MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
SHA3-384 hash: 865444169d419b480f0305f54ab298cb82ad87895aec57e8ccc14a6ae0c9e2444273233902c93ce4acf50747c2cbf720
SHA1 hash: 786ad838dfbea097f192727d90bc899073ae3260
MD5 hash: 5cddc68460463a32782f94c595dea500
humanhash: gee-sierra-florida-cold
File name:ac.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:406'016 bytes
First seen:2020-10-10 04:16:35 UTC
Last seen:2020-10-10 04:35:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PFCMQSKRhznUR1GUKY0WXbt7M5K/FbTx:NCYKRhbBUaKbtY5K/f
Threatray 176 similar samples on MalwareBazaar
TLSH AA84C006CAEB4933FF1036F6B82C5D58CF34846DAA27F76E050698AC1E5E3D94C6351A
Reporter TrappmanRhett
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Creating a window
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487367
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 21:55:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ai73etsfsh6lx73as2tb47f7w6n4dow6si3n2dnw5xt2whqax6pq._file
Verdict:
malicious
Similar samples:
033dd7d02172855d2e61e1dcfae24bdeb9136310503e06bf7079ef78db9422ae
RaccoonStealer
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
RaccoonStealer
4d8668325ade88f0c153c36d4c01c38900fa11408b24bbe6c65429215e36f007
RaccoonStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
RaccoonStealer
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
RaccoonStealer
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
RaccoonStealer
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
RaccoonStealer
da045fcbd63520920626c45655b87da65e0e6cdc26f7bc20dfbfb6f667be9dbf
RaccoonStealer
ed9d96725b88ce0a3caee6d98c11369fb84a1d7eca3847db66abe63c49955f73
RaccoonStealer
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
RaccoonStealer
+ 166 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201010-bxlhq7f792/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
MD5 hash:
5cddc68460463a32782f94c595dea500
SHA1 hash:
786ad838dfbea097f192727d90bc899073ae3260
Link:
https://www.unpac.me/results/aae4a0e8-9ca2-49dc-b0ac-5fd4647a3aa6/
SH256 hash:
935e5ba701fe0232c124141fbfdbaa5137d8884ff888e41f7f145e8b742f0b2e
MD5 hash:
01214d0a3b40f96d70a6c2e8d4c21637
SHA1 hash:
ed0d6063652e334b3391aaa6ba97ef83e5eca0a0
Detections:
win_raccoon_a0
Create hunting rule
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/aae4a0e8-9ca2-49dc-b0ac-5fd4647a3aa6/
Parent samples :
023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
60152e8f49b376387ea78e05be97894b52c0dc862a9906248b12a441e840ee2d
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/aae4a0e8-9ca2-49dc-b0ac-5fd4647a3aa6/
SH256 hash:
0756e68d60411ed330b29ebf4f5c9bafd838652c3fe24f320113943196f8f41f
MD5 hash:
52da27b64f24a094a04a37d449a69478
SHA1 hash:
9c092eb47b1c41df46a84bf453e62bee99871217
Link:
https://www.unpac.me/results/aae4a0e8-9ca2-49dc-b0ac-5fd4647a3aa6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69673/

Comments