MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36cfc93885d821899c8cc38879ee915553ff45e68ce8aa8653a6f52495639992. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36cfc93885d821899c8cc38879ee915553ff45e68ce8aa8653a6f52495639992
SHA3-384 hash: d38ecae7d1e66cc8a1e4b135c8c4efbbdbd9508969c10f5876219cb50bd2dae54cd07a1998187f7da73253c478102280
SHA1 hash: 2ec727f11ab2a1a0621280307f1233b4bd6ec189
MD5 hash: 50c1ff703ea6847bd0af8ad548f5ee47
humanhash: yellow-arizona-five-tango
File name:50c1ff703ea6847bd0af8ad548f5ee47
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'124'432 bytes
First seen:2021-12-02 21:15:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94e51115549f8704225c4f040e12efc5 (2 x RaccoonStealer)
ssdeep 49152:82O7aPQHLWWiI30jBhd3eBqeL+J3FKTpFJW+YKaZLrtmT38pU:8/iI30jBhdu0sSUpF+ha
Threatray 7'904 similar samples on MalwareBazaar
TLSH T1D8A5333339E45888CA39B934399897F825A37C63D92299CC718D30616F367E2F89DF51
File icon (PE):PE icon
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter zbetcheckin
Tags:exe RaccoonStealer signed

Code Signing Certificate

Organisation:Artline Overlord ASMV ASMVv21
Issuer:Artline Overlord ASMV ASMVv21
Algorithm:sha1WithRSAEncryption
Valid from:2021-11-30T14:09:43Z
Valid to:2031-12-01T14:09:43Z
Serial number: 1ec36f18588383aa4042893280620d08
Thumbprint Algorithm:SHA256
Thumbprint: e007660f1724021561073cf59dc384c9f0905f24578abaa39039612ec57ad49a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
50c1ff703ea6847bd0af8ad548f5ee47
Verdict:
Malicious activity
Analysis date:
2021-12-02 21:18:36 UTC
Tags:
trojan stealer raccoon evasion
Link:
https://app.any.run/tasks/9fe1d5d6-4606-405b-8837-8051d4c82238

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210876/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.282.31407.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/596/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61a9379586bf67e71220a5dd/reports/abe571ac-d1db-48af-ac15-d7a38a98f837/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95882b54-6972-4103-aefe-d9f79095ad39
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900508
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36cfc93885d821899c8cc38879ee915553ff45e68ce8aa8653a6f52495639992/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 18:29:36 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
033247a6ba1cd0543f27857fb6743e16fdd2990cea1df3dce93e4031c8046d1a
RaccoonStealer
266f8215ba1b531f93fb7567c34088e49ad4de63d9c2726e11caaa6158be9d9a
RaccoonStealer
40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae
RaccoonStealer
79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6
RaccoonStealer
9684510f52cb986f32e2c3c9f9590b8dafb9786ca42d35586d353a7733b77fba
RaccoonStealer
cb2aff101fb0bdb70d2a113910feee36d63fb65fd9bcee5016b2338d318df67e
RaccoonStealer
cf2520dcf0df45be39612ab801dd1bb9923c83b21fc781be782e89e3a48e27a5
RaccoonStealer
e271f1c40db30b3cf52dfa09617a34632db3edac155c03dfbfcb9c2f05c1c1cd
RaccoonStealer
fd55ec8688feafba956d5b448eeefb45e19865995e5a6e5bdf89a60796f4c0cd
RaccoonStealer
+ 7'894 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:fe1f102f3334068962b64125bcb00816dba46087 evasion stealer trojan
Link:
https://tria.ge/reports/211202-z4f3csfag8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Unpacked files
SH256 hash:
d87b8b75b84272331a1eb14c2a0937ec5ec011e4facf51782758c05328ee54ce
MD5 hash:
6ded9a8beaafc595e068e0aae777962e
SHA1 hash:
88bbb55eed265091bf5144bd8af6301484788c27
Link:
https://www.unpac.me/results/51ec2626-1f3e-4c66-a7ec-beca035a68d6/
SH256 hash:
36cfc93885d821899c8cc38879ee915553ff45e68ce8aa8653a6f52495639992
MD5 hash:
50c1ff703ea6847bd0af8ad548f5ee47
SHA1 hash:
2ec727f11ab2a1a0621280307f1233b4bd6ec189
Link:
https://www.unpac.me/results/51ec2626-1f3e-4c66-a7ec-beca035a68d6/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/36cfc93885d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/36cfc93885d821899c8cc38879ee915553ff45e68ce8aa8653a6f52495639992

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 36cfc93885d821899c8cc38879ee915553ff45e68ce8aa8653a6f52495639992

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1845687/
Cape
Cape
https://www.capesandbox.com/analysis/210876/

Comments


Avatar
zbet commented on 2021-12-02 21:15:17 UTC

url : hxxp://host-file-host-3.com/files/8908_1638363665_2068.exe