MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5990480cda6207bf008957ae5a3fa3debe6303fd19c3babc3f2223bf769479c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 10



SHA256 hash: e5990480cda6207bf008957ae5a3fa3debe6303fd19c3babc3f2223bf769479c
SHA3-384 hash: 2272e7faddc6a11fb434321eda92d6052942cc072c19e049a3a23f5ec139c602fb12f4534c571cfb52d4dd7c60d2350e
SHA1 hash: 8eadece945d635093c04a9d871ea0ead59d8e89f
MD5 hash: 356dc1680475998c7c23e199f2c2e9ca
humanhash: six-music-three-july
File name: C++ Dropper.exe
Signature: RaccoonStealer
File size: 18'432 bytes
First seen: 2021-04-12 06:36:59 UTC
Last seen: 2021-04-12 09:55:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 68c97f4638ec4d8784dccbf5cd2aa30e (1 x RaccoonStealer)
ssdeep: 384:XbRIvCAcTljSxyW79lxqZQC7ZHLh2jSVe0J7OseTe:3jSxykxqhZHLZVnJ7OxTe
Threatray: 184 similar samples on MalwareBazaar
TLSH: B482F643BE928B62C52545781872DAF580BEB535AF2503DFF7D04E2A021D5E1AC36D2F
Reporter: JAMESWT_WT
Tags: RaccoonStealer
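Before working from any of the hashes above, confirm that the file in hand is the one this entry describes. The block below is an added example, not MalwareBazaar's code: it computes the four digests the entry publishes in a single pass over the file and reports, per algorithm, whether the local file matches; a size check catches truncated downloads. The digests are copied from this entry; the default local filename and the chunk size are assumptions.

```python
"""Verify a local file against the digests published for this MalwareBazaar entry.

Added example, not MalwareBazaar's code. Hashing is done in chunks so the same
loop works for large dumps, and every algorithm is reported separately so a
truncated download or a renamed decoy shows up as a mismatch rather than a
silent 'no'. Digests below are copied from the entry; the file path is assumed.
"""
import hashlib
import sys

# Reference digests for this entry (SHA256 e5990480...), copied from the page.
ENTRY = {
    "sha256": "e5990480cda6207bf008957ae5a3fa3debe6303fd19c3babc3f2223bf769479c",
    "sha3_384": "2272e7faddc6a11fb434321eda92d6052942cc072c19e049a3a23f5ec139c602"
                "fb12f4534c571cfb52d4dd7c60d2350e",
    "sha1": "8eadece945d635093c04a9d871ea0ead59d8e89f",
    "md5": "356dc1680475998c7c23e199f2c2e9ca",
}
ENTRY_SIZE = 18432  # "18'432 bytes" on the entry


def digest_stream(chunks):
    """Feed every chunk to all four hashers at once; return ({algo: hexdigest}, byte count)."""
    hashers = {name: hashlib.new(name) for name in ENTRY}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def compare(chunks, reference=ENTRY, ref_size=ENTRY_SIZE):
    """Return {'size': bool, 'sha256': bool, ...}; True means the local file matches the entry."""
    digests, size = digest_stream(chunks)
    result = {"size": size == ref_size}
    for name, expected in reference.items():
        result[name] = digests[name] == expected.lower()
    return result


def is_this_sample(result):
    """SHA256 alone settles identity; MD5 and SHA1 are kept for matching older feeds, not for trust."""
    return result["sha256"]


def chunks_of(path, size=1 << 16):
    """Yield the file in 64 KiB pieces (chunk size is an arbitrary choice)."""
    with open(path, "rb") as f:
        while chunk := f.read(size):
            yield chunk


if __name__ == "__main__":
    # Assumed local filename; pass a different path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "C++ Dropper.exe"
    report = compare(chunks_of(path))
    for name, ok in report.items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
    print("identity:", "this sample" if is_this_sample(report) else "not this sample")
```

SHA256 decides identity; MD5 and SHA1 are included only because older feeds and AV reports key on them, and both have known collisions. imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep and py-tlsh respectively) and are left out here.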

Intelligence


File Origin
# of uploads: 2
# of downloads: 135
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: C++ Dropper.exe
Verdict: Malicious activity
Analysis date: 2021-04-12 00:20:14 UTC
Tags: evasion loader trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a file in the Windows subdirectories
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Performs DNS TXT record lookups
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Glupteba
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID 385235; sample C++ Dropper.exe; start date 12/04/2021; architecture WINDOWS; score 100), flattened from the graph rendering, one block per process:

Top level
  Network: penyanntel.xyz 79.141.170.43 (HZ-UK-ASGB, Bulgaria); humisnee.com 172.67.206.104 (CLOUDFLARENETUS, United States); 23 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  Processes started: C++ Dropper.exe; svchost.exe; svchost.exe; 2 other processes

C++ Dropper.exe
  Network: iplogger.org 88.99.66.31 (ports 443, 49694, 49715; HETZNER-ASDE, Germany); 45.15.143.191 (ports 49695, 80; DEDIPATH-LLCUS, Latvia); jaishomo.info 104.21.50.92 (ports 49705, 80; CLOUDFLARENETUS, United States)
  Dropped: helperwBCsY5XL4Gad...7ZWSHFIpQqj2zDP.exe (PE32); helperhSfUY1oT2kCE...XHdjslPazeNbBAD.exe (PE32); helperd2ZkhMzBJrgO...W3y71mV9bKFLAeq.exe (PE32); 11 other files (3 malicious)
  Processes started: helperFNi8O9qk6DRaAuh7m5BLfybJxsCodv3V.exe; helperd2ZkhMzBJrgO0G4SwW3y71mV9bKFLAeq.exe; helperUoZPd6tSi1vfeQYVJGknIEmzXC7HcM90.exe; 4 other processes

svchost.exe
  Network: 127.0.0.1

helperFNi8O9qk6DRaAuh7m5BLfybJxsCodv3V.exe
  Network: gclean.in 176.103.61.84 (ports 49697, 49703, 80; XSERVER-IP-NETWORK-ASUA, Ukraine); tapewormorchestra.top 195.123.215.115 (ports 443, 49698, 49707; ITL-LV, Bulgaria); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\...\74933959138.exe (PE32); C:\Users\user\AppData\...\56422338466.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine
  Processes started: cmd.exe; cmd.exe; cmd.exe

helperd2ZkhMzBJrgO0G4SwW3y71mV9bKFLAeq.exe
  Signatures: Injects a PE file into a foreign processes
  Processes started: helperd2ZkhMzBJrgO0G4SwW3y71mV9bKFLAeq.exe (second instance)

helperUoZPd6tSi1vfeQYVJGknIEmzXC7HcM90.exe
  Network: iplogger.org
  Dropped: C:\Users\user\AppData\...\47953181928.exe (PE32); C:\Users\user\AppData\...\85343140594.exe (PE32); C:\Users\user\AppData\...\phantom[1].exe (PE32); 3 other files (none is malicious)
  Processes started: cmd.exe

4 other processes (children of C++ Dropper.exe)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Performs DNS queries to domains with low reputation; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Processes started: helperwBCsY5XL4Gad39htn7ZWSHFIpQqj2zDP.exe

cmd.exe (three instances under helperFNi8O9qk6DRaAuh7m5BLfybJxsCodv3V.exe)
  Processes started: 56422338466.exe and conhost.exe; 74933959138.exe and conhost.exe; conhost.exe and taskkill.exe

helperd2ZkhMzBJrgO0G4SwW3y71mV9bKFLAeq.exe (second instance)
  Network: tapewormorchestra.top; tttttt.me 95.216.186.40 (ports 443, 49709; HETZNER-ASDE, Germany)
  Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
  Signatures: Tries to steal Mail credentials (via file access)

cmd.exe (under helperUoZPd6tSi1vfeQYVJGknIEmzXC7HcM90.exe)
  Processes started: 47953181928.exe; conhost.exe

helperwBCsY5XL4Gad39htn7ZWSHFIpQqj2zDP.exe
  Network: api.ip.sb; yertarend.site 5.101.66.180 (PINDC-ASRU, Russian Federation)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

56422338466.exe
  Network: telete.in 195.201.225.248 (ports 443, 49704; HETZNER-ASDE, Germany); tapewormorchestra.top; 192.168.2.1
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file access)

74933959138.exe
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
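The behaviour graph lists every host the sample chain touched, but it mixes C2 hostnames with the sandbox's loopback and gateway addresses, the sandbox's own ephemeral source ports, and Cloudflare-fronted IPs that unrelated sites share. The following is an added example (not MalwareBazaar's or Joe Sandbox's code) that pulls the network indicators out of the flattened graph text as it appears on the page and separates what can go on a blocklist from what cannot. The excerpt is copied from this entry's graph; the function names, the Suricata rule message and SID range, and the treatment of ports 49152 and above as the sandbox's source ports are this example's assumptions.

```python
"""Extract network IOCs from a flattened Joe Sandbox behaviour graph.

Added example, not MalwareBazaar's or Joe Sandbox's code. On the entry page the
graph is rendered as text in which every node reads "<id> <body> <parent>-><id>".
GRAPH_EXCERPT is copied from this entry's graph; names and SIDs are assumptions.
"""
import ipaddress
import re

GRAPH_EXCERPT = (
    "91 penyanntel.xyz 79.141.170.43 HZ-UK-ASGB Bulgaria 2->91 "
    "93 humisnee.com 172.67.206.104 CLOUDFLARENETUS United States 2->93 "
    "95 23 other IPs or domains 2->95 "
    "9 C++ Dropper.exe 31 2->9 started 13 svchost.exe 2->13 started "
    "113 iplogger.org 88.99.66.31, 443, 49694, 49715 HETZNER-ASDE Germany 9->113 "
    "115 45.15.143.191, 49695, 80 DEDIPATH-LLCUS Latvia 9->115 "
    "117 jaishomo.info 104.21.50.92, 49705, 80 CLOUDFLARENETUS United States 9->117 "
    "83 helperwBCsY5XL4Gad...7ZWSHFIpQqj2zDP.exe, PE32 9->83 dropped "
    "119 127.0.0.1 unknown unknown 13->119 "
    "97 gclean.in 176.103.61.84, 49697, 49703, 80 XSERVER-IP-NETWORK-ASUA Ukraine 19->97 "
    "99 tapewormorchestra.top 195.123.215.115, 443, 49698, 49707 ITL-LV Bulgaria 19->99 "
    "101 iplogger.org 26->101 "
    "109 api.ip.sb 43->109 "
    "111 yertarend.site 5.101.66.180 PINDC-ASRU Russian Federation 43->111 "
    "121 telete.in 195.201.225.248, 443, 49704 HETZNER-ASDE Germany 45->121 "
    "125 192.168.2.1 unknown unknown 45->125"
)

# A node is "<id> <body> <parent>-><id>"; the back-reference pins the edge to this node.
NODE_RE = re.compile(r"\b(\d+) (.+?) (\d+)->\1\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)
ASN_RE = re.compile(r"\b[A-Z][A-Z0-9-]{2,}\b")       # e.g. HETZNER-ASDE, CLOUDFLARENETUS
PORT_RE = re.compile(r", (\d{1,5})\b")
NOT_DOMAINS = (".exe", ".dll")   # dropped-file names look like hostnames to DOMAIN_RE
EPHEMERAL_START = 49152          # assumption: 49xxx entries are the sandbox's source ports


def parse_nodes(text):
    """Yield (node_id, body, parent_id) from the graph text, whatever line breaks the page added."""
    flat = " ".join(text.split())
    for node, body, parent in NODE_RE.findall(flat):
        yield int(node), body, int(parent)


def extract_iocs(text):
    """Return {'domains': set, 'ips': {ip: {...}}, 'skipped': set of non-global addresses}."""
    domains, ips, skipped = set(), {}, set()
    for _, body, _ in parse_nodes(text):
        for dom in DOMAIN_RE.findall(body):
            if not dom.lower().endswith(NOT_DOMAINS):
                domains.add(dom.lower())
        for ip in IPV4_RE.findall(body):
            if not ipaddress.ip_address(ip).is_global:
                skipped.add(ip)              # 127.0.0.1 / 192.168.x.x: sandbox plumbing, not C2
                continue
            asn_match = ASN_RE.search(body)
            asn = asn_match.group(0) if asn_match else ""
            ips[ip] = {
                "asn": asn,
                "ports": sorted({int(p) for p in PORT_RE.findall(body)
                                 if int(p) < EPHEMERAL_START}),
                # Cloudflare-fronted addresses serve many tenants: block the hostname, not the IP.
                "shared": "CLOUDFLARE" in asn,
            }
    return {"domains": domains, "ips": ips, "skipped": skipped}


def blocklist(iocs):
    """Hostnames plus only the IPs that are not flagged as shared infrastructure."""
    ips = [ip for ip, meta in iocs["ips"].items() if not meta["shared"]]
    return sorted(iocs["domains"]), sorted(ips)


def suricata_dns_rules(domains, base_sid=1000000):
    """One DNS-query alert per hostname (Suricata 5+ dns.query buffer); SIDs are placeholders."""
    return [
        f'alert dns any any -> any any (msg:"RaccoonStealer sample DNS query {dom}"; '
        f'dns.query; content:"{dom}"; nocase; sid:{base_sid + i}; rev:1;)'
        for i, dom in enumerate(sorted(domains))
    ]


if __name__ == "__main__":
    iocs = extract_iocs(GRAPH_EXCERPT)
    for ip, meta in sorted(iocs["ips"].items()):
        note = " (shared infrastructure, do not block)" if meta["shared"] else ""
        print(f"ip {ip:16s} {meta['asn']:24s} ports {meta['ports']}{note}")
    print("skipped non-global:", sorted(iocs["skipped"]))
    for rule in suricata_dns_rules(iocs["domains"]):
        print(rule)
```

Paste the whole graph text from the page into GRAPH_EXCERPT to cover all 25 hosts. The DNS rules target hostnames because two of the addresses above sit behind Cloudflare, where an IP block would also cut off unrelated sites.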
Result
Threat name: Win32.Trojan.Bsymem
Status: Malicious
First seen: 2021-04-12 00:52:30 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 17 of 48 (35.42%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:f55f17175de492dccaffeb57cb41e8ca951c34c4 discovery spyware stealer upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Raccoon
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: e5990480cda6207bf008957ae5a3fa3debe6303fd19c3babc3f2223bf769479c
MD5 hash: 356dc1680475998c7c23e199f2c2e9ca
SHA1 hash: 8eadece945d635093c04a9d871ea0ead59d8e89f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_Ficker
Author: ditekSHen
Description: Detects Ficker infostealer
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo
Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Telegram_stealer_bin_mem
Author: James_inthe_box
Description: Telegram in files like avemaria
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The information below gives additional context for this malware sample, such as the delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe e5990480cda6207bf008957ae5a3fa3debe6303fd19c3babc3f2223bf769479c (this sample)

Comments



accidentalrebel commented on 2021-04-14 16:32:18 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0030.002] Command and Control::Receive Data
1) [C0002.006] Communication Micro-objective::Download URL::HTTP Communication
2) [C0021.005] Cryptography Micro-objective::Mersenne Twister::Generate Pseudo-random Sequence
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0017] Process Micro-objective::Create Process
6) [C0018] Process Micro-objective::Terminate Process
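Two items on this page point at the same technique: the SUSP_XORed_Mozilla rule in the YARA section fires on the keyword "Mozilla/5.0" hidden under a single-byte XOR key, and the MBC list in the comment above tags the sample with [C0026.002] XOR::Encode Data. The following is an added example, not part of the original page, the YARA rule or mbcscan, that performs the sweep YARA's `xor` string modifier performs (all 256 keys, ASCII and UTF-16LE forms) and shows how to recover the key and decode the bytes next to a hit. The buffer it scans is constructed here, not bytes from the sample above, and the rule of thumb that a clear-text copy of the keyword demotes the finding is this example's heuristic, not the rule's exact condition.

```python
"""Single-byte XOR keyword sweep, the check behind SUSP_XORed_Mozilla, in Python.

Added example, not the rule's or MalwareBazaar's code. A stealer that stores its
HTTP User-Agent XOR-encoded defeats a plain strings pass; trying every key is
cheap because the needle is re-encoded once per key and bytes.find does the
scan in C. The sample buffer is constructed below; the triage rule is a heuristic.
"""
KEYWORD = b"Mozilla/5.0"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (0x00 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)


def find_xored(data, keyword=KEYWORD):
    """Find `keyword` under every key 0x00-0xff, in the ASCII form and the UTF-16LE form
    that YARA's `wide` modifier covers. Returns sorted (offset, key, form); key 0 is clear text."""
    forms = {"ascii": keyword, "wide": keyword.decode("ascii").encode("utf-16-le")}
    hits = []
    for key in range(256):
        for form, plain in forms.items():
            needle = xor_bytes(plain, key)      # encode the needle, not the whole buffer
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.append((pos, key, form))
                start = pos + 1
    return sorted(hits)


def decode_around(data, offset, key, width=32):
    """Decode `width` bytes from a hit with the recovered key; neighbouring strings often share it."""
    return xor_bytes(data[offset:offset + width], key)


def triage(data):
    """Heuristic (this example's, not the rule's exact condition): an encoded keyword with no
    clear-text copy anywhere in the file is the signal; browsers and HTTP libraries carry it in clear."""
    hits = find_xored(data)
    encoded = [h for h in hits if h[1] != 0]
    plain = [h for h in hits if h[1] == 0]
    return {
        "suspicious": bool(encoded) and not plain,
        "keys": sorted({h[1] for h in encoded}),
        "hits": hits,
    }


def build_sample(key=0x5A):
    """Constructed buffer (not bytes from the sample): 95 bytes of filler, the keyword XORed
    with `key`, eight null bytes, the wide keyword XORed with the same key, filler again."""
    filler = bytes(range(0x20, 0x7F))
    wide = KEYWORD.decode("ascii").encode("utf-16-le")
    return filler + xor_bytes(KEYWORD, key) + b"\x00" * 8 + xor_bytes(wide, key) + filler


if __name__ == "__main__":
    buf = build_sample()
    report = triage(buf)
    print("suspicious:", report["suspicious"], "keys:", [hex(k) for k in report["keys"]])
    for offset, key, form in report["hits"]:
        print(f"  offset {offset:#06x} key {key:#04x} {form}: {decode_around(buf, offset, key, 16)!r}")
```

Run it over the unpacked payload rather than the UPX-packed dropper (the entry tags the sample "upx"): packing scrambles the bytes, and the encoded keyword only exists as a contiguous run once the layer is removed, which is also why the rule runs against process dumps.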