MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18bf017bdd74e8e8f5db5a4dd7ec3409021c7b0d2f125f05d728f3b740132015. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18bf017bdd74e8e8f5db5a4dd7ec3409021c7b0d2f125f05d728f3b740132015
SHA3-384 hash: affa279f86e31196fbd569dc89a29b2f3a0f979224b3de4c2719a4e9a644d8a557af7cbd41bc4b681bfffd7551dccaf1
SHA1 hash: 8f555441bd804ae08568e9f40ff63f455df52434
MD5 hash: a26c091f560286c77dc695818846a27e
humanhash: lactose-enemy-avocado-texas
File name:a26c091f560286c77dc695818846a27e
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'302'048 bytes
First seen:2021-11-04 13:27:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c78a0fcf42332cbdf64de6b70bfc435b (3 x RaccoonStealer)
ssdeep 98304:tVHcyjffTYM6jPFhCfKrGzAs29VXD56hsI+LmjPlo4SBd+1uz9QYR2:tVHZrfY1LVXMsjmjPaTPi+2
TLSH T1D5163342FF0E4128CD1518793A0BAE179D67FD6C78795FDA9201ABAF40F0A18BF81B51
File icon (PE):PE icon
dhash icon 23802b234571710d (1 x RaccoonStealer)
Reporter zbetcheckin
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a26c091f560286c77dc695818846a27e
Verdict:
No threats detected
Analysis date:
2021-11-04 13:40:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2ae351e-3c68-475b-ad55-1ef809806db1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202332/
Detection(s):
SecuriteInfo.com.Variant.Jaik.48604.9709.8430.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult overlay packed racealer
Link:
https://www.filescan.io/uploads/6183dfe50621d706aea97865/reports/e698842b-35e3-4fbb-bbb7-d27de19d9d00/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b788ed1b-909b-4cfa-91a0-65c22666ea06
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/883203
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/18bf017bdd74e8e8f5db5a4dd7ec3409021c7b0d2f125f05d728f3b740132015/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-03 16:16:27 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:710e0505eb4ae1651c46718bad62db116875c6f4 evasion stealer trojan
Link:
https://tria.ge/reports/211104-qqnqlsgfg3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
18bf017bdd74e8e8f5db5a4dd7ec3409021c7b0d2f125f05d728f3b740132015
MD5 hash:
a26c091f560286c77dc695818846a27e
SHA1 hash:
8f555441bd804ae08568e9f40ff63f455df52434
Link:
https://www.unpac.me/results/860c7be5-0937-4714-80b3-06bb8b151ec9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.24
Link:
https://yomi.yoroi.company/submissions/18bf017bdd74e8e8f5db5a4dd7ec3409021c7b0d2f125f05d728f3b740132015

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 18bf017bdd74e8e8f5db5a4dd7ec3409021c7b0d2f125f05d728f3b740132015

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1751431/
Cape
Cape
https://www.capesandbox.com/analysis/202332/

Comments


Avatar
zbet commented on 2021-11-04 13:27:40 UTC

url : hxxp://host-host-file6.com/files/9801_1635938030_9423.exe