MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b
SHA3-384 hash: f8b380ed638af3c55ccafa57f1ac6e1a0f2ac92446d0b26511992cc1ea4c0664261abc1d5d13e425ca70fe63f7271f64
SHA1 hash: 64634c62c3eb74bbc5cdec26082dd612a304e45d
MD5 hash: 7603117e8e1611e887b8c6fccbdb9d4e
humanhash: moon-blossom-yankee-bacon
File name:SecuriteInfo.com.Heuristic.HEUR.AGEN.1304984.32215.8008
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'282'944 bytes
First seen:2023-12-11 19:32:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 379f1f8b44b71caf79408adefbc888c6 (1 x RaccoonStealer)
ssdeep 98304:wCUQbcTwemgpj6KqG6F6MNl4or9cOFOoKc3lZsuavzeh/QYU+LR87CiFj4:HtbCLpjfqx/j9dF3livQ/Y4R87dq
TLSH T1E156232356D50045E1F2893C862B3DE572F60E5A9E82AC7E55FEFDC62B335A4D203A43
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b29e8e86c8d8c8f4 (1 x RaccoonStealer)
Reporter SecuriteInfoCom
Tags:exe RaccoonStealer signed

Code Signing Certificate

Organisation:(C) 1998-2020 Logitech. All rights reserved.
Issuer:(C) 1998-2020 Logitech. All rights reserved.
Algorithm:sha1WithRSAEncryption
Valid from:2023-12-07T10:12:32Z
Valid to:2033-12-08T10:12:32Z
Serial number: 7512ce1765217a844e1b7a9084fbc3e3
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: eb6713a9cfe98c8d67262e2177d9726553023a0ce738d22f9d14eac8d1019f51
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiClNnT3oiDAxUIkYkEHYf-BRU4ChAWegQIChAB&url=https%3A%2F%2Fgreencracks.com%2Fmalwarebytes-premium-crack%2F&usg=AOvVaw2XgtQD6s-ww1g-yk7EtG0H&opi=89978449
Verdict:
Malicious activity
Analysis date:
2023-12-12 01:35:46 UTC
Tags:
lumma stealer loader amadey botnet
Link:
https://app.any.run/tasks/a36570cf-1f41-4aab-8731-d8dee9a55d66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466041/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1304984.32215.8008.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin masquerade overlay packed packed packed shell32 vmprotect
Link:
https://www.filescan.io/uploads/657763f547603edff334e12d/reports/68e1e437-4cc0-4bc0-9fc6-57de58ea02d7/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5039949-2b11-4efd-a1a3-7b9835e363f7
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1359234
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected VMProtect packer
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 19:33:06 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
13 of 23 (56.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atlnh3afn4brpf4ca4flhdkaogl76lrpyxeuhwqr3ymnacc3p45q._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
vmprotect
Link:
https://tria.ge/reports/231211-x9hr2ahaa8/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
Unpacked files
SH256 hash:
0ca943b6ee909f216c2e139438ef92b92a3ebf39725471b77f6f329f36f8778e
MD5 hash:
a1255ce0231b09b3a4bbad0fcb38bda9
SHA1 hash:
8107a04aeb85ab8828ef18c65cdb9d661f62e74b
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/e5fac9b6-66b9-405a-a524-3252bb266e42/
SH256 hash:
04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b
MD5 hash:
7603117e8e1611e887b8c6fccbdb9d4e
SHA1 hash:
64634c62c3eb74bbc5cdec26082dd612a304e45d
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/e5fac9b6-66b9-405a-a524-3252bb266e42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 04d6d3ec056f03179782070ab38d407197ff2e2fc5c943da11de18d0085b7f3b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2739592/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2737076/
  
URLhaus
https://urlhaus.abuse.ch/url/2733619/
  
URLhaus
https://urlhaus.abuse.ch/url/2735404/
Cape
Cape
https://www.capesandbox.com/analysis/466041/

Comments