MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0325502958cf6111b78350207292984e34a990e4f64214a18a7b231c4c796fbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0325502958cf6111b78350207292984e34a990e4f64214a18a7b231c4c796fbd
SHA3-384 hash: 5ddc7a1b72fc3b0076559d9c19e5c9521ebe4e9662baa72486a6ff8e42a67e40950773023b0a380fbc35201ef62d6414
SHA1 hash: fcdaa10709bcc7ac1cc794490a90524c0e0c7562
MD5 hash: ffacb8059961868c94b781779fb5f1b8
humanhash: red-king-uranus-cold
File name:Full_Setup.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:14'992'896 bytes
First seen:2023-04-16 00:14:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b3911321150a9662fa1b0f22689c572 (4 x RecordBreaker, 3 x RaccoonStealer)
ssdeep 393216:ylEkoGeNeVVgE4zDhmEpUfUqfzs+9aWxzRJq3p4:Vk7eYQapzsFWFRJq3S
TLSH T172E6335715890554ECE9883684377CA673F65F2387A2EC3865E2BAE03B37570B3039A7
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c8e8beeececece4e (1 x RaccoonStealer)
Reporter Chainskilabs
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
Full_Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-04-16 00:15:54 UTC
Tags:
loader stealer raccoon recordbreaker trojan
Link:
https://app.any.run/tasks/0880bbd1-f0ac-435a-bdfa-40ef7580f069

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.295491.27533.7552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Stealing user critical data
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79804/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/643b3e088cbb8f4be303e3ae/reports/ac4136c2-bbd1-40f2-aee5-bbb3650323bd/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/0325502958cf6111b78350207292984e34a990e4f64214a18a7b231c4c796fbd
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0398281-3603-49a1-8c01-86e1c0f888a9
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214448
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 847376 Sample: Full_Setup.exe Startdate: 16/04/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Antivirus detection for URL or domain 2->45 47 8 other signatures 2->47 8 Full_Setup.exe 30 2->8         started        process3 dnsIp4 35 37.220.87.68, 49690, 80 ARTEM-CATV-ASRU Russian Federation 8->35 37 77.73.134.35 FIBEROPTIXDE Kazakhstan 8->37 39 37.220.87.61, 49698, 80 ARTEM-CATV-ASRU Russian Federation 8->39 27 C:\Users\user\AppData\Roaming\tYgY8XRw.exe, PE32+ 8->27 dropped 29 C:\Users\user\AppData\Roaming\Im2uyaF8.exe, PE32+ 8->29 dropped 31 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->31 dropped 33 6 other files (4 malicious) 8->33 dropped 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->49 51 Tries to harvest and steal browser information (history, passwords, etc) 8->51 53 Tries to evade analysis by execution special instruction (VM detection) 8->53 55 3 other signatures 8->55 13 Im2uyaF8.exe 8->13         started        16 tYgY8XRw.exe 2 8->16         started        file5 signatures6 process7 file8 57 Antivirus detection for dropped file 13->57 59 Multi AV Scanner detection for dropped file 13->59 61 Tries to harvest and steal browser information (history, passwords, etc) 13->61 19 cmd.exe 1 13->19         started        25 C:\...\USOSharedDesktop-version7.4.6.8.exe, PE32+ 16->25 dropped 63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->63 signatures9 process10 process11 21 conhost.exe 19->21         started        23 choice.exe 1 19->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0325502958cf6111b78350207292984e34a990e4f64214a18a7b231c4c796fbd/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-04-15 18:40:11 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=amsvakkyz5qrdn4dkaqhfeuyjy2ktehe6zbbjimkpmrrytdzn66q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:d5a6b03a88d8e818bc38e716387661a9 discovery persistence spyware stealer
Link:
https://tria.ge/reports/230416-ajw6eahh3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://37.220.87.68
http://83.217.11.10
Unpacked files
SH256 hash:
0325502958cf6111b78350207292984e34a990e4f64214a18a7b231c4c796fbd
MD5 hash:
ffacb8059961868c94b781779fb5f1b8
SHA1 hash:
fcdaa10709bcc7ac1cc794490a90524c0e0c7562
Link:
https://www.unpac.me/results/d001ccd7-22df-49fb-9b9f-14dfcece5d46/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0325502958cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0325502958cf6111b78350207292984e34a990e4f64214a18a7b231c4c796fbd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 0325502958cf6111b78350207292984e34a990e4f64214a18a7b231c4c796fbd

(this sample)

  
Delivery method
Distributed via web download

Comments