MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e41aed6074d680185b632966edaa41496aebf79def64a6ebadf3e3706fa2eded. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e41aed6074d680185b632966edaa41496aebf79def64a6ebadf3e3706fa2eded
SHA3-384 hash: 1ea00d654ba8e0032cffb610d6d2303de85f421478a66e5036dfb6b3e3e819bb9dee14fc5f5c9cb6ec5d20fe01855b8b
SHA1 hash: 71725fdd14b27f04b5a68ec3518a1d8d67d0c464
MD5 hash: 8e6dc50d58102bcd7003af90d629e7b3
humanhash: floor-east-crazy-ack
File name:71725fdd14b27f04b5a68ec3518a1d8d67d0c464.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:273'408 bytes
First seen:2021-08-19 17:41:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e13582e50ecb7af95558f57b919f6a34 (2 x RaccoonStealer, 1 x DanaBot)
ssdeep 3072:mio82AGb5hfTV1B/qe+PlfE2moxPozoOh7IAJDSAR5YyDyJlBNIOR7QuKT0yB3G+:Nwp1Bh+l8D8QodYDSAR5YyDCLWlu
TLSH T1A144E12273D2D1B3C097053844A2FBE196A9BD81E721C2572B597A6F1F723D1933638B
dhash icon 1ee2d89c6cbcb0c2 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.135.32.61/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://34.135.32.61/ https://threatfox.abuse.ch/ioc/192233/

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e4
Verdict:
Malicious activity
Analysis date:
2021-08-17 08:28:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fda03476-d34f-4d7c-a3ea-4f3da1d3da52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180756/
Detection(s):
Win.Dropper.Jaik-9886586-0
Create hunting rule

Win.Malware.Generic-9886591-0
Create hunting rule

Win.Malware.Glupteba-9886621-1
Create hunting rule

Win.Packed.Generic-9886967-0
Create hunting rule

Win.Packed.Generic-9887016-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Connection attempt to an infection source
Sending an HTTP POST request
Sending a UDP request
Creating a file
Reading critical registry keys
Sending a custom TCP request
Searching for the window
Creating a window
Delayed reading of the file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file in the Program Files subdirectories
Launching cmd.exe command interpreter
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/112061eb-1dd0-4ed9-b2d2-6f023802f5d8
Result
Threat name:
Cryptbot Glupteba Raccoon
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835957
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample or dropped binary is a compiled AutoHotkey binary
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Autohotkey Downloader Generic
Yara detected Cryptbot
Yara detected Evader
Yara detected Glupteba
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468388 Sample: RJ7W5fGpRN.exe Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 78 fYkRnLiyNmVjHRcBr.fYkRnLiyNmVjHRcBr 2->78 102 Multi AV Scanner detection for domain / URL 2->102 104 Found malware configuration 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 10 other signatures 2->108 10 RJ7W5fGpRN.exe 26 2->10         started        signatures3 process4 dnsIp5 96 hypercustom.top 194.87.236.205, 49720, 49721, 49733 MTW-ASRU Russian Federation 10->96 98 sarfri06.top 45.130.151.13, 49715, 49716, 49717 MARKTELRU Russian Federation 10->98 100 4 other IPs or domains 10->100 70 C:\Users\user\AppData\...\81247140184.exe, PE32 10->70 dropped 72 C:\Users\user\AppData\...\65364519078.exe, PE32 10->72 dropped 74 C:\Users\user\AppData\...\43856181049.exe, PE32 10->74 dropped 76 6 other files (none is malicious) 10->76 dropped 124 May check the online IP address of the machine 10->124 15 cmd.exe 10->15         started        17 cmd.exe 10->17         started        19 cmd.exe 10->19         started        21 10 other processes 10->21 file6 signatures7 process8 dnsIp9 25 65364519078.exe 15->25         started        30 conhost.exe 15->30         started        32 81247140184.exe 17->32         started        34 conhost.exe 17->34         started        36 43856181049.exe 19->36         started        38 conhost.exe 19->38         started        80 192.168.2.1 unknown unknown 21->80 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->50 dropped 52 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->52 dropped 54 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->54 dropped 56 6 other malicious files 21->56 dropped 40 conhost.exe 21->40         started        42 taskkill.exe 21->42         started        file10 process11 dnsIp12 82 telete.in 195.201.225.248, 443, 49719 HETZNER-ASDE Germany 25->82 84 34.135.32.61, 49724, 80 ATGS-MMD-ASUS United States 25->84 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 25->58 dropped 60 C:\Users\user\AppData\...\vcruntime140.dll, PE32 25->60 dropped 62 C:\Users\user\AppData\...\ucrtbase.dll, PE32 25->62 dropped 68 56 other files (none is malicious) 25->68 dropped 110 Detected unpacking (changes PE section rights) 25->110 112 Tries to steal Mail credentials (via file access) 25->112 114 Contains functionality to steal Internet Explorer form passwords 25->114 44 cmd.exe 25->44         started        86 hypercustom.top 32->86 88 iplogger.org 32->88 116 May check the online IP address of the machine 32->116 118 Creates HTML files with .exe extension (expired dropper behavior) 32->118 120 Sample or dropped binary is a compiled AutoHotkey binary 32->120 90 knuxiq42.top 213.252.245.216, 49736, 80 IST-ASLT Lithuania 36->90 92 morumd04.top 142.11.209.158, 49738, 80 HOSTWINDSUS United States 36->92 94 3 other IPs or domains 36->94 64 C:\Users\user\AppData\Local\Temp\Filett.exe, PE32 36->64 dropped 66 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 36->66 dropped 122 Tries to harvest and steal browser information (history, passwords, etc) 36->122 file13 signatures14 process15 process16 46 conhost.exe 44->46         started        48 timeout.exe 44->48         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e41aed6074d680185b632966edaa41496aebf79def64a6ebadf3e3706fa2eded/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 01:18:43 UTC
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qno2ydu22abqw3dffto3ksbjfvox54555skn25n6prxa35c5xwq._file
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:danabot family:raccoon botnet:00bdd6858c3856861f0d81937643f61ec7429443 botnet:4 banker discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/210819-zdtk4j694j/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Danabot
Danabot Loader Component
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
knuxiq42.top
morumd04.top
23.229.29.48:443
152.89.247.31:443
192.210.222.81:443
Unpacked files
SH256 hash:
119510d0f994a0c798ee95315bd95aac4fb77cca93b3eeb9968dd0add21c69ac
MD5 hash:
dcb8e1397386ce5476bb692769c0f8aa
SHA1 hash:
8b8b8d9b25560816f3dfb7667202007fba4856e4
Link:
https://www.unpac.me/results/5aab69a3-b665-4117-8934-11a8d0e77baa/
SH256 hash:
e41aed6074d680185b632966edaa41496aebf79def64a6ebadf3e3706fa2eded
MD5 hash:
8e6dc50d58102bcd7003af90d629e7b3
SHA1 hash:
71725fdd14b27f04b5a68ec3518a1d8d67d0c464
Link:
https://www.unpac.me/results/5aab69a3-b665-4117-8934-11a8d0e77baa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e41aed6074d680185b632966edaa41496aebf79def64a6ebadf3e3706fa2eded

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180756/

Comments