MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebb715e3c800f236717aaa889623d3cd1abb481199b3f4d9a3457fc65fface9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 6


Intelligence 6 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebb715e3c800f236717aaa889623d3cd1abb481199b3f4d9a3457fc65fface9b
SHA3-384 hash: 8110ebaad362cb7da0a1e72811d9fb4ad31d696c5fc8b4f7f2d153ec5e47f7b791085dba25e32f22dac57b87c9f82188
SHA1 hash: 97000dd31152e66c70495fb1a5a52a7c880981b1
MD5 hash: 0871a6601c5ea2dbf8f8045a713b8f8a
humanhash: oranges-mango-zulu-pip
File name:0871A6601C5EA2DBF8F8045A713B8F8A.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:25'959'962 bytes
First seen:2021-08-30 22:01:57 UTC
Last seen:2021-08-30 23:19:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2fb819a19fe4dee5c03e8c6a79342f79 (56 x Adware.InstallCore, 8 x RedLineStealer, 7 x Adware.ExtenBro)
ssdeep 786432:WnFL6zPMcha0zP8fXOM9zMV+F48LE7MQ12q1n:WnFmwchrPEXOCYp8LEJh
TLSH T1A74733A402484CFDD4033B397FE271151B577F2AA93C3A076B99FE889E9D113E94E186
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.120/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.120/ https://threatfox.abuse.ch/ioc/203162/

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0871A6601C5EA2DBF8F8045A713B8F8A.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-30 22:06:15 UTC
Tags:
installer
Link:
https://app.any.run/tasks/50c35095-0dbb-427c-be3b-294a1474a629

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Bingoml.cfrn.16530.21457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Sending a UDP request
Result
Threat name:
Raccoon RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
74 / 100
Link:
https://www.joesandbox.com/analysis/842011
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Check external IP via Powershell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474442 Sample: 3MoUaeJmNn.exe Startdate: 31/08/2021 Architecture: WINDOWS Score: 74 45 t.me 149.154.167.99, 443, 49707 TELEGRAMRU United Kingdom 2->45 47 adi64.com 91.216.107.198, 49719, 49720, 49723 RMI-FITECHFR France 2->47 49 5 other IPs or domains 2->49 57 Antivirus detection for URL or domain 2->57 59 Antivirus detection for dropped file 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 15 other signatures 2->63 9 3MoUaeJmNn.exe 2 2->9         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\3MoUaeJmNn.tmp, PE32 9->35 dropped 12 3MoUaeJmNn.tmp 30 60 9->12         started        process6 file7 37 C:\Program Files (x86)\My app\is-QATLR.tmp, PE32 12->37 dropped 39 C:\Program Files (x86)\My app\5.exe (copy), PE32 12->39 dropped 41 0fd9ce44914b3beda3...2f035620.dll (copy), PE32 12->41 dropped 43 22 other files (none is malicious) 12->43 dropped 15 5.exe 4 12->15         started        18 cmd.exe 1 12->18         started        20 powershell.exe 15 21 12->20         started        23 2 other processes 12->23 process8 dnsIp9 67 Adds a directory exclusion to Windows Defender 15->67 69 Injects a PE file into a foreign processes 15->69 25 certreq.exe 3 18->25         started        29 conhost.exe 18->29         started        51 iplogger.org 20->51 71 May check the online IP address of the machine 20->71 31 conhost.exe 20->31         started        53 iplogger.org 23->53 33 conhost.exe 23->33         started        signatures10 process11 dnsIp12 55 iplogger.org 88.99.66.31, 443, 49703, 49704 HETZNER-ASDE Germany 25->55 65 May check the online IP address of the machine 25->65 signatures13
Gathering data
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 01:54:32 UTC
AV detection:
7 of 26 (26.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5o3rly6iadzdm4l2vkejmi6tzunlwsartgz7jwndiv74mx72z2nq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210830-hqcc2xhea6/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebb715e3c800f236717aaa889623d3cd1abb481199b3f4d9a3457fc65fface9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments