MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f510d87c6a0ac9c5d995ec2d878d130fb6d3442063b604be14f65af69ae9f5af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f510d87c6a0ac9c5d995ec2d878d130fb6d3442063b604be14f65af69ae9f5af
SHA3-384 hash: 5f2acb774c646344c0c785cdd65d508d33f7debfc3ba49c3b9e5af96c8e7aa02598fb9b5abb2de5f96c82dc3adbb6810
SHA1 hash: 22cebdccb9ff2a3947c4a7238193c73d9abdf054
MD5 hash: 176a67399e1fd4d5fc92643e70fdee7f
humanhash: crazy-nine-jupiter-island
File name:176A67399E1FD4D5FC92643E70FDEE7F.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:8'192 bytes
First seen:2021-04-04 19:45:18 UTC
Last seen:2021-04-04 20:39:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 96:lohr2dGlu+hqquOQh4Sl3HIlVLxBZgFOx5v38+D4q4HIZtBfRkQ1GYDBRWBzNt:lQNhj5I4KWnx5vMK4oZtBfR1GYDnWD
Threatray 893 similar samples on MalwareBazaar
TLSH D9F1D614F3F9CA32EABE077E49A7C3514BB4E716DD668B6F14C812C35D27A140A92322
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
188.68.221.233:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
188.68.221.233:80 https://threatfox.abuse.ch/ioc/6765/

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
test.exe
Verdict:
Malicious activity
Analysis date:
2021-04-02 19:49:45 UTC
Tags:
evasion opendir loader trojan ficker stealer raccoon
Link:
https://app.any.run/tasks/8fff4974-d001-45c7-9c5f-3cb8bfa811bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132112/
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.332.29637.8819.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Creating a window
Searching for the window
Launching a process
Launching cmd.exe command interpreter
Creating a process with a hidden window
Running batch commands
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Sending a UDP request
Deleting a recently created file
Reading critical registry keys
Connection attempt
Delayed reading of the file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Launching a tool to kill processes
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/459696bd-41d5-4529-999d-7323a4e30fc0
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665651
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 381754 Sample: L87N50MbDG.exe Startdate: 04/04/2021 Architecture: WINDOWS Score: 100 136 cdn.discordapp.com 2->136 138 telete.in 2->138 140 8 other IPs or domains 2->140 178 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->178 180 Found malware configuration 2->180 182 Malicious sample detected (through community Yara rule) 2->182 186 10 other signatures 2->186 13 L87N50MbDG.exe 21 21 2->13         started        18 cHjr4b00ug2hJwLWcQ2u4iBa.exe 2->18         started        signatures3 184 May check the online IP address of the machine 136->184 process4 dnsIp5 162 gurums.info 13->162 164 203.159.80.228, 49737, 49775, 49800 LOVESERVERSGB Netherlands 13->164 170 7 other IPs or domains 13->170 120 C:\Users\...\vvg79IQxt3LhqF4woGPoYuex.exe, PE32 13->120 dropped 122 C:\Users\...\cHjr4b00ug2hJwLWcQ2u4iBa.exe, PE32 13->122 dropped 124 C:\Users\...\c5oCB1PgMs5IXtvsb0Rh2t9M.exe, PE32 13->124 dropped 132 9 other malicious files 13->132 dropped 208 Drops PE files to the document folder of the user 13->208 210 May check the online IP address of the machine 13->210 212 Creates HTML files with .exe extension (expired dropper behavior) 13->212 20 FBZnYvWbCJ7JVGAbyXJfApJP.exe 25 13->20         started        25 BIPTVJIm19ebRwGWTQ89YOdy.exe 80 13->25         started        27 vvg79IQxt3LhqF4woGPoYuex.exe 13->27         started        35 2 other processes 13->35 166 104.21.12.27, 443, 49771, 49805 CLOUDFLARENETUS United States 18->166 168 162.159.135.233, 443, 49777, 49778 CLOUDFLARENETUS United States 18->168 126 C:\Users\...\tJJv9l9mHYekGvI7kySNdXfS.exe, PE32 18->126 dropped 128 C:\Users\...\rQIMmuwxxfiLkGgQkqQyRMyl.exe, PE32 18->128 dropped 130 C:\Users\...\r3MkaNY8voQ5QhO7zjR6fevX.exe, PE32 18->130 dropped 134 7 other malicious files 18->134 dropped 214 Creates multiple autostart registry keys 18->214 29 E3SRUt1f1kSYMwx4XDFsWRFw.exe 18->29         started        31 RCmwHrBebgRelOy5MNgtCxxx.exe 18->31         started        33 5gDtllTN1fnngiXzJNb2hpDi.exe 18->33         started        37 2 other processes 18->37 file6 signatures7 process8 dnsIp9 142 gclean.in 193.233.78.102, 443, 49752, 49754 MGNHOST-ASRU Russian Federation 20->142 144 bindfy11.top 34.65.214.4, 49763, 49765, 49766 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->144 150 2 other IPs or domains 20->150 96 C:\Users\user\AppData\...\63442917704.exe, PE32 20->96 dropped 98 C:\Users\user\AppData\...\53806608643.exe, PE32 20->98 dropped 100 C:\Users\user\AppData\Local\...\file[1].exe, PE32 20->100 dropped 108 3 other files (none is malicious) 20->108 dropped 188 Detected unpacking (changes PE section rights) 20->188 190 Detected unpacking (overwrites its own PE header) 20->190 192 May check the online IP address of the machine 20->192 39 cmd.exe 20->39         started        41 cmd.exe 20->41         started        43 cmd.exe 20->43         started        146 telete.in 195.201.225.248, 443, 49753, 49789 HETZNER-ASDE Germany 25->146 152 2 other IPs or domains 25->152 45 cmd.exe 25->45         started        47 vvg79IQxt3LhqF4woGPoYuex.exe 27->47         started        148 tastytofutempura.top 29->148 102 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 29->102 dropped 104 C:\Users\user\AppData\...\vcruntime140.dll, PE32 29->104 dropped 106 C:\Users\user\AppData\...\ucrtbase.dll, PE32 29->106 dropped 110 56 other files (none is malicious) 29->110 dropped 194 Tries to steal Mail credentials (via file access) 29->194 196 Tries to harvest and steal browser information (history, passwords, etc) 29->196 198 Sample uses process hollowing technique 33->198 200 Injects a PE file into a foreign processes 33->200 154 4 other IPs or domains 35->154 50 mshta.exe 35->50         started        file10 signatures11 process12 dnsIp13 52 63442917704.exe 39->52         started        57 conhost.exe 39->57         started        59 53806608643.exe 41->59         started        61 conhost.exe 41->61         started        63 conhost.exe 43->63         started        65 taskkill.exe 43->65         started        67 conhost.exe 45->67         started        69 timeout.exe 45->69         started        172 54.243.164.148, 49759, 80 AMAZON-AESUS United States 47->172 174 nagano-19599.herokussl.com 47->174 176 3 other IPs or domains 47->176 71 cmd.exe 50->71         started        process14 dnsIp15 156 binsds10.top 52->156 158 moruma07.top 8.209.67.151 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 52->158 160 cinvkg72.top 52->160 112 C:\Users\user\AppData\Local\Temp\Biber.exe, PE32 52->112 dropped 114 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 52->114 dropped 202 Detected unpacking (changes PE section rights) 52->202 204 Detected unpacking (overwrites its own PE header) 52->204 206 Tries to harvest and steal browser information (history, passwords, etc) 52->206 116 C:\Users\user\AppData\Local\...\PnN9X7~.exe, PE32 71->116 dropped 73 PnN9X7~.exe 71->73         started        76 conhost.exe 71->76         started        78 taskkill.exe 71->78         started        file16 signatures17 process18 file19 118 C:\Users\user\AppData\Local\Temp\9ETO.DC, PE32 73->118 dropped 80 mshta.exe 73->80         started        82 mshta.exe 73->82         started        84 regsvr32.exe 73->84         started        86 regsvr32.exe 73->86         started        process20 process21 88 cmd.exe 80->88         started        90 cmd.exe 82->90         started        process22 92 conhost.exe 88->92         started        94 conhost.exe 90->94         started       
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-04-02 02:13:37 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6uinq7dkble4lwmv5qwypditb63ngrbamo3ajpqu6znpngxj6wxq._file
Verdict:
malicious
Similar samples:
2c2d88dbff1f9196148cc3c7501d4c45b05ef51887651b3bcdbb111fcc7a2ba2
RaccoonStealer
58813f984233cfb9eef1c9abefa7f58e96989dd9d6ebd903d40dc2cf3d56c5e8
RaccoonStealer
596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f
RaccoonStealer
6c6ab740e7d1e69bb05349e3b27b1a52a4e0bad10ef8b019147c9d87755f95cb
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
924dd7da4bccf24de55307c9754c1e8e44f4706bdaebf80e8f9c60ebdb330635
RaccoonStealer
9ba06643629d95201f9064dfeefcf6fb17a490d5b8fd86b59f3638311a356dd4
RaccoonStealer
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
RaccoonStealer
e80db3924627a7961f6bbb34a4d6849546d544620ea77f12b1b3dd8ed024ef4d
RaccoonStealer
fac9410d22c0e26ebfb6aa70649656a38685924cfb37638f95f35eb46b0cb71a
RaccoonStealer
+ 883 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:16992cd33145ccbb6feeacb4e84400a56448fa14 botnet:3d7990f080e9dcb56104447e3789dec4380efc8b discovery persistence spyware stealer
Link:
https://tria.ge/reports/210404-7way1kgcn2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
f510d87c6a0ac9c5d995ec2d878d130fb6d3442063b604be14f65af69ae9f5af
MD5 hash:
176a67399e1fd4d5fc92643e70fdee7f
SHA1 hash:
22cebdccb9ff2a3947c4a7238193c73d9abdf054
Link:
https://www.unpac.me/results/4d0d3783-fe35-479c-aadf-b6cf26b0c706/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f510d87c6a0ac9c5d995ec2d878d130fb6d3442063b604be14f65af69ae9f5af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a paste
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132112/

Comments