MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 159ec0b1b8fca14c3b5e20dd42d3ef37fb77cf2818e008e7694aa003a5702010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 159ec0b1b8fca14c3b5e20dd42d3ef37fb77cf2818e008e7694aa003a5702010
SHA3-384 hash: f7d6b41537e8af501f80296b06905adf386f12faf90f007c60d63035f89b582a70214a4ea39fd881b02248f6c49e4d39
SHA1 hash: ca33ab8943ae25fee116aed6e9b154e0e52035f7
MD5 hash: 8e16f708713d59a7764c78dc59b9b12a
humanhash: georgia-speaker-london-ink
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:244'224 bytes
First seen:2023-09-20 13:15:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9420ade60b1def8d80cadba5c09306a (4 x Smoke Loader, 2 x Stealc, 2 x RedLineStealer)
ssdeep 3072:bffu0FebfDTUilVw9WXgtjXGNgC9vGKo4Ek6miS5vfXTzj:D3eTUwO9WXobGNgAGn4EzwfXT
Threatray 64 similar samples on MalwareBazaar
TLSH T1A134D01235A5C072E5A7D5354865C7B46E7FBC3369258A8B3B802BBEAE313D39A14307
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 04101a3230808000 (1 x RaccoonStealer)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from http://94.142.138.221/file/name.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
US US
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-20 13:16:28 UTC
Tags:
stealer raccoon recordbreaker loader
Link:
https://app.any.run/tasks/33cd1704-8a1c-42c5-b95e-24774a365da8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450034/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/650af09249c6a4ce497cc5bf/reports/3724886e-9699-42ad-9779-aa0a4014506b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/159ec0b1b8fca14c3b5e20dd42d3ef37fb77cf2818e008e7694aa003a5702010
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f549e83-6e39-40e1-8d64-4a8456e8b0dd
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311562
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/159ec0b1b8fca14c3b5e20dd42d3ef37fb77cf2818e008e7694aa003a5702010/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 13:16:05 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cwpmbmny7squyo26edoufu7pg75xptziddqarz3jjkqahjlqeaia._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
00d9091fb924eb9f0c28426aa95eaeb9b398fe50395b27a105bcf7f77039d842
RaccoonStealer
10bb18137595b53ad52c3a032152d586bf818f00a1ae5cbf73bb857557a0a9b9
RaccoonStealer
4bdfd777b579da177959f5854c16f8201e1501e0cf9394f4cfef13cd999fb9d9
RaccoonStealer
5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f
RaccoonStealer
69d090774ce99b248f9e76d50312cfcbc7cc8c333f390a0fdffc95f62d7a9631
RaccoonStealer
6bac9dbaedb4ac21b79bef837aaea4193df7c4def1faa0697fa67d1de3613330
RaccoonStealer
8d5f481be0bb03f0e59effda0fc86a0c9a7da2fb8964f2b4d00530f24231fc7c
RaccoonStealer
9b14723319d814a4f65cfd2be879357aff8d36c2f0d06f0ae078f2e6fe0b0aa4
RaccoonStealer
b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1
RaccoonStealer
f89a1fc11a995b035aca4d23f8a391079e5d8f889b5a99866d07fdc755a65d77
RaccoonStealer
+ 54 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon stealer
Link:
https://tria.ge/reports/230920-qhsdtsad88/
Behaviour
Program crash
Raccoon
Raccoon Stealer payload
Unpacked files
SH256 hash:
6e1e63045d5b794d450aaa86763ab893b18c0282838a78980e1ef1e029d35742
MD5 hash:
b26d66e7808fb7684a747f665f184397
SHA1 hash:
4a2a6c79bc80a42d14838eb60f8ef6c1ef8560b3
Link:
https://www.unpac.me/results/7cc0e1c9-de5c-4e11-b0c4-6ec58eefd162/
SH256 hash:
159ec0b1b8fca14c3b5e20dd42d3ef37fb77cf2818e008e7694aa003a5702010
MD5 hash:
8e16f708713d59a7764c78dc59b9b12a
SHA1 hash:
ca33ab8943ae25fee116aed6e9b154e0e52035f7
Link:
https://www.unpac.me/results/7cc0e1c9-de5c-4e11-b0c4-6ec58eefd162/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/159ec0b1b8fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/159ec0b1b8fca14c3b5e20dd42d3ef37fb77cf2818e008e7694aa003a5702010

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/450034/

Comments