MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9937b021c7034a3099202be72b2027920c919d62976a4a62dc5488d6914b697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9937b021c7034a3099202be72b2027920c919d62976a4a62dc5488d6914b697
SHA3-384 hash: f9b99c82f38439a195b1cde104c280e7ba408189591104ed8630b00118f7e45eceb0fe7ed9773ef3686dcac1a8d04add
SHA1 hash: b3e0ea1c58db90c027516617f3f0ead02f9bd2e5
MD5 hash: 315a2814329e4da0c14184c6d049899e
humanhash: wisconsin-nineteen-lithium-kilo
File name:315a2814329e4da0c14184c6d049899e.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'041'856 bytes
First seen:2021-10-07 09:04:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94e2b0572ac9e87d08b3c525a2cff4f7 (16 x RedLineStealer, 4 x RaccoonStealer, 2 x ArkeiStealer)
ssdeep 49152:79qU20GdyVCh0hS6rn13jeecERVuoFng/poEDGfH/p:79tUdPyB1TLurp7Gv/p
Threatray 2'325 similar samples on MalwareBazaar
TLSH T1C39533286AFC6A8BCA4C5BFB5E15400571D19CFC0E63E43559293AF8FA355E2378F604
File icon (PE):PE icon
dhash icon f0e894aaaca4c8f0 (4 x RedLineStealer, 2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
315a2814329e4da0c14184c6d049899e.exe
Verdict:
Malicious activity
Analysis date:
2021-10-07 10:00:51 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/ae94598f-9a6c-41cf-982b-55acbf7576ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195748/
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/615eb84598a6280f393385b7/reports/109d4410-5a54-4b84-b7a4-773b22d82a83/overview
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866260
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498689 Sample: kARSx3Wv9S.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Found malware configuration 2->66 68 9 other signatures 2->68 10 kARSx3Wv9S.exe 2->10         started        13 sihost.exe 2 2->13         started        15 sihost.exe 1 2->15         started        17 sihost.exe 1 2->17         started        process3 signatures4 78 Query firmware table information (likely to detect VMs) 10->78 80 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 10->80 82 Writes to foreign memory regions 10->82 84 3 other signatures 10->84 19 RegSvcs.exe 84 10->19         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        process5 dnsIp6 56 91.219.236.103, 49746, 80 SERVERASTRA-ASHU Hungary 19->56 58 jqueri-web.at 77.83.36.33, 443, 49751 DINET-ASRU Ukraine 19->58 60 teletop.top 104.21.17.146, 49745, 80 CLOUDFLARENETUS United States 19->60 48 C:\Users\user\AppData\...\zZ41wG7f3W.exe, PE32 19->48 dropped 50 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 19->50 dropped 52 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 19->52 dropped 54 57 other files (1 malicious) 19->54 dropped 70 Tries to steal Mail credentials (via file access) 19->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 19->72 74 Tries to harvest and steal browser information (history, passwords, etc) 19->74 76 2 other signatures 19->76 30 zZ41wG7f3W.exe 19->30         started        33 cmd.exe 1 19->33         started        file7 signatures8 process9 signatures10 86 Query firmware table information (likely to detect VMs) 30->86 88 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->88 90 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 30->90 92 4 other signatures 30->92 35 RegSvcs.exe 1 30->35         started        38 conhost.exe 33->38         started        40 timeout.exe 1 33->40         started        process11 file12 46 C:\Users\user\AppData\Roaming\...\sihost.exe, PE32 35->46 dropped 42 schtasks.exe 1 35->42         started        process13 process14 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9937b021c7034a3099202be72b2027920c919d62976a4a62dc5488d6914b697/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 14:02:35 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  1/5
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
RaccoonStealer
2232ded5541847acb7f73006ebe047b9008b4876f90590d9ffd324360f785037
RaccoonStealer
47ecf9882778e09cd99f29b89aa75d4396e783c1ef5c8e931601d6c1957fb3e5
RaccoonStealer
71f5bb7d9ace05cfb89e95843499c1c19ca1d6c8b1cd66561d24ceb9ffa94862
RaccoonStealer
8e1744ef99e2d9e8aa9447dd7495ea10c66c50d03125eda0574c1e29c71237ff
RaccoonStealer
91949edb9145bda3b1336a5513c44707a86300ca5a378411c9bf8800b8127db9
RaccoonStealer
9a1f36511ec56cbf0cf30080cdc11d8f261823079838cedd5ce0e6391ec815ef
RaccoonStealer
a52de63a368575c4aded6fee0452dc23043e4c260388caac93c2242f0bdfe97c
RaccoonStealer
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
RaccoonStealer
dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90
RaccoonStealer
+ 2'315 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:a65985d73dfa7a1c2c623a62f64e718a91445eae evasion stealer trojan
Link:
https://tria.ge/reports/211007-k1nkpscbb9/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Unpacked files
SH256 hash:
e848256d169bab52594070dd2e29e7b6e5c990a31055ab46d360922f59562c87
MD5 hash:
333e1e4c382fe0be7037ec0bb4095487
SHA1 hash:
69c99d57e6c77ef96471fb7366a6853ba79437ba
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/373c440f-170a-412d-8fc3-3a0d3585538b/
SH256 hash:
aa7416a693fbc8bc607d19177e37ddcd3de84a71e9861af5a350edc81e23ad64
MD5 hash:
24346309265aea1fbfe35bcdd007634b
SHA1 hash:
90320fbff0687ca9a6f61e2644a7cf2b82d19945
Link:
https://www.unpac.me/results/373c440f-170a-412d-8fc3-3a0d3585538b/
SH256 hash:
e9937b021c7034a3099202be72b2027920c919d62976a4a62dc5488d6914b697
MD5 hash:
315a2814329e4da0c14184c6d049899e
SHA1 hash:
b3e0ea1c58db90c027516617f3f0ead02f9bd2e5
Link:
https://www.unpac.me/results/373c440f-170a-412d-8fc3-3a0d3585538b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/e9937b021c7034a3099202be72b2027920c919d62976a4a62dc5488d6914b697

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe e9937b021c7034a3099202be72b2027920c919d62976a4a62dc5488d6914b697

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/195748/
  
URLhaus
https://urlhaus.abuse.ch/url/1642512/
  
Delivery method
Distributed via web download

Comments