MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ffddfa0d703b8dbfcbdfeda5c1645cc796863710dbd1383fc1062046429d317. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ffddfa0d703b8dbfcbdfeda5c1645cc796863710dbd1383fc1062046429d317
SHA3-384 hash: d8202d15276ff5f99ec0580a4aaecd262cf28e0d1210bed5515969d05a7958bc485ced5c7d0583b7e5e7a1b91891d34b
SHA1 hash: 8d6143d549d10057bc28d1031952cceb2e2b1a0f
MD5 hash: 1d754e8f4b5fbfadd5cfa1b3509a6f08
humanhash: edward-oranges-cat-alaska
File name:1d754e8f4b5fbfadd5cfa1b3509a6f08.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'060'488 bytes
First seen:2021-07-16 08:15:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f968a6fe37037e5bf3559e0df7a74ef0 (1 x RaccoonStealer)
ssdeep 49152:Tnwg/ZD7NrWiEtYj9soqtZp0whU/iMKfYnNcADoaji65epDzWU:s8nNrWiaS9som7hU/i3AneAfb5epXP
Threatray 3'670 similar samples on MalwareBazaar
TLSH T1389533FAD58425A4C5EF0E7926F238E8CDF4DC1A1C58ED77E85C914CDAD8E0538C219A
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1d754e8f4b5fbfadd5cfa1b3509a6f08.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 08:16:04 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/2bc37ae9-a3ff-4a14-a46f-46afe8296134

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172134/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46631841.23844.644.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f8589a8-330c-4d3d-8a42-6ee83b850845
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817341
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ffddfa0d703b8dbfcbdfeda5c1645cc796863710dbd1383fc1062046429d317/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 21:29:23 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
RaccoonStealer
3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9
RaccoonStealer
60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
RaccoonStealer
a8fb61732f9696d24e02dda47d2f12abe0d8968e130f05d2381bb7b5a93f3ec0
RaccoonStealer
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
RaccoonStealer
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
RaccoonStealer
+ 3'660 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/210716-4s3b91nz42/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
39fb53d24d52d3cf254f4ef6ab8d2d0b8c84fd28c763d5a7c4e6bd1be5b905fb
MD5 hash:
8ade731750642a71fa90bad23606a43b
SHA1 hash:
725664faa0f769b5bf06853bdb159a7f831ec796
Link:
https://www.unpac.me/results/695938bf-bae4-4e08-a920-e3853fb4863a/
SH256 hash:
0ffddfa0d703b8dbfcbdfeda5c1645cc796863710dbd1383fc1062046429d317
MD5 hash:
1d754e8f4b5fbfadd5cfa1b3509a6f08
SHA1 hash:
8d6143d549d10057bc28d1031952cceb2e2b1a0f
Link:
https://www.unpac.me/results/695938bf-bae4-4e08-a920-e3853fb4863a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.04
Link:
https://yomi.yoroi.company/submissions/0ffddfa0d703b8dbfcbdfeda5c1645cc796863710dbd1383fc1062046429d317

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 0ffddfa0d703b8dbfcbdfeda5c1645cc796863710dbd1383fc1062046429d317

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1454358/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172134/

Comments