MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49c3cd2478d1dcf8ce1d1f49b31049bac657b957183d397ba670f522dd9e21a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49c3cd2478d1dcf8ce1d1f49b31049bac657b957183d397ba670f522dd9e21a7
SHA3-384 hash: ac3633fcd26c12c44afc2d3827b75c6e23aab8b0952d828646f44461871f55168601108c17659d2b481a20e9668d69ea
SHA1 hash: 365229e1069a93fd3eeb81b8ac6ef8fde36653ab
MD5 hash: 46412e25323f2e83b7a08fddf793906b
humanhash: video-stream-blue-shade
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.61912.12941.27681
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'036'888 bytes
First seen:2021-03-11 14:47:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:hEZbKzTXB78yH9D6jD2HKtfDmowl5fNBYQW8bHguR:h3XVhH9D4CqlDedYQ4Y
Threatray 451 similar samples on MalwareBazaar
TLSH 5F95E015A67BFF0AC7D1EF317047841C0B10E5A7B26BB7472E2C626669322FB89513D2
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.Siggen2.61912.12941.27681
Verdict:
Malicious activity
Analysis date:
2021-03-11 15:02:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bdd203ee-4e3c-46ae-8ad5-51985e7d2e35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123824/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61912.12941.27681.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/636954
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49c3cd2478d1dcf8ce1d1f49b31049bac657b957183d397ba670f522dd9e21a7/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 22:05:42 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
16e587a78c6af7a68db2eee80ac40ccec784aeb261cfa7bab04c54608dc96324
RaccoonStealer
2a304174fa127b71c62cd03a9091f5404ed6df692231b7e34194b9be959cf654
RaccoonStealer
3d3112ce7c1a80e0378b15c7084b1b49a9805a5e47a85a97acdd7841d0a9b40b
RaccoonStealer
41777ed7d655a1cb0fe45a38f46964172a7328b5620ecc4bfb83964988505b27
RaccoonStealer
84c9d8e33e9bbff6837052a08a5d6f61d3a5815898a24b0739413ed1feb56976
RaccoonStealer
a660e2d2a31c33b4af1bfeeb29170da58b25c427485e76a238d1af4a0ffe3568
RaccoonStealer
d2c1530870532abdf2123652c9f97dc9de79dc8aabbb8cfd185b1011d6cdbb01
RaccoonStealer
d56d396970dc35f8b7638fd4c38d831eabd2c4997f1df7e27bc6fdbfedf21c93
RaccoonStealer
d7b185cdc7b58c419814ecbf667db1307587b1949e8f107fd80e16af446196d4
RaccoonStealer
dbbc522719582c66077a06ac1b94fedeed360335d5762dbc78a5744d4309ce93
RaccoonStealer
+ 441 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:99fdcb30af520f176f0e14e858c8bb23c13330d9 stealer
Link:
https://tria.ge/reports/210311-ksxengc8lj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
49c3cd2478d1dcf8ce1d1f49b31049bac657b957183d397ba670f522dd9e21a7
MD5 hash:
46412e25323f2e83b7a08fddf793906b
SHA1 hash:
365229e1069a93fd3eeb81b8ac6ef8fde36653ab
Link:
https://www.unpac.me/results/167632c6-299c-4fb0-b3bb-00ac085b292c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49c3cd2478d1dcf8ce1d1f49b31049bac657b957183d397ba670f522dd9e21a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 49c3cd2478d1dcf8ce1d1f49b31049bac657b957183d397ba670f522dd9e21a7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1061412/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123824/

Comments