MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05e5832347b448b270340cadd453202bbe5790d840e7b44243b8c4fc954a6013. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	05e5832347b448b270340cadd453202bbe5790d840e7b44243b8c4fc954a6013
SHA3-384 hash:	04f60830d9eb8dc8053c9456b7e9e5c2fabda636820a688d1b4ffdc92899210e761d4b4c0a51b52f6c5add915cf8aa34
SHA1 hash:	df9965ee4a22d7eee59ee85d68e49c92b16332ec
MD5 hash:	41fde5ac10c155100baf4d8190181fd1
humanhash:	floor-jersey-virginia-kansas
File name:	file
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	6'460'928 bytes
First seen:	2022-10-22 08:58:42 UTC
Last seen:	2022-10-22 17:38:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2f285ed6f05eae8b1321ad1b364e9c75 (19 x RecordBreaker, 2 x RaccoonStealer)
ssdeep	98304:wAKvwRU5PaUBu00TTn9FawRYcg/olI3d3+ybdyqXFE44o3qdyTQhPvN7aEFLIjzG:fKvqUhrsh7awVH23dbcqVZDsvBDIzG
Threatray	725 similar samples on MalwareBazaar
TLSH	T1D35623B30769800AE0E08D3D8A37BDD8B0F55B569B82EC7AA5FB5DC4542D9D1FA5B003
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	a89094c8e8e0f0f0 (1 x RaccoonStealer)
Reporter	andretavare5
Tags:	exe RaccoonStealer

andretavare5

Sample downloaded from https://vk.com/doc32384019_646281253?hash=IQGknvCGG9gFq8bhkfKY6IogIokhlXQ1PNBNhtVkUyX&dl=GMZDGOBUGAYTS:1666427834:pdaO6J5iSq12ORBBHf6vQr43vZiOZctJ5SgKybsOvqz&api=1&no_preview=1#yet1k

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-10-22 08:59:11 UTC

Tags:

trojan raccoon recordbreaker loader stealer

Link:

https://app.any.run/tasks/359737cb-fba8-4a75-b139-f4bd7ed82856

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322589/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.7395.5122.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file

Creating a file in the system32 subdirectories

Reading critical registry keys

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/44362/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

evasive greyware packed

Link:

https://www.filescan.io/uploads/6353b0d8b87ce1b32f79193c/reports/299b0f84-681a-42c8-8909-bd24b13e4b3e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/fbacb99c-9931-4eff-9d1a-7bff4c0894bf

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1095404

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/05e5832347b448b270340cadd453202bbe5790d840e7b44243b8c4fc954a6013/

Threat name:

Win32.Trojan.Privateloader

Status:

Suspicious

First seen:

2022-10-22 09:13:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=axsygi2hwrele4bubsw5iuzafo7fpegyidt3iqsdxdcpzfkkmajq._file

Verdict:

suspicious

Label(s):

raccoon

RaccoonStealer

27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20

RaccoonStealer

3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4

RaccoonStealer

754d637166838352780c8e0e611a21f4886f98a82cca0c8a32bf1df3e3c35f1f

RaccoonStealer

7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4

RaccoonStealer

8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771

RaccoonStealer

e3f6666bcc343098a21a2c52ee8a63d03c042b9dfd4cb1dfbf984c6d0e985da0

RaccoonStealer

+ 715 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/221022-kxqkwsbhf4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/90d2fbc7-c1a8-4b9a-817c-436487dd6bbc

Unpacked files

SH256 hash:

0bd8ba71e581af78471c740b2ed85e5ceedd224d47519d02da4248dc2652d88b

MD5 hash:

61f7eb0c649c4f56cb8e5f5d831e70c1

SHA1 hash:

5e7028aa4c01550b6a07ebe8ff82697416c4af63

Link:

https://www.unpac.me/results/29f4590f-bb40-43c6-8def-55f2623a4855/

SH256 hash:

05e5832347b448b270340cadd453202bbe5790d840e7b44243b8c4fc954a6013

MD5 hash:

41fde5ac10c155100baf4d8190181fd1

SHA1 hash:

df9965ee4a22d7eee59ee85d68e49c92b16332ec

Link:

https://www.unpac.me/results/29f4590f-bb40-43c6-8def-55f2623a4855/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/05e5832347b4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/05e5832347b448b270340cadd453202bbe5790d840e7b44243b8c4fc954a6013

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/322589/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample