MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 198f3aad48452b6a95ed0cc229e5858cb87ba61538949e5f606ea89a9d37eb03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 198f3aad48452b6a95ed0cc229e5858cb87ba61538949e5f606ea89a9d37eb03
SHA3-384 hash: bee31941630d17cb7f94f5b89c1173868f1bdba54d4be588565e764c2a90b5f45ad02372508d0af1dec17bf4ff70748a
SHA1 hash: 46004dc0767808c596ff62dd3d5195cbd78c2c1f
MD5 hash: 24252511b77ac69db83219cbdb96c17b
humanhash: fourteen-kitten-butter-low
File name:DevicePairingWizard.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:7'279'104 bytes
First seen:2022-10-20 12:14:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 895e5e6e037e9108574fb94ed614d804 (19 x RaccoonStealer, 1 x GuLoader)
ssdeep 98304:ukU34X1o5wzyb6eNPinsxDqRMxO5aOakgvii4VpVICai4y29rFbh5J:uM0wcin/E/Oakgvi/VpVI3iZ2NNh
Threatray 1'111 similar samples on MalwareBazaar
TLSH T18B762293A714000AEE9A8E3D853BBEB030F16EA78B61687C16C6BFC5133379575A3553
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0d040607070f008 (1 x RaccoonStealer)
Reporter ankit_anubhav
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DevicePairingWizard.exe
Verdict:
Malicious activity
Analysis date:
2022-10-20 12:17:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f794d7b0-fa9f-452f-b5ff-4a03e85054b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321979/
Detection(s):
SecuriteInfo.com.Variant.Lazy.254147.10658.17466.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
DNS request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43962/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63513bc8898b0652a4b91dca/reports/4797eefa-1712-4bd1-a8b1-ed00708b6193/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1c2b209f-6724-4dc8-8883-195d73ffbef3
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094125
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/198f3aad48452b6a95ed0cc229e5858cb87ba61538949e5f606ea89a9d37eb03/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 12:23:38 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dghtvlkiiuvwvfpnbtbctzmfrs4hxjqvhckj4x3an2ujvhjx5mbq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
411c449f978ff2425a9ee85a26157a0ba45a4895f6c1401a7c4d9a9c42c6a73b
RaccoonStealer
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
RaccoonStealer
7e8969374479fedde873a2de183ed311d69eb2567847b173b0f79135b3dd5fb2
RaccoonStealer
81ae7aea498cdd4d50470b3dcd54088d7bce5bf5f6019b08d9d558acd190cb4d
RaccoonStealer
8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe
RaccoonStealer
b2fca983a96d73154e9807ed55a953ac1afe1d1ea56357c51c0bd62b67b75c2e
RaccoonStealer
b97aabb7096844d6df6ab9ff06ddc892fd368002543ae0aa36e9a673d0b2236a
RaccoonStealer
c75da9cd07beb3d9961e4357768c1ffa9d457b0529387e940fd1082da583bfac
RaccoonStealer
da1e5e0feb94d0e3f1794bc4b049f7dba8b31f70d2df51770fc175ad0200e5bf
RaccoonStealer
+ 1'101 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221020-pewreadagl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7dc885c5-486c-40b0-8dde-a19bfc09f2b3
Unpacked files
SH256 hash:
8acdbdf7b046f8ae59df299edb133e30551fdde0161d68b46f58d382c6203214
MD5 hash:
af55f5be0a3ed40fcb8356d2b4a478fa
SHA1 hash:
472bb299e074b09d8dee827ded316f073eafb97d
Detections:
ClipboardCryptoHijacker
Create hunting rule
Link:
https://www.unpac.me/results/6b1f4a62-d9be-4d43-88bd-33160c164cab/
SH256 hash:
198f3aad48452b6a95ed0cc229e5858cb87ba61538949e5f606ea89a9d37eb03
MD5 hash:
24252511b77ac69db83219cbdb96c17b
SHA1 hash:
46004dc0767808c596ff62dd3d5195cbd78c2c1f
Link:
https://www.unpac.me/results/6b1f4a62-d9be-4d43-88bd-33160c164cab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/198f3aad48452b6a95ed0cc229e5858cb87ba61538949e5f606ea89a9d37eb03

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/321979/

Comments