MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a3dcbe001c250ee2741d14d5fe2eaec34de0392c476c79206e350ceb3211c9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a3dcbe001c250ee2741d14d5fe2eaec34de0392c476c79206e350ceb3211c9d
SHA3-384 hash: 975b950a10d8cd09b715fe9f48991b48229b8dbaec89871eed4625e46421daf34ddfe9c6c0c3a39481e9ab259d9e94a5
SHA1 hash: 8b1064c0b703c18fed99258fe208692c438e3d56
MD5 hash: 24f43a2513184cc3ed860813c7312a22
humanhash: failed-failed-nineteen-item
File name:Installer.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'421'872 bytes
First seen:2020-10-08 07:37:50 UTC
Last seen:2020-10-08 11:41:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 98304:YX435ugyZvng/ZRJwPPJNh2Uk8PjtqVBbnmDTTN8oAXGxsAYsm:mWmZoxjwJNh2UkspQBbmhbiHAO
Threatray 229 similar samples on MalwareBazaar
TLSH 37261227B298A53ED4AA3B354573A04058FBB76DF417BE1636F4C48CCF261C11E3AA25
Reporter JAMESWT_WT
Tags:Grina LLC Raccoon RaccoonStealer Racealer signed

Code Signing Certificate

Organisation:AAA Certificate Services
Issuer:AAA Certificate Services
Algorithm:sha1WithRSAEncryption
Valid from:Jan 1 00:00:00 2004 GMT
Valid to:Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 370 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
1'646
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Sending a UDP request
Deleting a recently created file
Creating a process with a hidden window
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching a process
Replacing files
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/485095
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294999 Sample: Installer.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 96 60 Antivirus detection for dropped file 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 4 other signatures 2->66 9 Installer.exe 2 2->9         started        process3 file4 50 C:\Users\user\AppData\Local\...\Installer.tmp, PE32 9->50 dropped 12 Installer.tmp 8 21 9->12         started        process5 file6 52 C:\Program Files (x86)\is-3ILE4.tmp, PE32 12->52 dropped 54 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->54 dropped 56 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 12->56 dropped 58 2 other files (none is malicious) 12->58 dropped 15 wscript.exe 1 12->15         started        17 build.exe 12->17         started        process7 process8 19 cmd.exe 1 15->19         started        22 cmd.exe 2 15->22         started        24 cmd.exe 1 15->24         started        26 WerFault.exe 23 9 17->26         started        signatures9 68 Uses cmd line tools excessively to alter registry or file data 19->68 28 reg.exe 1 1 19->28         started        31 reg.exe 19->31         started        33 conhost.exe 19->33         started        42 9 other processes 19->42 35 7z.exe 22->35         started        38 7z.exe 2 22->38         started        40 conhost.exe 22->40         started        44 11 other processes 22->44 46 2 other processes 24->46 process10 file11 70 Disables Windows Defender (deletes autostart) 28->70 72 Disable Windows Defender real time protection (registry) 31->72 48 C:\ProgramData\RiGoRG\extracted\11111.exe, PE32 35->48 dropped signatures12
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2a3dcbe001c250ee2741d14d5fe2eaec34de0392c476c79206e350ceb3211c9d/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 23:27:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fi64xyabyjio4j2b2fgv7yxk5q2n4a4syr3mpeqg4nim5mzbdsoq._file
Verdict:
unknown
Similar samples:
4a60edca3a6f3900a39b164d5894137e4e466bae90a5287ccd9eebb4482b2686
RaccoonStealer
6a25765e7d969b6c324cc461b08d947d49204191d97f620b4a74ba0f6dc744ca
RaccoonStealer
73f6286bd85316cb72796f461e1ad724b8434837f1a10a4a625862c3a7e3c173
RaccoonStealer
93129fbf583ce2e637e0a21c490a549e1597902179636ebc13a7c937b5707782
RaccoonStealer
a1863d5f70d6f6f41b86c9608d9995b3ba1f19616681851d5c2a2e254d14c9a4
RaccoonStealer
b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df
RaccoonStealer
c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780
RaccoonStealer
ca86c76c753d3c8812228b08c1459bdee50a40b0aa36460906e452f80258c1b7
RaccoonStealer
d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7
RaccoonStealer
f8f5e97b40ead4c316e0dc6adc5490aafdf806ec5c203931e9d699be3b95a88a
RaccoonStealer
+ 219 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence spyware discovery
Link:
https://tria.ge/reports/201008-rsb1s56jta/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Program crash
Drops file in Program Files directory
Modifies service
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Executes dropped EXE
ServiceHost packer
Modifies Windows Defender Real-time Protection settings
Modifies security service
Unpacked files
SH256 hash:
2a3dcbe001c250ee2741d14d5fe2eaec34de0392c476c79206e350ceb3211c9d
MD5 hash:
24f43a2513184cc3ed860813c7312a22
SHA1 hash:
8b1064c0b703c18fed99258fe208692c438e3d56
Link:
https://www.unpac.me/results/4ac0ce4e-98f7-483d-bf52-ea1b6c503f95/
SH256 hash:
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811
MD5 hash:
8e2d270339dcd0a68fbb2f02a65d45dd
SHA1 hash:
bfcdb1f71692020858f96960e432e94a4e70c4a4
Link:
https://www.unpac.me/results/4ac0ce4e-98f7-483d-bf52-ea1b6c503f95/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/4ac0ce4e-98f7-483d-bf52-ea1b6c503f95/
SH256 hash:
d47a0bd1596f268b772dab179f1fc0f1404d0f7d99d90fa7e9c7609ebf6095b1
MD5 hash:
8daaf3af3de80bfd8fddd859b474f72d
SHA1 hash:
0f96c07574099afcdf37d672c080cc6524553a00
Link:
https://www.unpac.me/results/4ac0ce4e-98f7-483d-bf52-ea1b6c503f95/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a3dcbe001c250ee2741d14d5fe2eaec34de0392c476c79206e350ceb3211c9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_raccoon_a0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 2a3dcbe001c250ee2741d14d5fe2eaec34de0392c476c79206e350ceb3211c9d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/69136/
  
URLhaus
https://urlhaus.abuse.ch/url/669066/
  
Delivery method
Distributed via web download

Comments