4448b83fc97cf1766f82ce61ac54d48a
RaccoonStealer
55b8487b8a8ca2990bdc80cdce9c5006ae886dfcba120679ac2df2078f7e0050
RaccoonStealer
7130f3050718b8dc5bcf760bf129dc68da5285d058d59d27ae3f2c667c7a8809
RaccoonStealer
9de4c4ea8541a897ad40111d20ef352dcf686ba20b008c15e80ab373e0ca068d
RaccoonStealer
a21bb77cbf31a4d7221c1d831b120f285c9e1dd20098313fa7ccd3f7d7138f2d
RaccoonStealer
+ 133 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:3d83c8094c6b459cebcc2b5d02b97f18b6ef7f1e stealer
Link:
https://tria.ge/reports/210831-f1dw4h5cwj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Raccoon
Raccoon Stealer Payload
Malware family:
Raccoon v1.7
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d794e006d6b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d794e006d6b517389745d3245e17e91771724786ed0a1c0e0f5bac1de66534a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments