MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714
SHA3-384 hash:	0df25ea524865fcef7e3d1b26de74a99fb940501bc2db72614f29e50a94dad7f3fcc2f740a877323e05189af69188486
SHA1 hash:	8f4e7653ba71af974226415ed512f44a6168abcc
MD5 hash:	bb663ffdda23f4277af1d261ac43a88e
humanhash:	sierra-queen-utah-sodium
File name:	SecuriteInfo.com.Trojan.GenericKD.45695593.9197.12080
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	536'576 bytes
First seen:	2021-02-23 16:02:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a6e2c959b82a7e7f36f0071d2cdb1c19 (1 x RaccoonStealer)
ssdeep	12288:QQn7dXPlGbOW3se6+Aq9XnHgVRGwwoYtrKXf1gxF7Alq:QQ7HGbP3s63DV/tUgxelq
Threatray	374 similar samples on MalwareBazaar
TLSH	0BB4E110A7A0C034F4B733F4856993B8A5397AA1A77494CF63E15AEA5734AF0EC31367
Reporter	SecuriteInfoCom
Tags:	RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/118709/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.45695593.9197.12080.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.evad.spyw

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/615644

Signature

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-02-08 00:38:16 UTC

AV detection:

37 of 48 (77.08%)

Threat level:

5/5

Verdict:

malicious

RaccoonStealer

3d3112ce7c1a80e0378b15c7084b1b49a9805a5e47a85a97acdd7841d0a9b40b

RaccoonStealer

4fd202b93cc2d13fbf7ca7de657a4c1e2f979a027bc49600604720ff5588f5a0

RaccoonStealer

5183727d0d1efeb8c406d0f94b128baca13431fed7fc8921173e5dfafdc26e21

RaccoonStealer

757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0

RaccoonStealer

86858e54ef062ffaf88f1fe285196d220d9fa32337f575d8eaa056995e292303

RaccoonStealer

90c5e2705fad463d320dc095b073115c7bf5bd1542b98deb87008ec83c925b20

RaccoonStealer

b557b4af472ef5827704d4e22fcfc80751f4de5024a09b6d72c62827af963f9c

RaccoonStealer

dbbc522719582c66077a06ac1b94fedeed360335d5762dbc78a5744d4309ce93

RaccoonStealer

e2b766a5e694e0fd5756ef168bbd5b436f1baba2e8b74c356dbd6f0e63184bdd

RaccoonStealer

+ 364 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:b1c350130efc71d29ac93f48f2a4542493dad086 stealer

Link:

https://tria.ge/reports/210223-1tj9dgqpr2/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

02529ecc4bacb890d95ebbdd71b4e2ba36e7c5ce96c66e3c86d92a53a3e7304e

MD5 hash:

cfac57676e4e525c38e351b03394211b

SHA1 hash:

68d94a423ec67eeeacf949becb685ed93ad430b6

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/2969edaf-c30e-4d06-946a-b840e36a4307/

SH256 hash:

145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714

MD5 hash:

bb663ffdda23f4277af1d261ac43a88e

SHA1 hash:

8f4e7653ba71af974226415ed512f44a6168abcc

Link:

https://www.unpac.me/results/2969edaf-c30e-4d06-946a-b840e36a4307/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator