MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7fca90f6099f7abb75bd82e09dd715ce16f313a2f9b413efe1a7da35624fcce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 10



SHA256 hash: f7fca90f6099f7abb75bd82e09dd715ce16f313a2f9b413efe1a7da35624fcce
SHA3-384 hash: a76677f69fb67660e3550710c5f3b0a3cce64e095d671a45d47848443795a185fa2adf9e37cdbf08d24886640d747014
SHA1 hash: 5c3eacd5a386e48bb54e1083b3712299df64aaa0
MD5 hash: c6f0be259998c09885625c26063c9b3b
humanhash: arizona-twenty-foxtrot-lion
File name: C6F0BE259998C09885625C26063C9B3B.exe
Signature: RaccoonStealer
File size: 285'184 bytes
First seen: 2021-09-07 06:26:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1bd9ec7a4dcb0a443d99b482d9f2b78b (9 x RaccoonStealer, 2 x RedLineStealer, 1 x CoinMiner)
ssdeep: 6144:HizLwYGGC496XDImbLpFbDI98V5v5uJgFVg8FY6xA:HizMYGGxYXDIwpFQ98Vn/4
Threatray: 324 similar samples on MalwareBazaar
TLSH: T16B54D0113760B57EE597623847B5DB670B2A6EB16A60C3833607274A1F322C07F26FD6
dhash icon: 93f0ec96f6dcd8a3 (1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://45.142.215.237/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://45.142.215.237/
ThreatFox reference: https://threatfox.abuse.ch/ioc/216755/

Intelligence


File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C6F0BE259998C09885625C26063C9B3B.exe
Verdict:
Malicious activity
Analysis date:
2021-09-07 07:04:23 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
[Behavior graph image not available; recoverable details follow]
Behavior Graph ID: 478750
Sample: 4rnjlRe7UG.exe
Start date: 07/09/2021
Architecture: WINDOWS
Score: 68
Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Detected unpacking (changes PE section rights)
Network: cleaner-partners.biz (5.230.68.37, port 80, ASGHOSTNETDE, Germany)
Process tree: 4rnjlRe7UG.exe -> cmd.exe -> taskkill.exe, conhost.exe
Threat name:
Win32.Trojan.Fragtor
Status:
Malicious
First seen:
2021-09-05 00:44:46 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Deletes itself
Unpacked files
SHA256 hash:
de5abf623e5d3066ad49cbf41b3ff96b0b1d0aa523717c3de9c66bfc5b7c5350
MD5 hash:
ab10f62b2842390ec03bc72e02a0479b
SHA1 hash:
5472187d61fb043a3df0fdab6f4ed64eec174529
SHA256 hash:
f7fca90f6099f7abb75bd82e09dd715ce16f313a2f9b413efe1a7da35624fcce
MD5 hash:
c6f0be259998c09885625c26063c9b3b
SHA1 hash:
5c3eacd5a386e48bb54e1083b3712299df64aaa0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments