MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1adbec6750be50faf1e5f8cddf9d0555afbe1a21289013cac49931004ffb8547. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 11

SHA256 hash: 1adbec6750be50faf1e5f8cddf9d0555afbe1a21289013cac49931004ffb8547
SHA3-384 hash: 8d8023da2bc1430fc5bd9b8fc7d098bc1bd981d15171fd8235c0826610a0549af24b3e1b5ea40c62e1eb2f63606e60f8
SHA1 hash: 12e919f0c28f95fee382509b21d5fddd0af08132
MD5 hash: 1dfc25b41bddbb8f77db2e932d521aae
humanhash: autumn-diet-football-bravo
File name: 1dfc25b41bddbb8f77db2e932d521aae.exe
Signature: RaccoonStealer
File size: 7'177'216 bytes
First seen: 2023-11-26 09:19:57 UTC
Last seen: 2023-11-26 11:29:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: eba6ea3eb54d77d517181e99ff8c9533 (3 x RemcosRAT, 1 x RaccoonStealer)
ssdeep: 196608:8qv2hFs8ZSVVwkUGc/1/PxDGbfH/78407bm:zMeuSV6kUGqTGbfAv/m
TLSH: T17A7602A0FB5BD472D1425430A0B6AB688AA5BE13A7E6855F33603F3CBE353C2355C356
TrID:
  85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 64e4e4da99b4a4d0 (1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 360
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating synchronization primitives
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Creating a process with a hidden window
Unauthorized injection to a system process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm anti-vm control explorer greyware hook keylogger lolbin packed remote setupapi shell32 whirlpool
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Creates files with lurking names (e.g. Crack.exe)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1347910, Sample: 4frfTIC61S.exe, Startdate: 26/11/2023, Architecture: WINDOWS, Score: 100. The rendered graph image is not reproduced; its nodes and edges are summarised below as a process tree.

Start node
  Network: www.cs.cmu.edu; SCS-WEB-LB.ANDREW.cmu.edu
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures
  Started: webview2.exe; 4frfTIC61S.exe

4frfTIC61S.exe
  Network: SCS-WEB-LB.ANDREW.cmu.edu 128.2.42.95, ports 443, 49714, 49715, CMU-ROUTERUS, United States
  Dropped: C:\Users\user\AppData\...\webview2loader.dll (PE32+); C:\Users\user\AppData\...\webview2.exe (PE32+)
  Started: webview2.exe
    Dropped: C:\Users\user\...\WorldCreatorKeygen.exe (PE32+)
    Signatures: Creates files with lurking names (e.g. Crack.exe)
    Started: cmd.exe (which started conhost.exe); WorldCreatorKeygen.exe (which started conhost.exe)

webview2.exe (started from the start node)
  Signatures: Maps a DLL or memory area into another process
  Started: cmd.exe; WorldCreatorKeygen.exe (which started conhost.exe)
    cmd.exe
      Dropped: C:\Users\user\...\Wordpadmake_Em_v4.exe (PE32)
      Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
      Started: Wordpadmake_Em_v4.exe; conhost.exe
        Wordpadmake_Em_v4.exe
          Network: 37.49.230.54, port 80, ESTROWEBNL, Estonia
          Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); Tries to delay execution (extensive OutputDebugStringW loop)
Threat name: Win32.Spyware.Raccoonstealer
Status: Malicious
First seen: 2023-11-18 05:40:20 UTC
File Type: PE (Exe)
Extracted files: 887
AV detection: 22 of 37 (59.46%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Raccoon
Raccoon Stealer payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 1adbec6750be50faf1e5f8cddf9d0555afbe1a21289013cac49931004ffb8547
MD5 hash: 1dfc25b41bddbb8f77db2e932d521aae
SHA1 hash: 12e919f0c28f95fee382509b21d5fddd0af08132
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments