MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4b66c012c3fc7ea1857807a3fba0aa9b5c70d975a3c3152550709aa0d7cb9e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4b66c012c3fc7ea1857807a3fba0aa9b5c70d975a3c3152550709aa0d7cb9e7
SHA3-384 hash: 827388a96e955efadf89e41e9e3003699cfa3a1b5bd332e836192a2bbfa9d3792cafc3fffc01e1f77fc6954c0249e5d3
SHA1 hash: 136bbad1fe5d056c3f7921f2a456740590af0788
MD5 hash: fc06b947ea8808ced38af6df071f1967
humanhash: alabama-moon-victor-thirteen
File name:HDMInstaller.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:912'680 bytes
First seen:2021-02-08 08:36:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:MsJou1xEtMTR2wvqToZf85D2Er6LyGEYy9CZxjgMZ582w+fR0laubWR7G3IMQMTs:Msmu1ziToCLUQrUm0Zqeg4i81j
Threatray 492 similar samples on MalwareBazaar
TLSH 9B15D59D726072EFC857C4729EA81CB4FA6138BB931B4207902715ADDE5D89BCF244F2
Reporter JAMESWT_WT
Tags:RaccoonStealer signed Silvo LLC

Code Signing Certificate

Organisation:Silvo LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-08-20T00:00:00Z
Valid to:2021-08-20T23:59:59Z
Serial number: 56d576a062491ea0a5877ced418203a1
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: b22e022f030cf1e760a7df84d22e78087f3ea2ed262a4b76c8b133871c58213b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HDMInstaller.exe
Verdict:
Malicious activity
Analysis date:
2021-02-08 08:37:08 UTC
Tags:
evasion loader
Link:
https://app.any.run/tasks/0f3512db-f11b-4695-b8c2-1df1132541c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116020/
Detection(s):
Win.Trojan.Dangeroussig-9757373-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/601612
Signature
Binary contains a suspicious time stamp
Binary is likely a compiled AutoIt script file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349820 Sample: HDMInstaller.exe Startdate: 08/02/2021 Architecture: WINDOWS Score: 100 86 telete.in 2->86 92 Multi AV Scanner detection for submitted file 2->92 94 Yara detected Raccoon Stealer 2->94 96 May check the online IP address of the machine 2->96 98 5 other signatures 2->98 11 HDMInstaller.exe 15 5 2->11         started        16 csmrm.exe 2->16         started        18 csmrm.exe 2 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 90 f0511508.xsph.ru 141.8.193.236, 49738, 49762, 49779 SPRINTHOSTRU Russian Federation 11->90 76 C:\Users\user\...\HDMInstaller.exe.log, ASCII 11->76 dropped 110 Injects a PE file into a foreign processes 11->110 112 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->112 22 winapp.exe 13 11->22         started        25 HDMInstaller.exe 5 11->25         started        29 HDMInstaller.exe 11->29         started        78 C:\Users\user\AppData\Local\Temp\winapp.exe, PE32 16->78 dropped 31 WerFault.exe 18->31         started        file6 signatures7 process8 dnsIp9 104 Detected unpacking (changes PE section rights) 22->104 106 Detected unpacking (overwrites its own PE header) 22->106 108 Maps a DLL or memory area into another process 22->108 33 winapp.exe 94 22->33         started        88 iplogger.org 88.99.66.31, 443, 49739 HETZNER-ASDE Germany 25->88 72 C:\Users\user\AppData\Local\Temp\csmrm.exe, PE32 25->72 dropped 74 C:\Users\user\...\csmrm.exe:Zone.Identifier, ASCII 25->74 dropped 38 cmd.exe 1 25->38         started        file10 signatures11 process12 dnsIp13 80 telete.in 195.201.225.248, 443, 49754 HETZNER-ASDE Germany 33->80 82 globalsalespartscn.top 172.67.157.201, 443, 49756 CLOUDFLARENETUS United States 33->82 84 f0511508.xsph.ru 33->84 64 C:\Users\user\AppData\...\0EbdwKbjtL.exe, PE32 33->64 dropped 66 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 33->66 dropped 68 C:\Users\user\AppData\...\vcruntime140.dll, PE32 33->68 dropped 70 57 other files (none is malicious) 33->70 dropped 100 Tries to steal Mail credentials (via file access) 33->100 102 Tries to harvest and steal browser information (history, passwords, etc) 33->102 40 0EbdwKbjtL.exe 33->40         started        42 cmd.exe 33->42         started        44 conhost.exe 38->44         started        46 schtasks.exe 1 38->46         started        48 choice.exe 1 38->48         started        file14 signatures15 process16 process17 50 cmd.exe 40->50         started        52 conhost.exe 42->52         started        54 timeout.exe 42->54         started        process18 56 conhost.exe 50->56         started        58 icacls.exe 50->58         started        60 icacls.exe 50->60         started        62 icacls.exe 50->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4b66c012c3fc7ea1857807a3fba0aa9b5c70d975a3c3152550709aa0d7cb9e7/
Threat name:
Win32.Trojan.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2021-02-07 20:53:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
98
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4s3gyajmh7d6ugcxqb5d7oqkvg24odmxli6dcusva4e2udl4xhtq._file
Verdict:
malicious
Similar samples:
033dd7d02172855d2e61e1dcfae24bdeb9136310503e06bf7079ef78db9422ae
RaccoonStealer
256344eb42537328e034750e996263275e13fe77e4c5edafd4c625b53db07ae3
RaccoonStealer
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
RaccoonStealer
4d8668325ade88f0c153c36d4c01c38900fa11408b24bbe6c65429215e36f007
RaccoonStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
RaccoonStealer
9cc9a90e31f1486a991360c25209f1b08aec5bd7e084de748e73ebef6deca38d
RaccoonStealer
c3c2a6747a34c92023bef1d5abc604f697408e60ee64d1155af7a8c62727e894
RaccoonStealer
c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924
RaccoonStealer
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
RaccoonStealer
da045fcbd63520920626c45655b87da65e0e6cdc26f7bc20dfbfb6f667be9dbf
RaccoonStealer
+ 482 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:0fe6e83cccc8eaef9dd7af9c2e1acf59b514423d ransomware stealer
Link:
https://tria.ge/reports/210208-vc1z2jzvln/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
2e64c466a3b9811aac77876ed41f48a52d4773cdebdfa393f359e77f2228205d
MD5 hash:
1749ea20631f1e50a4274f9a7b20267e
SHA1 hash:
eb294466d7d3980479e9c34f255773df85e2b258
Link:
https://www.unpac.me/results/0fb79a1b-fdd2-46ba-a1f7-dfcd640a7f8c/
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/0fb79a1b-fdd2-46ba-a1f7-dfcd640a7f8c/
SH256 hash:
b1acbf8b5dcc085086640a7df28ff54dd58e2bf84dc40ed3ec1bb52002c866b2
MD5 hash:
2b450fc98b646a943a7d82a3049ba8d0
SHA1 hash:
8066d80308f1d46a2bae299c821cebfe1becdae4
Link:
https://www.unpac.me/results/0fb79a1b-fdd2-46ba-a1f7-dfcd640a7f8c/
SH256 hash:
e4b66c012c3fc7ea1857807a3fba0aa9b5c70d975a3c3152550709aa0d7cb9e7
MD5 hash:
fc06b947ea8808ced38af6df071f1967
SHA1 hash:
136bbad1fe5d056c3f7921f2a456740590af0788
Link:
https://www.unpac.me/results/0fb79a1b-fdd2-46ba-a1f7-dfcd640a7f8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4b66c012c3fc7ea1857807a3fba0aa9b5c70d975a3c3152550709aa0d7cb9e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cert_blocklist_56d576a062491ea0a5877ced418203a1
Create hunting rule
Author:ReversingLabs
Description:Certificate used for digitally signing malware.
Rule name:INDICATOR_KB_CERT_56d576a062491ea0a5877ced418203a1
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe e4b66c012c3fc7ea1857807a3fba0aa9b5c70d975a3c3152550709aa0d7cb9e7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/994807/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116020/

Comments