MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fd66c1d011fe7b8658211ad8990d9b06d23722a50c407675112ffb879043fa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 3


Intelligence 3 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fd66c1d011fe7b8658211ad8990d9b06d23722a50c407675112ffb879043fa5
SHA3-384 hash: 51510387e8116e59d475b03f1a9f5cd251952370bc0345917232f9ae5d12b96a22c1c366197dceb24726a055640a7869
SHA1 hash: 4fde51c6aea93bac49f4503810185b01c06b16bb
MD5 hash: b86256cfa450cd835728346734adf73a
humanhash: michigan-comet-twelve-twenty
File name:b86256cfa450cd835728346734adf73a.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:131'072 bytes
First seen:2020-05-24 15:32:16 UTC
Last seen:2020-05-24 17:06:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f1476251d0f2f92115682e341a9d97c6 (1 x RaccoonStealer)
ssdeep 1536:NPW6APkV08JBguiRow8exHLke5Lwt55p20DKmZ2xFBnP:dW6Ouwge2H20eFJP
Threatray 303 similar samples on MalwareBazaar
TLSH 20D3A703F6E20C76D9755EB02476AD046E7ABD050C024F1B7548BBA938F739AA1F931E
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Mal.FareitVB-AB.14979.32125.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-05-24 15:35:22 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
15145ed8e5ae3cf2acf9ad25bbcb3f782c4d8ba9674185d06baa66ae6d17f25a
RaccoonStealer
19e99ad36e248449944d9979c433f0277eac9e2b0911259e5c39d33bd194f399
RaccoonStealer
1a3223bf578249a17b6d1f8ee0ed8a5fd49690621f3ea63d0380db03f2c31e50
RaccoonStealer
45b253db751c69bdc1d532167e482ef03f426d4dd06a513d342faf61e976f269
RaccoonStealer
5524ff68db56a342888695eaef74d2c73cbd6b612e49a6204a6cf4eef35072f8
RaccoonStealer
57c4cc3ddd55171f1d7fabb27f67dbecd9ef59a7e752956b4cf3efa946d0d351
RaccoonStealer
9eb3b45e80a9c2a6961a24c2955cf11fb51fac3416cb1eaa8e5f26164c00d39f
RaccoonStealer
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
RaccoonStealer
bda7bbc040614aea40e36657bd8f2b28145fa7572e2810455288ad21c95fae14
RaccoonStealer
ce86a2218eff30dae2862d460329e65b67d6828acc82ad220ec584f419c30599
RaccoonStealer
+ 293 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-htlwgnf6k6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:MAL_unspecified_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects unspecified malware sample
Reference:Internal Research
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:netwire
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect netwire in memory
Reference:internal research
Rule name:Suspicious_BAT_Strings
Create hunting rule
Author:Florian Roth
Description:Detects a string also used in Netwire RAT auxilliary
Reference:https://pastebin.com/8qaiyPxs
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_netwire_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 6fd66c1d011fe7b8658211ad8990d9b06d23722a50c407675112ffb879043fa5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/367173/
  
Delivery method
Distributed via web download

Comments