MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 6



SHA256 hash: 40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae
SHA3-384 hash: d5b84535dad0c3006d4fe9832005415c413125af488d13152f8d1f6fcd6218815498398073aa95644841ade5f23ec8b2
SHA1 hash: 271776d22bb408f5ac2c1c375f116f0cfe5315cf
MD5 hash: a92ecf7fef1451c1ebd6f7886a9e22d5
humanhash: golf-early-august-kentucky
File name: a92ecf7fef1451c1ebd6f7886a9e22d5
Signature: RaccoonStealer
File size: 1'265'152 bytes
First seen: 2021-09-22 01:15:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f0265512a1363fc11fe0c410b950baf (5 x RaccoonStealer)
ssdeep: 24576:GnrOChfE476dtiw8t+cZHlcBIfej4gRgq16CeRrLs1/cLG4pNdWgWu33Mqz2:GrOC9EEOixtjSBWeMgt6CeRk1/cLG4p3
Threatray: 5'491 similar samples on MalwareBazaar
TLSH: T14645223AC64A8462E84A117ABC5BCC752AB4BC35C6F24C79F5D4F97FA2B5342006D21F
dhash icon: b2e0b496a6cadaf2 (1 x RaccoonStealer, 1 x ArkeiStealer, 1 x RedLineStealer)
Reporter: zbetcheckin
Tags: exe RaccoonStealer
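Before analysing a downloaded copy of this sample, a practitioner would confirm that the file on disk is the one this entry describes, since MalwareBazaar serves samples inside a password-protected archive and a wrong extraction or a truncated download silently gives you a different file. The script below is an added example, not MalwareBazaar code; the expected digests are the four listed above, the file path is an assumption, and all four hashes are computed in one pass so a large sample is read only once.

```python
"""Verify a local file against the hashes listed in a MalwareBazaar entry.

Added example, not MalwareBazaar code. EXPECTED holds the digests printed on
this page for the sample; the file path is an assumption (point it at the
extracted sample). All four digests are computed in a single read.
"""
import hashlib
import hmac
import sys

# Hashes from the database entry for this sample.
EXPECTED = {
    "sha256": "40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae",
    "sha3_384": "d5b84535dad0c3006d4fe9832005415c413125af488d13152f8d1f6fcd6218815498398073aa95644841ade5f23ec8b2",
    "sha1": "271776d22bb408f5ac2c1c375f116f0cfe5315cf",
    "md5": "a92ecf7fef1451c1ebd6f7886a9e22d5",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def multi_hash(data_iter):
    """Feed every chunk from data_iter to all four hashers; return hex digests."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in data_iter:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file from disk in 1 MiB chunks and hash it once."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return multi_hash(chunks())


def compare(actual, expected):
    """Return {algorithm: bool}. hmac.compare_digest is the idiomatic
    constant-time comparison; case is normalised because vendors print
    digests in either case."""
    return {
        name: hmac.compare_digest(actual[name].lower(), expected[name].lower())
        for name in expected
    }


def verify_file(path, expected=EXPECTED):
    """True only if every listed digest matches the file on disk."""
    results = compare(hash_file(path), expected)
    for name, ok in results.items():
        print(f"{name:9s} {'OK' if ok else 'MISMATCH'}")
    return all(results.values())


if __name__ == "__main__":
    # Assumed path; not taken from the page.
    sample_path = sys.argv[1] if len(sys.argv) > 1 else EXPECTED["sha256"] + ".exe"
    sys.exit(0 if verify_file(sample_path) else 1)
```

Run it as `python verify.py <path-to-sample>`; a non-zero exit code on any mismatch makes it usable as a gate in an analysis pipeline. The same `compare` function works for the two entries under "Unpacked files" below once the dumped payload has been written to disk.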

Intelligence


File Origin
# of uploads: 1
# of downloads: 209
Origin country: n/a
Vendor Threat Intelligence

Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Infostealer behavior detected
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Raccoon Stealer
Threat name: Win32.Infostealer.Racealer
Status: Malicious
First seen: 2021-09-20 16:59:48 UTC
AV detection: 19 of 45 (42.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
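The vendor behaviours above (hiding threads from a debugger, querying firmware tables, reading BIOS and VirtualBox ACPI registry keys, looking for analysis-tool window names) each come down to a small number of Windows API calls with recognisable arguments. The script below is an added example, not code from MalwareBazaar or from any sandbox vendor: it runs that detection logic over a constructed API-call trace. The trace format and its contents are invented for the example; the API names, the THREADINFOCLASS value 0x11 and the registry paths are the real ones these checks rely on, and the two debugger window class names are a well-known subset rather than a complete list.

```python
"""Flag the anti-debug / anti-VM behaviours listed above in an API-call trace.

Added example; not code from MalwareBazaar or from any sandbox vendor. The
trace format (one "Api(key=value,...)" line per call) and the trace itself are
constructed for this example. The Windows API names, the THREADINFOCLASS value
and the registry paths are the real ones these behaviours rely on; the debugger
window class names are two well-known examples, not an exhaustive list.
"""
import re

# NtSetInformationThread with ThreadHideFromDebugger (THREADINFOCLASS 0x11)
# stops the thread from delivering debug events: "Hides threads from debuggers".
THREAD_HIDE_FROM_DEBUGGER = 0x11

# VirtualBox exposes its ACPI tables under these keys; their presence means VM.
VBOX_ACPI_RE = re.compile(r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
# BIOS strings read by "Checks BIOS information in registry".
BIOS_KEY_RE = re.compile(r"HARDWARE\\DESCRIPTION\\System(\\BIOS)?$", re.I)
BIOS_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate"}
# Window classes of common analysis tools (example subset).
DEBUGGER_WINDOW_CLASSES = {"OLLYDBG", "WINDBGFRAMECLASS"}

LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")

# Constructed trace: two benign calls followed by five that match signatures.
SAMPLE_TRACE = """\
CreateFileW(path=C:\\Users\\u\\Desktop\\file6.exe)
RegOpenKeyExW(key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)
NtSetInformationThread(class=0x11)
GetSystemFirmwareTable(provider=ACPI,table=RSDT)
RegOpenKeyExW(key=HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__)
RegQueryValueExW(key=HKLM\\HARDWARE\\DESCRIPTION\\System,value=SystemBiosVersion)
FindWindowW(class=OLLYDBG)
"""


def parse_line(line):
    """Split 'Api(k=v,k=v)' into (api, {k: v}); None for lines that don't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m["args"].split(",") if "=" in kv)
    return m["api"], args


def classify(api, args):
    """Map one call to the behaviour wording used on the page, or None."""
    if api == "NtSetInformationThread" and int(args.get("class", "0"), 0) == THREAD_HIDE_FROM_DEBUGGER:
        return "Hides threads from debuggers"
    if api in ("GetSystemFirmwareTable", "EnumSystemFirmwareTables"):
        return "Query firmware table information (likely to detect VMs)"
    key = args.get("key", "")
    if api.startswith("Reg") and VBOX_ACPI_RE.search(key):
        return "Identifies VirtualBox via ACPI registry values"
    if api == "RegQueryValueExW" and BIOS_KEY_RE.search(key) and args.get("value") in BIOS_VALUES:
        return "Checks BIOS information in registry"
    if api in ("FindWindowW", "FindWindowA") and args.get("class", "").upper() in DEBUGGER_WINDOW_CLASSES:
        return "Tries to detect sandboxes and other dynamic analysis tools (window names)"
    return None


def scan_trace(trace):
    """Return [(line_no, api, behaviour)] for every call that matches a signature."""
    hits = []
    for n, line in enumerate(trace.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        api, args = parsed
        behaviour = classify(api, args)
        if behaviour:
            hits.append((n, api, behaviour))
    return hits


def verdict(hits, threshold=2):
    """Require two distinct evasion behaviours before calling the trace evasive:
    a lone firmware-table query is also made by legitimate installers."""
    return len({b for _, _, b in hits}) >= threshold


if __name__ == "__main__":
    found = scan_trace(SAMPLE_TRACE)
    for n, api, behaviour in found:
        print(f"line {n}: {api} -> {behaviour}")
    print("evasive:", verdict(found))
```

The threshold in `verdict` is the part worth tuning: any single one of these calls has benign uses (firmware-table queries by installers, BIOS version reads by inventory agents), which is why the vendor lists several independent checks rather than one. Counting distinct behaviours, not raw hits, keeps a sample that spins on one check in a loop from inflating its own score.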
Unpacked files
SHA256 hash: 355da7eb1665a551d9b5372442506115ce77f4d70265203cba15d7ce14ed93d5
MD5 hash: 4ba7a47ddf471b5cce6b6d78f6f8c8f0
SHA1 hash: b30cc1e64a7553460b532923d4abc69135a6aca9

SHA256 hash: 40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae
MD5 hash: a92ecf7fef1451c1ebd6f7886a9e22d5
SHA1 hash: 271776d22bb408f5ac2c1c375f116f0cfe5315cf
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample: Executable exe 40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae (this sample)
Signature: RaccoonStealer
Delivery method: Distributed via web download

Comments



zbet commented on 2021-09-22 01:15:38 UTC

url: hxxp://45.133.1.182/WW/file6.exe