MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13aa65d9723d2053dde5c53169586f0d2f4bb7d7365fac1018966c84900db17a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13aa65d9723d2053dde5c53169586f0d2f4bb7d7365fac1018966c84900db17a
SHA3-384 hash: e437ef71c86a169c022fb4b35d525e53d22eb0b2c4bd68bc94d6f77cd988d987fcc6b93bfe7323e9d7273576ab1bc57c
SHA1 hash: a4f2e8c337e297a9d667ca63a64cacf1ebc3c0dd
MD5 hash: ef57a9fdd73e6712cb9999dd854c9de1
humanhash: echo-november-speaker-december
File name:ef57a9fdd73e6712cb9999dd854c9de1
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'709'152 bytes
First seen:2022-01-02 03:44:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 935c21d57cc2b6c986bd6210b8058915 (1 x RaccoonStealer)
ssdeep 49152:gszqI1lQxeQJn9hFGGPFgX6AGu/Ucxfs0m6r:gszqyQkU9zFgXr/7xfrm6r
Threatray 408 similar samples on MalwareBazaar
TLSH T1D68522F72AAE01F1F6F43BB1AE461DBA7B65E4FD60C0960944EC0676C66734398F4284
File icon (PE):PE icon
dhash icon 1827270e1ea727d8 (1 x RaccoonStealer)
Reporter zbetcheckin
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ef57a9fdd73e6712cb9999dd854c9de1
Verdict:
Malicious activity
Analysis date:
2022-01-02 03:48:27 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/46c41619-f9a0-4812-beaa-337229800bb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217058/
Detection(s):
Win.Malware.Generic-9918574-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Sending an HTTP GET request
DNS request
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d11fc38991ba72b3a51e87/reports/4f73e6be-2881-46d5-a7e0-cc8c65870ffb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ca8e3b8-3770-44b1-97d1-169ed859890b
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914576
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13aa65d9723d2053dde5c53169586f0d2f4bb7d7365fac1018966c84900db17a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-30 05:48:00 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 43 (53.49%)
Threat level:
  5/5
Verdict:
suspicious
Label(s):
ryuk
Create hunting rule
Similar samples:
059afad6c9d4183c5b32b89465732dc6ea7bf7192c0ed7e9f1dabfe65a17da2e
RaccoonStealer
28f5fa7118d4f1866643d781c3fee5cb4507f3d268c263ef40551d527da2c330
RaccoonStealer
6a9a058d16d72684d3acf16c16ca5454a9de9b1204b91eece3669de2fcd06187
RaccoonStealer
9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953
RaccoonStealer
a7dfdd77617ff0d9ab80e43a147683d595b231369ddf9c18d2c4bf68d5133d3a
RaccoonStealer
b94115f5638021ccf653c3de4c947632560d95d967d64b7b84860e813a8f692a
RaccoonStealer
bff3d8677d0c866b3fa47a2176ba05c9ae03cc215794896f2ef922a1aa037097
RaccoonStealer
c0aef5e5917abe6276cc6ee7225cc9f47115d1f95e1a5ec861fb0f42a8d4af18
RaccoonStealer
e371f0c9caa5fcc9a9698f9de2a40d815e22db19b37454781450633249b84dc4
RaccoonStealer
f5ad5f72cdd46c72b9272c1df0a4294a5bbf7ff8857b603147ab4478773124d3
RaccoonStealer
+ 398 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:c84ce20fb6d0a1c5b26baccef2cf9572aedf31ea evasion stealer trojan
Link:
https://tria.ge/reports/220102-ea4lcaabh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
0628c57fa2acb1620f54d54b23c2792dcec9e2056b36e47c85887272150cf3d0
MD5 hash:
73684ce6767c791022a0e8dfb25b5ed4
SHA1 hash:
b40cd961dfd4c99cd3c52f816eee4d195e023047
Link:
https://www.unpac.me/results/9f8fa9fe-0a5c-4a6c-86f2-1bdecf1624ca/
SH256 hash:
13aa65d9723d2053dde5c53169586f0d2f4bb7d7365fac1018966c84900db17a
MD5 hash:
ef57a9fdd73e6712cb9999dd854c9de1
SHA1 hash:
a4f2e8c337e297a9d667ca63a64cacf1ebc3c0dd
Link:
https://www.unpac.me/results/9f8fa9fe-0a5c-4a6c-86f2-1bdecf1624ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/13aa65d9723d2053dde5c53169586f0d2f4bb7d7365fac1018966c84900db17a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 13aa65d9723d2053dde5c53169586f0d2f4bb7d7365fac1018966c84900db17a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217058/
  
URLhaus
https://urlhaus.abuse.ch/url/1942738/

Comments


Avatar
zbet commented on 2022-01-02 03:44:20 UTC

url : hxxp://oscartordoya.com/neon.exe