MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

SHA256 hash: fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e
SHA3-384 hash: 2b7811053886e045a11b15a66c6e3d7f49f548a0f7f88f80538f0d0c3dfc5cf52557fa9cc402a3271439b2db1a01dc43
SHA1 hash: 789475ac6d5fda814f46a26246d0f931f41b6ba3
MD5 hash: f250cb14a5ab5ada5aa6d9d18a20b075
humanhash: vegan-speaker-fruit-west
File name: f250cb14a5ab5ada5aa6d9d18a20b075
Signature: RaccoonStealer
File size: 502'896 bytes
First seen: 2021-07-13 01:23:09 UTC
Last seen: 2021-07-13 01:37:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:KUUszj2vcX2uTSb5PwebfW00YUI1yqTp5xG:lb2Hu+b5PlgWRFG
Threatray: 1'447 similar samples on MalwareBazaar
TLSH: T128B4F1AE724E1E1AE6AC0436D2C71BF16F74ADA4850BD707A28436DE0C75BE67E014C3
Reporter: zbetcheckin
Tags: 32 exe RaccoonStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 107
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f250cb14a5ab5ada5aa6d9d18a20b075
Verdict: Malicious activity
Analysis date: 2021-07-13 01:25:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Raccoon Stealer
Verdict: Malicious

Result
Threat name: SERVHELPER Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a new user with administrator rights
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Detected SERVHELPER
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph: ID 447627 (sample 4DEv34R36N, start date 13/07/2021, architecture WINDOWS, score 100)
Threat name: Win32.Trojan.Pwsx
Status: Malicious
First seen: 2021-07-12 22:34:42 UTC
AV detection: 4 of 46 (8.70%)
Threat level: 5/5

Result
Malware family: servhelper
Score: 10/10
Tags: family:servhelper backdoor discovery exploit persistence spyware stealer trojan upx
Behaviour
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry key
Modifies system certificate store
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Sets DLL path for service in the registry
UPX packed file
Grants admin privileges
Core1 .NET packer
ServHelper
Malware Config
Dropper Extraction: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Unpacked files
SHA256 hash: 08791ccb14d1225015e081d6d3927ba071f750071468926f51ef14f5abe1ed33
MD5 hash: 854421010122eaeb2fac994bf7d0c545
SHA1 hash: 78e158ed48a839740202048607a961f69b287152
Detections: win_raccoon_auto

SHA256 hash: fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e
MD5 hash: f250cb14a5ab5ada5aa6d9d18a20b075
SHA1 hash: 789475ac6d5fda814f46a26246d0f931f41b6ba3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | RaccoonStealer | Executable exe fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e (this sample)

Delivery method: Distributed via web download

Comments


zbet commented on 2021-07-13 01:23:10 UTC

url: hxxp://136.144.41.201/USA/joker.exe