MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03dfaeacfbc330e89f56bc08ca54f2b8071fb7b27043e342b020a1c0e78601b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	03dfaeacfbc330e89f56bc08ca54f2b8071fb7b27043e342b020a1c0e78601b9
SHA3-384 hash:	fb32d580c7ec6450cd9594e6f5794d32846237990b4dc7d76a3d7d1bd64906a4d865638fa0ff0d7fb9ff9d19a74084d0
SHA1 hash:	57fd8a565293e8722f87deeb18ca380ae6a378e9
MD5 hash:	9dec88d2be0c9f471ba9c1b4dd299463
humanhash:	emma-oven-mobile-cola
File name:	9dec88d2be0c9f471ba9c1b4dd299463.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	888'832 bytes
First seen:	2020-12-01 09:00:09 UTC
Last seen:	2020-12-01 11:06:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:cgXW++EvsAhWZkRQGiHUdgbsiU7lYLYtjBef9TfLIcEK:R/pchGwsiU7FtFef9gc/
TLSH	2015129A735071CFC857D5B2DF985C85AB60297B430EC24798271A78BE2EA9BDF040F1
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

AZORult C2:
http://brice.ac.ug/index.php

ArkeiStealer C2:
http://darkangel.ac.ug/

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106189/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42698.3348.22522.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching the default Windows debugger (dwwin.exe)

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/551971

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03dfaeacfbc330e89f56bc08ca54f2b8071fb7b27043e342b020a1c0e78601b9/

Threat name:

ByteCode-MSIL.Backdoor.NanoBot

Status:

Malicious

First seen:

2020-11-30 02:15:00 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=app25lh3ymyorh2wxqemuvhsxadr7n5sobb6gqvqecq4bz4gag4q._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/201201-9mck8b14jj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

0647edbfa455a7bd80c50a3836ef86b2bd286e2993424fc41f0a632add251fc6

MD5 hash:

bce71a12ed2855945040fb2a348cabe8

SHA1 hash:

149ab58377efa833a5a409e1c547eb5eaba9d0ff

Detections:

win_raccoon_a0

win_raccoon_auto

Link:

https://www.unpac.me/results/20da3b7e-03ff-4862-884a-0b29e9ee58be/

Parent samples :

03dfaeacfbc330e89f56bc08ca54f2b8071fb7b27043e342b020a1c0e78601b9
2dae80e04d518be8a6e1659d53afd6aea2eecc35086db46b4dd0a701a4b6f812

SH256 hash:

ee788cf85f16ae46392fac2e90fa074c5c541800dcd3ea9e994ec41a3263a671

MD5 hash:

67858da0e2497e14b7232f0b23742375

SHA1 hash:

4fbefe15a6a4861c50c67f0d033fab28bdfef573

Link:

https://www.unpac.me/results/20da3b7e-03ff-4862-884a-0b29e9ee58be/

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/20da3b7e-03ff-4862-884a-0b29e9ee58be/

SH256 hash:

03dfaeacfbc330e89f56bc08ca54f2b8071fb7b27043e342b020a1c0e78601b9

MD5 hash:

9dec88d2be0c9f471ba9c1b4dd299463

SHA1 hash:

57fd8a565293e8722f87deeb18ca380ae6a378e9

Link:

https://www.unpac.me/results/20da3b7e-03ff-4862-884a-0b29e9ee58be/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/03dfaeacfbc330e89f56bc08ca54f2b8071fb7b27043e342b020a1c0e78601b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.