MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39d3df8f4a3bacaf1456712177c36f4fd76acf69a174c74927c15442bc80a398. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39d3df8f4a3bacaf1456712177c36f4fd76acf69a174c74927c15442bc80a398
SHA3-384 hash: 441909cb827e7f94d4ed764dba081c3f35ccd149030e983aef1d5febc23e543c03962ae64bb9a61b5196d4b26fb75224
SHA1 hash: bd9b5b090c3c3c86be2c4e7fbe587918c2be4ef8
MD5 hash: 4475d543fd30e39295790f0f766dfcd7
humanhash: six-massachusetts-equal-winter
File name:4475d543fd30e39295790f0f766dfcd7.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'444'544 bytes
First seen:2022-11-15 13:23:40 UTC
Last seen:2022-11-15 14:50:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f7505b4601b1ffe0bfd3596cbecb05d7 (1 x RaccoonStealer)
ssdeep 98304:fO/zQnFA/Cv9sATR/yl9zqE4C5J+daIhtoO9Ekm6tGEvZb:f8Q62CATR/yl9+ErefXB636I8
Threatray 189 similar samples on MalwareBazaar
TLSH T1695623F6E1251189D3E0CC394933BDA171F51EEB898DAC7826EDB5C236316E5D203B4A
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f09284d0d0b48af0 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4475d543fd30e39295790f0f766dfcd7.exe
Verdict:
Suspicious activity
Analysis date:
2022-11-15 13:27:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6b839c1-fdb0-44b2-8702-8fb0d4f54afe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334320/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63646764.30340.20907.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/637392f98d07bb59f81afe79/reports/3c22e892-502a-4efd-9ce0-2be3e9bddfe2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/904c1485-e664-4bde-9e00-00bef13fe27f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1113809
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 746505 Sample: 8xwKWp76m1.exe Startdate: 15/11/2022 Architecture: WINDOWS Score: 64 28 Multi AV Scanner detection for submitted file 2->28 30 Machine Learning detection for sample 2->30 7 8xwKWp76m1.exe 13 2->7         started        10 IntelGAS-Ver6.0.4.5.exe 1 2->10         started        process3 signatures4 32 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->32 34 Uses schtasks.exe or at.exe to add and modify task schedules 7->34 36 Tries to detect virtualization through RDTSC time measurements 7->36 12 icacls.exe 1 7->12         started        14 icacls.exe 1 7->14         started        16 schtasks.exe 1 7->16         started        18 icacls.exe 1 7->18         started        process5 process6 20 conhost.exe 12->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39d3df8f4a3bacaf1456712177c36f4fd76acf69a174c74927c15442bc80a398/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 23:23:58 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
21 of 26 (80.77%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhj57d2khowk6fcwoeqxpq3pj7lwvt3juf2mosjhyfkefpeauoma._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
RaccoonStealer
43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c
RaccoonStealer
4e73230986aab0ad40dbd475ca56fe0f207ff5d935f766a46cd4675e6bc27229
RaccoonStealer
83303bd8432e42ddbc86aa5f2fba7b07ded48ef47ec39d42f62b410081b14090
RaccoonStealer
d04f8915ee7e77951a370e770826926ba1667eab0c3a976152d29c0a6585e439
RaccoonStealer
d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c
RaccoonStealer
fd3f9ee2a7b4e35be97140818562dc4470f90705cbd959e87c07ed983692e33d
RaccoonStealer
+ 179 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/221115-qndgvseb33/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Program crash
Modifies file permissions
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f924afc-942b-4258-aba5-6f1566373b94
Unpacked files
SH256 hash:
afcd644151aaadf4be0e1e307c40639a2163297545891ba73a775923b93eb6d5
MD5 hash:
0316dfe12d557eb0e4d3ba568f871cbc
SHA1 hash:
46dfed0c1ab2a7b1a51a4d76ac1330972b3b252f
Link:
https://www.unpac.me/results/87cf0580-bed5-4861-b51f-9d71ea33822f/
SH256 hash:
39d3df8f4a3bacaf1456712177c36f4fd76acf69a174c74927c15442bc80a398
MD5 hash:
4475d543fd30e39295790f0f766dfcd7
SHA1 hash:
bd9b5b090c3c3c86be2c4e7fbe587918c2be4ef8
Link:
https://www.unpac.me/results/87cf0580-bed5-4861-b51f-9d71ea33822f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39d3df8f4a3bacaf1456712177c36f4fd76acf69a174c74927c15442bc80a398

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 39d3df8f4a3bacaf1456712177c36f4fd76acf69a174c74927c15442bc80a398

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2381532/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/334320/

Comments