MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments 1

SHA256 hash:	03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0
SHA3-384 hash:	c474a87cf6c1a129dde913b66b0dc5631d328dd482576b70080aff30c77d9b2adcf2963c095ebc3bb2ec489d4400947e
SHA1 hash:	7cb27f482491993b5d544c09ff938e5364be689c
MD5 hash:	1ed03b7997f679879d89beb238cd039b
humanhash:	april-carpet-one-missouri
File name:	1ed03b7997f679879d89beb238cd039b
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	532'808 bytes
First seen:	2022-07-14 06:49:08 UTC
Last seen:	2022-07-14 09:39:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep	1536:BI47GyTGCwiSnmQUt0LB1Sh7s/s3yvsqEiyf5GPVJsrYh52EhUdjyiG:BvGyYiSDnt1A79Cvs5NfuJesbha2/
Threatray	28 similar samples on MalwareBazaar
TLSH	T1D6B4E0C173549097C857A9744E57839EAB28FC92BE20758B2370F76F0B3AAD36D29305
TrID	43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 27.6% (.EXE) Win64 Executable (generic) (10523/12/4) 13.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) OS/2 Executable (generic) (2029/13) 5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	70ecd4d4ccd4c8d4 (1 x RaccoonStealer)
Reporter	zbetcheckin
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/288631/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.39990419.3132.22838.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Unauthorized injection to a recently created process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack.dll overlay packed rundll32.exe setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/62cfbcee062776137b1aaa57/reports/242ac469-6c71-4ea8-84c2-e3a5b32df13b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1031642

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0/

Threat name:

ByteCode-MSIL.Downloader.PsDownload

Status:

Malicious

First seen:

2022-07-13 23:01:58 UTC

AV detection:

11 of 26 (42.31%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=anrgi4ngloxschzbcdgzdzjltzcfer4a4bbki46nbhmgjwnpecqa._file

Verdict:

malicious

RaccoonStealer

39f1a98ab29664ef492b052c44f6ea76148d75baaf55b7b037cc0575eb8b25d4

RaccoonStealer

40daa898f98206806ad3ff78f63409d509922e0c482684cf4f180faac8cac273

RaccoonStealer

595a5d21b386ba8e30b567cbe575b24ed104ee589037a48aa2d277452ba0b6a6

RaccoonStealer

6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547

RaccoonStealer

79352910f5e31ab1c843a5a7230d1f278dda20f721ad03243dd44f8d7806c2ed

RaccoonStealer

960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63

RaccoonStealer

c6d4500d19092b123a80369430e15d353a49b628e28f8f6ecab46809e8ac8938

RaccoonStealer

e8e4a4c7c5c593136058722cabe2d42631feffde95d923f5fd7020b0c7286f22

RaccoonStealer

+ 18 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/220714-hlznbaahgm/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Unpacked files

SH256 hash:

03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0

MD5 hash:

1ed03b7997f679879d89beb238cd039b

SHA1 hash:

7cb27f482491993b5d544c09ff938e5364be689c

Link:

https://www.unpac.me/results/0b3f118a-e123-426f-86e6-58d4a04bde7f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/03626471a65b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/