MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfb78b2b8225b4e1d3533d0ab95357870780c5c6f4dc156381df2c9643874d19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfb78b2b8225b4e1d3533d0ab95357870780c5c6f4dc156381df2c9643874d19
SHA3-384 hash: 0d86b8f1e50e8cdd07a64fc34f9c19b5e7cb282d23a18c76054f16b11d006d5f247c126d8c9a10c7fa2d7d49515bdd6d
SHA1 hash: 9d6231b9a6486801fd10edf4aa2d1219e4c753b9
MD5 hash: b3d831056b7b55304a06d7e0bfafbd44
humanhash: edward-mississippi-ten-lactose
File name:b3d831056b7b55304a06d7e0bfafbd44
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'066'288 bytes
First seen:2021-11-04 12:32:31 UTC
Last seen:2021-11-04 16:05:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94e2b0572ac9e87d08b3c525a2cff4f7 (16 x RedLineStealer, 4 x RaccoonStealer, 2 x ArkeiStealer)
ssdeep 49152:NIZ3h4Di8Erl4utXqCSNZoP9mRANx1ctd:NIT4Dilrl4uhqliGO
Threatray 2'415 similar samples on MalwareBazaar
TLSH T1FBA53342CEB6DCB5D78FB7F14622DBC306A8F3D4880014A8697BA4926D87E3D573C586
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b3d831056b7b55304a06d7e0bfafbd44
Verdict:
Malicious activity
Analysis date:
2021-11-04 13:32:33 UTC
Tags:
trojan stealer raccoon loader opendir
Link:
https://app.any.run/tasks/c0798edb-4f25-4ba5-8154-50341304fa66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/202317/
Detection(s):
SecuriteInfo.com.Variant.Zusy.405808.8373.2583.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed racealer virus zusy
Link:
https://www.filescan.io/uploads/6183d3008eec3805367db1eb/reports/14bff77f-4da3-4cab-9e6c-7d8efa04dcb8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d5c7ffc-34ca-465e-936d-0f77e8954215
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/883159
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 515591 Sample: lVelRP8iAb Startdate: 04/11/2021 Architecture: WINDOWS Score: 100 53 www.google.com 2->53 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Found malware configuration 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 5 other signatures 2->79 11 lVelRP8iAb.exe 2->11         started        signatures3 process4 signatures5 89 Query firmware table information (likely to detect VMs) 11->89 91 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 11->91 93 Writes to foreign memory regions 11->93 95 3 other signatures 11->95 14 AppLaunch.exe 84 11->14         started        19 WerFault.exe 23 9 11->19         started        process6 dnsIp7 55 91.219.236.97, 49736, 49776, 80 SERVERASTRA-ASHU Hungary 14->55 57 teleliver.top 104.21.62.135, 49735, 80 CLOUDFLARENETUS United States 14->57 59 62.109.25.138, 49777, 80 THEFIRST-ASRU Russian Federation 14->59 43 C:\Users\user\AppData\...\qidc4wQ0a1.exe, PE32 14->43 dropped 45 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 14->45 dropped 47 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 14->47 dropped 51 58 other files (1 malicious) 14->51 dropped 63 Tries to steal Mail credentials (via file / registry access) 14->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 14->65 67 Tries to harvest and steal browser information (history, passwords, etc) 14->67 69 2 other signatures 14->69 21 qidc4wQ0a1.exe 14->21         started        24 TxjJQOKgvR.exe 8 14->24         started        61 192.168.2.1 unknown unknown 19->61 49 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->49 dropped file8 signatures9 process10 file11 81 Query firmware table information (likely to detect VMs) 21->81 83 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->83 85 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 21->85 87 4 other signatures 21->87 27 AppLaunch.exe 2 21->27         started        30 WerFault.exe 19 9 21->30         started        39 C:\Users\user\AppData\...\Louisianian.exe, PE32+ 24->39 dropped 32 Louisianian.exe 24->32         started        signatures12 process13 file14 41 C:\Users\user\AppData\...\fodhelper.exe, PE32 27->41 dropped 35 schtasks.exe 1 27->35         started        71 Detected unpacking (changes PE section rights) 32->71 signatures15 process16 process17 37 conhost.exe 35->37         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfb78b2b8225b4e1d3533d0ab95357870780c5c6f4dc156381df2c9643874d19/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-04 01:11:49 UTC
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
RaccoonStealer
13f9f1b052c5d540b5dfa64f9eafcb962163d3649d222bbb8690182741622420
RaccoonStealer
2232ded5541847acb7f73006ebe047b9008b4876f90590d9ffd324360f785037
RaccoonStealer
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
RaccoonStealer
9a1f36511ec56cbf0cf30080cdc11d8f261823079838cedd5ce0e6391ec815ef
RaccoonStealer
c3f8d6b3e497471cc5e1526d59f7068f0655704f98dca59d79a77b81f1cb7fd5
RaccoonStealer
dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90
RaccoonStealer
e9937b021c7034a3099202be72b2027920c919d62976a4a62dc5488d6914b697
RaccoonStealer
+ 2'405 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:d4b86a602f26f8f672683c44bb846cf98ddf234a evasion stealer trojan
Link:
https://tria.ge/reports/211104-pq7ytagfa6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
cffb702ac0f48fb9dd5c7fae0c09a848d132e6240009d05bb01836bed381cfff
MD5 hash:
b45e173bf1d3ca6094bc9b6a16795fa2
SHA1 hash:
127cecd459a51d62dcfad4e671d6dd34752efa14
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/48be8882-62f3-4637-8a5f-974b1d1c0d1d/
SH256 hash:
dfb78b2b8225b4e1d3533d0ab95357870780c5c6f4dc156381df2c9643874d19
MD5 hash:
b3d831056b7b55304a06d7e0bfafbd44
SHA1 hash:
9d6231b9a6486801fd10edf4aa2d1219e4c753b9
Link:
https://www.unpac.me/results/48be8882-62f3-4637-8a5f-974b1d1c0d1d/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dfb78b2b8225/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dfb78b2b8225b4e1d3533d0ab95357870780c5c6f4dc156381df2c9643874d19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe dfb78b2b8225b4e1d3533d0ab95357870780c5c6f4dc156381df2c9643874d19

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1751297/
Cape
Cape
https://www.capesandbox.com/analysis/202317/

Comments


Avatar
zbet commented on 2021-11-04 12:32:32 UTC

url : hxxp://host-host-file6.com/files/2939_1635967838_5945.exe