MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1
SHA3-384 hash: ae2e08ada44650fc25b46654d15657a00efeecfaf48d8fe7a8bfa55bf1d7a68a84ab2daf51fee2bf31d63597c9dc78f7
SHA1 hash: 2ac0d73eaf8db34d0f5650b65b8619901b78c915
MD5 hash: b5ea5f2650f82f53059635551ae31469
humanhash: kilo-island-bulldog-illinois
File name:SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:13'312 bytes
First seen:2021-03-28 02:04:45 UTC
Last seen:2021-03-28 02:42:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f090e3992f2030ae4a0a69c609a1491 (1 x RaccoonStealer)
ssdeep 384:KkIm8aYq7XotegwrAjbO5fXchWZ7OsGk:yq7X7gwruO9Xchu7ORk
Threatray 524 similar samples on MalwareBazaar
TLSH 49523B43BF5048B2CBA441752077C9A6C5BFB5301F94A6C3EFA8E9050E712D0EA3A46F
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Themida_1_serial_keygen_by_Lz0.zip
Verdict:
Malicious activity
Analysis date:
2021-03-25 19:38:09 UTC
Tags:
trojan rat azorult evasion redline stealer vidar raccoon phishing adware opendir
Link:
https://app.any.run/tasks/421c846c-7647-4661-8651-3ca30e305d8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127315/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45968072.21801.3666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Sending an HTTP GET request
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0f79334-3570-450e-b589-541fd3a7c6be
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656035
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 376952 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 28/03/2021 Architecture: WINDOWS Score: 100 47 videomart.top 2->47 49 telete.in 2->49 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Antivirus detection for URL or domain 2->69 71 4 other signatures 2->71 9 SecuriteInfo.com.Trojan.GenericKD.45968072.21801.exe 16 2->9         started        signatures3 process4 dnsIp5 51 whatitis.site 193.38.55.33, 443, 49702, 49721 SERVERIUS-ASNL Russian Federation 9->51 35 C:\Users\user\Desktop\nigger.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\...\mixinte[1], PE32 9->37 dropped 73 Contains functionality to inject code into remote processes 9->73 14 nigger.exe 25 9->14         started        19 SecuriteInfo.com.Trojan.GenericKD.45968072.21801.exe 9->19         started        21 conhost.exe 9->21         started        file6 signatures7 process8 dnsIp9 53 gclean.in 14->53 55 193.38.55.9, 49725, 80 SERVERIUS-ASNL Russian Federation 14->55 57 2 other IPs or domains 14->57 39 C:\Users\user\AppData\...\94946656373.exe, PE32 14->39 dropped 41 C:\Users\user\AppData\Local\...\file[1].exe, PE32 14->41 dropped 43 C:\Users\user\AppData\Local\...\file[1].exe, PE32 14->43 dropped 45 3 other files (1 malicious) 14->45 dropped 59 Detected unpacking (changes PE section rights) 14->59 61 Detected unpacking (overwrites its own PE header) 14->61 63 May check the online IP address of the machine 14->63 23 cmd.exe 14->23         started        25 WerFault.exe 9 14->25         started        27 WerFault.exe 9 14->27         started        31 6 other processes 14->31 29 WerFault.exe 19->29         started        file10 signatures11 process12 process13 33 conhost.exe 23->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-25 06:52:18 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgvg4dythy4yprtiqc5k3ibd3wy5ggzjs2ots6l2dokebf6zfcyq._file
Verdict:
malicious
Similar samples:
2c2d88dbff1f9196148cc3c7501d4c45b05ef51887651b3bcdbb111fcc7a2ba2
RaccoonStealer
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
RaccoonStealer
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
RaccoonStealer
596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f
RaccoonStealer
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
RaccoonStealer
b9fe450826cf7e036b06af03cee2288464efff6bc72c4ada9299c38128ee5f77
RaccoonStealer
bcc495c75df0a47f59a60fdfb870bf833f0d320aff3f1e316f1cd96b5e578c07
RaccoonStealer
dd7211d8c5d8b0e6290b9eb79787d64b73a91bde129ccc2d83525c4a8d24a531
RaccoonStealer
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
RaccoonStealer
fac9410d22c0e26ebfb6aa70649656a38685924cfb37638f95f35eb46b0cb71a
RaccoonStealer
+ 514 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210328-h8pwrzbygs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1
MD5 hash:
b5ea5f2650f82f53059635551ae31469
SHA1 hash:
2ac0d73eaf8db34d0f5650b65b8619901b78c915
Link:
https://www.unpac.me/results/be63c05e-a694-4d93-b27b-16ba0a0a3d22/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 29aa6e0f133e3987c66880baada023ddb1d31b29969d39797a1b944097d928b1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1095731/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127315/

Comments