MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02
SHA3-384 hash: f0a3aa28a113921236813eedb4109d1d8ed4005de58809775ab24af411034a250aa908d6d27a10a9ad9028ae0615858b
SHA1 hash: 6ae35b312f49e1aad8aa60c8d47e35594172cde7
MD5 hash: ce9e7cb976e93b18ba3d4bcf348a10c6
humanhash: august-whiskey-snake-zebra
File name:ce9e7cb976e93b18ba3d4bcf348a10c6
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'668'464 bytes
First seen:2021-11-19 12:32:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 49152:5iey6ztkV2NXXT8ih8Dt+0OnTtY3jNaf+M1:e6hkV4nT8ih8Z9+T2R
Threatray 2'031 similar samples on MalwareBazaar
TLSH T160753320B2B075DDD3AC923CA915A982E397762B6E44FB03F01FD15EB9464CAFB9014D
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ce9e7cb976e93b18ba3d4bcf348a10c6
Verdict:
Malicious activity
Analysis date:
2021-11-19 12:47:27 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/7b08ebc5-b09e-4566-8872-93520a420b8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9908842-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
DNS request
Searching for the window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm overlay packed racealer wacatac
Link:
https://www.filescan.io/uploads/6197998043e8f62b669a5da6/reports/461be674-8a3c-4357-8786-f95b77982da7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c65254ce-7d91-48a0-9f67-e4f738ccf691
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892629
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525102 Sample: BlbG9T21ZW Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 8 BlbG9T21ZW.exe 2->8         started        process3 signatures4 50 Query firmware table information (likely to detect VMs) 8->50 52 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 8->52 54 Writes to foreign memory regions 8->54 56 3 other signatures 8->56 11 AppLaunch.exe 83 8->11         started        16 WerFault.exe 23 9 8->16         started        process5 dnsIp6 34 91.219.236.27, 49765, 80 SERVERASTRA-ASHU Hungary 11->34 36 91.219.237.226, 49766, 80 SERVERASTRA-ASHU Hungary 11->36 38 host-file-host0.com 11->38 24 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 11->26 dropped 28 C:\Users\user\AppData\...\mozglue.dll, PE32 11->28 dropped 32 56 other files (none is malicious) 11->32 dropped 58 Tries to steal Mail credentials (via file / registry access) 11->58 60 Tries to harvest and steal browser information (history, passwords, etc) 11->60 62 DLL side loading technique detected 11->62 18 cmd.exe 1 11->18         started        40 192.168.2.1 unknown unknown 16->40 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->30 dropped file7 signatures8 process9 process10 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 23:59:05 UTC
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ufrgm2ldtiv3u7hh6i5jbaog4cqjmorjj2q5g3fpleynhhk3iba._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
2beac8c979465806b1c3f9e2208ef7956b201b97368dce8293bc948f78c96e96
RaccoonStealer
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e
RaccoonStealer
4cf588b87b8697aecc8c5c0cc516b3de86b15ea5185191949e54282d6bde34b9
RaccoonStealer
6077f0663a7475cff6c26539fca712b3300c21d81a9439b3f76900457532c401
RaccoonStealer
7b127d520696b1e8ea633c47770a05b3c06e5215911a91241ecebe297b9ef395
RaccoonStealer
8814614df44496c1fedda481b646d666a99b3ddd34353e04cb5a0f374ad93e25
RaccoonStealer
8ec06531b8d67c49241fcf844168448b6a7c428a32d41f00d3714e19e1b18f3c
RaccoonStealer
c0187c53d096fcf18afd91727cda5ed43f290a33b948d9d11afc0f65e2cc4b23
RaccoonStealer
c359e05e269baa3aa125ac01c91c7e577f06feaede154cf5407f6c6c96f41531
RaccoonStealer
+ 2'021 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:fe1f102f3334068962b64125bcb00816dba46087 evasion stealer trojan
Link:
https://tria.ge/reports/211119-pq7caadcg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
0c3706c8e1404697bf00b123812c55cd374a4e230bc010d432a45b3a49c91370
MD5 hash:
bd88289ce9722f7f732f173c43e2076b
SHA1 hash:
882ecfdff47bc5ba3057164484895641a5ae9816
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/5bf08c90-ccf6-46bc-a45f-f36aa039d1b0/
SH256 hash:
fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02
MD5 hash:
ce9e7cb976e93b18ba3d4bcf348a10c6
SHA1 hash:
6ae35b312f49e1aad8aa60c8d47e35594172cde7
Link:
https://www.unpac.me/results/5bf08c90-ccf6-46bc-a45f-f36aa039d1b0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fd0b13334b1c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe fd0b13334b1cd15dd3e73f91d4840e370504b1d14a750e9b657ac9869ceada02

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1800924/
Cape
Cape
https://www.capesandbox.com/analysis/207601/

Comments


Avatar
zbet commented on 2021-11-19 12:32:53 UTC

url : hxxp://host-file-host9.com/files/4657_1637270127_3367.exe