MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

SHA256 hash: 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0
SHA3-384 hash: 4a40f0f193e8987002846d8e7e4a361068048011f44b2a69374fec348d7ba6a959886407663bed5197c78425c27a894e
SHA1 hash: e16be2044b73bfb717d92d13968eac473d64b8fc
MD5 hash: 060bd14ae501d8dae94cc73672ab195b
humanhash: apart-london-freddie-high
File name: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224
Signature: RaccoonStealer
File size: 555'520 bytes
First seen: 2021-02-23 08:45:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 113ab027842a74f801bdc92a0f80850f
ssdeep: 12288:v0R651v0Rkfohu9i0w1UP/e9GjvMe1i+BF4O:v0asRkA7lUu9mMe1Vf4O
Threatray: 509 similar samples on MalwareBazaar
TLSH: 2EC4CF00BBB1D134F5B3A6F4497D92E4752A79726B348DCF62D226DA1A347E09C71323
Reporter: @SecuriteInfoCom
Tags: RaccoonStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 54
Origin country: US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Creating a window
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Searching for analyzing tools
Searching for the window
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Creating a service
Launching a service
Loading a system driver
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun for a service
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.StellarStealer
Status: Malicious
First seen: 2021-02-23 05:12:09 UTC
AV detection: 22 of 48 (45.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:xmrig botnet:aef61793e586ca15c24106ac17a2a83a30fb0a25 discovery evasion miner spyware stealer themida trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
themida
Executes dropped EXE
Detected Stratum cryptominer command
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
xmrig
Unpacked files
SHA256 hash: d642d61433f8d665fdb9889b137dfd143d3052199e8bcc425562fefcd70b6a4a
MD5 hash: 907b551131fc3813c610d7b969730b40
SHA1 hash: 89a07c204aa716e6b02459b59f970ff5192888c3
Detections: win_raccoon_auto

SHA256 hash: 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0
MD5 hash: 060bd14ae501d8dae94cc73672ab195b
SHA1 hash: e16be2044b73bfb717d92d13968eac473d64b8fc
Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RaccoonStealer
File: Executable exe 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0 (this sample)

Comments