MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e986a3709eb8095ab6a97efedd8202152322e844ef5b26b2b00ad46c0dc2f35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e986a3709eb8095ab6a97efedd8202152322e844ef5b26b2b00ad46c0dc2f35
SHA3-384 hash: 674be52ce381c0a89545d2a2ee642593153e9c8298ff2930c943b89b0d1d2235d978bebc3da4f1147428673fa0e65a98
SHA1 hash: cde92ef37d90b337dc2276bdfcbde5f51bad25a6
MD5 hash: 8058efab9c03ec337373fa77bbe02303
humanhash: burger-mississippi-oscar-single
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'455'936 bytes
First seen:2023-09-21 23:00:20 UTC
Last seen:2023-09-27 15:15:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 57f3d551342deec49af7ca2bc9a7cb91 (1 x RaccoonStealer)
ssdeep 98304:y6gtLXBgOkTvu5ZvlQgHhoxLuqMIHJtIl5BQ9Psxca19WaJofrB+d3puG:BCLxgTsZvPoLCIHJC5K3OGt+VR
Threatray 33 similar samples on MalwareBazaar
TLSH T13426237352660106E4F6CC3B8937BDE031F6176B6A42BC7959CA6DC727B64E0E203A53
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc52355237_665985118?hash=1njQe96cIPcayctzIps9PyXJA22v4Rq2P1S0vRK3iZc&dl=N6cews3XIwN5q4XQQrBfAzASUuClEzzKi9DUuwf0yYT&api=1&no_preview=1#kisrise

Intelligence

File Origin
# of uploads :
23
# of downloads :
325
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-22 09:24:58 UTC
Tags:
risepro stealer evasion raccoonclipper
Link:
https://app.any.run/tasks/a5d37bc7-6c28-43e4-98f5-9ed0377032a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450511/
Detection(s):
SecuriteInfo.com.BScope.TrojanPSW.Coins.12223.16334.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a TCP request to an infection source
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto greyware lolbin packed packed setupapi shell32 vmprotect
Link:
https://www.filescan.io/uploads/650ccb2f32ffdb7a7a0f29e8/reports/05b2d569-4de5-4935-9e80-8452bf211307/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2e986a3709eb8095ab6a97efedd8202152322e844ef5b26b2b00ad46c0dc2f35
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e166eed1-c288-40fd-ba71-9e6287cd84a3
Result
Threat name:
Clipboard Hijacker, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312675
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1312675 Sample: file.exe Startdate: 22/09/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 6 other signatures 2->53 8 file.exe 49 2->8         started        13 oobeldr.exe 2->13         started        process3 dnsIp4 33 194.169.175.123, 49705, 50500 CLOUDCOMPUTINGDE Germany 8->33 35 ipinfo.io 34.117.59.81, 443, 49707 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->35 37 cdn.discordapp.com 162.159.134.233, 443, 49708, 49709 CLOUDFLARENETUS United States 8->37 27 C:\Users\user\...\AhUl6uITR26lTaxxx6T3.exe, MS-DOS 8->27 dropped 29 C:\Users\user\AppData\Local\...\KLIPE[1].exe, MS-DOS 8->29 dropped 55 May check the online IP address of the machine 8->55 57 Tries to steal Mail credentials (via file / registry access) 8->57 59 Found stalling execution ending in API Sleep call 8->59 61 Tries to harvest and steal browser information (history, passwords, etc) 8->61 15 AhUl6uITR26lTaxxx6T3.exe 1 8->15         started        63 Antivirus detection for dropped file 13->63 65 Multi AV Scanner detection for dropped file 13->65 67 Detected unpacking (changes PE section rights) 13->67 19 schtasks.exe 1 13->19         started        file5 signatures6 process7 file8 31 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 15->31 dropped 39 Antivirus detection for dropped file 15->39 41 Multi AV Scanner detection for dropped file 15->41 43 Detected unpacking (changes PE section rights) 15->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 15->45 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e986a3709eb8095ab6a97efedd8202152322e844ef5b26b2b00ad46c0dc2f35/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 23:01:07 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
14 of 23 (60.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2mgunyj5oajlk3ks7x63wbaefjdeluej323e2zlacwunqg4f42q._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1ee283d02c2cee9d287138428403031afcd663f670439f95e5f37f1db55d5723
RaccoonStealer
523563334517ca2addf839752117f30fb0f741ca996e2a1dea48ef719ef2c4ff
RaccoonStealer
53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b
RaccoonStealer
7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b
RaccoonStealer
80f8be7669ca52aec4c9f42385328b94069d6bbee35ce6352aa46216452f0d75
RaccoonStealer
96e49850a66d17e4952c6753db1f3da67f8c49c23a2297891954df55b144d1a8
RaccoonStealer
e2cd080304d92494e731ad88d60f1ba38670ba4a751cd8df1e09d6702345999b
RaccoonStealer
f767afef9083aed521760649129fae272dfe30f66c9922ca4529533bb81d0612
RaccoonStealer
fc9fa1695c11f2c3a8019b64b414137c47d1b2f57b8593f44eda1237e4b3293b
RaccoonStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader collection discovery loader spyware stealer vmprotect
Link:
https://tria.ge/reports/230921-2zh29sba3s/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VMProtect packed file
Downloads MZ/PE file
PrivateLoader
Unpacked files
SH256 hash:
2e986a3709eb8095ab6a97efedd8202152322e844ef5b26b2b00ad46c0dc2f35
MD5 hash:
8058efab9c03ec337373fa77bbe02303
SHA1 hash:
cde92ef37d90b337dc2276bdfcbde5f51bad25a6
Link:
https://www.unpac.me/results/79dac2d2-919e-4d7d-8f0c-8652c0d56bf5/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e986a3709eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e986a3709eb8095ab6a97efedd8202152322e844ef5b26b2b00ad46c0dc2f35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/450511/

Comments