MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e97f71d3020b3cf4c3d22ebe380a902fddc0e5ce666cc1b0059efe8e67860a72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e97f71d3020b3cf4c3d22ebe380a902fddc0e5ce666cc1b0059efe8e67860a72
SHA3-384 hash: a857f9583fdf49aeacfeb0141352406f849271d4c601c92c16322a64f66b167386ae37b024a89340b066e32440bac22c
SHA1 hash: 5e6078e228d3e53ffa6784609c0080bb9c48ae88
MD5 hash: dd82037ffc85850a40b6c6561ef03ecb
humanhash: william-aspen-fourteen-king
File name:DD82037FFC85850A40B6C6561EF03ECB.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:5'477'608 bytes
First seen:2021-09-06 22:06:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b9290431b366a1252cf05522cb28180 (8 x RaccoonStealer)
ssdeep 98304:V7njkuDBfNr0RMqY8t5ls7PqLcGOd8BRJTIRp6huMl7SIE:dwUVNrJ807iLcLduRLuE7SIE
Threatray 24 similar samples on MalwareBazaar
TLSH T10D4612B3D2548061D1FB873A8526AD9430F17D6F8A8D9C78F2B9BDC1363ACD1AE06543
dhash icon d486e0cccce8b4a8 (2 x RaccoonStealer, 2 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.142.215.237/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.237/ https://threatfox.abuse.ch/ioc/216755/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Discord_Nitro_Generator.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-05 05:48:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/757ea7ea-d628-4c7e-ade0-d407d42e64c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185739/
Detection(s):
SecuriteInfo.com.ML.PE-A.23465.15579.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Creating a file in the %AppData% subdirectories
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/26d14b61-05fd-406c-90fc-5454ba2592f2
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846155
Signature
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478587 Sample: ZOPvRpVKRp.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 5 other signatures 2->63 8 ZOPvRpVKRp.exe 82 2->8         started        13 sihost.exe 2->13         started        process3 dnsIp4 43 135.181.178.114, 49706, 80 HETZNER-ASDE Germany 8->43 45 telete.in 195.201.225.248, 443, 49701 HETZNER-ASDE Germany 8->45 47 45.142.215.237, 49705, 80 CLOUDSOLUTIONSRU Russian Federation 8->47 33 C:\Users\user\AppData\...\ZEJuNlicKe.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->35 dropped 37 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->37 dropped 39 57 other files (none is malicious) 8->39 dropped 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->65 67 Tries to steal Mail credentials (via file access) 8->67 69 Self deletion via cmd delete 8->69 71 Tries to harvest and steal browser information (history, passwords, etc) 8->71 15 ZEJuNlicKe.exe 1 8->15         started        19 cmd.exe 1 8->19         started        73 Tries to evade analysis by execution special instruction which cause usermode exception 13->73 75 Tries to detect virtualization through RDTSC time measurements 13->75 77 Hides threads from debuggers 13->77 21 schtasks.exe 1 13->21         started        file5 signatures6 process7 file8 41 C:\Users\user\AppData\Roaming\...\sihost.exe, PE32 15->41 dropped 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 15->51 53 Tries to evade analysis by execution special instruction which cause usermode exception 15->53 55 2 other signatures 15->55 23 schtasks.exe 1 15->23         started        25 conhost.exe 19->25         started        27 timeout.exe 1 19->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 23->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e97f71d3020b3cf4c3d22ebe380a902fddc0e5ce666cc1b0059efe8e67860a72/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 04:36:00 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5f7xduycbm6pjq6sf27dqcuqf7o4bzoomzwmdmaft37i4z4gbjza._file
Verdict:
malicious
Similar samples:
1273c78b4f196fc982cb1e9b7abe9d2b5c4f10c5486e7a891615bb273fef419d
RaccoonStealer
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
RaccoonStealer
35e4927ea02978e01bee3917c5c2c92d46308473bf3eaf4ef1d4d3c0eb0a0d4f
RaccoonStealer
4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e
RaccoonStealer
7dde3de70da44f8e4d3305702e07ab06c5630a10a381adf3453af9424a0755ce
RaccoonStealer
861f5a47b316a7668eedc2c5b7f7780406735223bd41a2a29f5df29331f7e51f
RaccoonStealer
a482e9723d71b2d6c24b51d821ad28e70017c7f99d67173aafccce64a87f22b6
RaccoonStealer
a5c940653c3b19cacd1378f2081feb377f2791257fbef36cd64df3a0b1b7d4b4
RaccoonStealer
bc458042cf51dca5781a9e1da79b5a40103dcdd3b12496321cfdaf13ce85c93c
RaccoonStealer
ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e
RaccoonStealer
+ 14 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:a1c0266f96533c41e908a3cd326d2773b7b683e6 discovery spyware stealer
Link:
https://tria.ge/reports/210906-11m7yabec2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
91a58347cc606db471e9a866a9ebad1d0a72609d16f60e141197672bcf03e923
MD5 hash:
6daec4d927c50f97ba8b9e5856b121f9
SHA1 hash:
6785816fc6d7b9fa65321a8286a9996fab38b76b
Link:
https://www.unpac.me/results/edebe880-a8ec-4032-950a-5e9ca2d5f5de/
SH256 hash:
e97f71d3020b3cf4c3d22ebe380a902fddc0e5ce666cc1b0059efe8e67860a72
MD5 hash:
dd82037ffc85850a40b6c6561ef03ecb
SHA1 hash:
5e6078e228d3e53ffa6784609c0080bb9c48ae88
Link:
https://www.unpac.me/results/edebe880-a8ec-4032-950a-5e9ca2d5f5de/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e97f71d3020b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e97f71d3020b3cf4c3d22ebe380a902fddc0e5ce666cc1b0059efe8e67860a72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_033ed5eda065d1b8c91dfcf92a6c9bd8
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificate

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185739/

Comments