MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a7fa40eae6a4fc366ef98fb9f8343d0d48713acb3f88e5699c5e18a161a1b86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a7fa40eae6a4fc366ef98fb9f8343d0d48713acb3f88e5699c5e18a161a1b86
SHA3-384 hash: 55044775239650e846757dc3d1132dab319c9ce9409aeedacf810779314d4550a0d7f614189e65476384c3e83572feae
SHA1 hash: 149e2c8e71aafa78e7d1b6a9327e434f9f1a907a
MD5 hash: e0d2d4d7587b16f96e6df502262ed7c8
humanhash: sweet-ink-magazine-oranges
File name:e0d2d4d7587b16f96e6df502262ed7c8.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:5'323'936 bytes
First seen:2022-12-29 19:38:00 UTC
Last seen:2023-01-06 06:24:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc0d13e592b9ede7868f616c0fba8b8a (2 x RaccoonStealer)
ssdeep 98304:3LKGFIBfij+PkVwJ8Ug4/cQMYUNOFG6Q17NAhZKkOV1VzBu3cntwY+JJvvu0/RvY:bKfBfyhuJ834UQJUsFQ17mxOV1V9QsRp
Threatray 275 similar samples on MalwareBazaar
TLSH T15936236723553041C6DA89368C37BFA530F727BA4B82DCF8B99AEDC039165E4F212653
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer signed

Code Signing Certificate

Organisation:*.setup-un.com
Issuer:*.setup-un.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-29T10:56:32Z
Valid to:2023-12-29T11:16:32Z
Serial number: 125abff5924368ae4b31089291fe3935
Thumbprint Algorithm:SHA256
Thumbprint: d5c23c6db2f16678aea40427c763b2e18ff328b0ea9d139289165a53f6704b31
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e0d2d4d7587b16f96e6df502262ed7c8.exe
Verdict:
Malicious activity
Analysis date:
2022-12-29 19:42:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28806b92-7d6d-48b8-8799-4536bfb1b251

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.8932.22481.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Creating a file in the %AppData% directory
Launching a process
Deleting a recently created file
Reading critical registry keys
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Forced system process termination
Query of malicious DNS domain
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63adec9c2b1f5b0e511a3846/reports/ef1d5076-48ea-43a7-862b-2af7bd4198c6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f75d4da1-098b-4d9f-8312-475f008893fc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1142877
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a7fa40eae6a4fc366ef98fb9f8343d0d48713acb3f88e5699c5e18a161a1b86/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-29 19:39:14 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
16 of 40 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jj72idvonjh4gzxptd5z7a2d2dkioe5mwp4i4vuzyxqyufq2doda._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
RaccoonStealer
37923fb04b4ee3103e82cb67c78febda94b8ce7c93ef35d90bb8ff371600342b
RaccoonStealer
37af8d63e8e5adb5a5f30b471fe4e29f686c7923507583a21f46d3b2eb554f09
RaccoonStealer
4ae45d7f88f9e7d9887692200d5e42ee05e4308cd1f3d2d27b33ee36b0acbafc
RaccoonStealer
fd3f9ee2a7b4e35be97140818562dc4470f90705cbd959e87c07ed983692e33d
RaccoonStealer
+ 265 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/221229-ycdx9aea43/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15bf8bf2-bb21-4388-8116-f3cabd689990
Unpacked files
SH256 hash:
53daae8483004d3d4cb3e3096eb875b47163272a3488ecba32d45c75b70cf9c7
MD5 hash:
3afc6f422193f666b3b346ae862aeaca
SHA1 hash:
3c73fa681a522c875d5cd971e56f0aaf381a9c20
Link:
https://www.unpac.me/results/6a3cf523-580b-4466-91ea-2c2bd8774fe5/
SH256 hash:
77f3d6848a60482f7a2c77b3dcd95606d66d858a0c0224885148d39404ac1868
MD5 hash:
d402819c0fa9aebf02396ea9c528a3cc
SHA1 hash:
1808df6dcbb8e54893f907723b31f61c06d4a7b5
Link:
https://www.unpac.me/results/6a3cf523-580b-4466-91ea-2c2bd8774fe5/
SH256 hash:
4a7fa40eae6a4fc366ef98fb9f8343d0d48713acb3f88e5699c5e18a161a1b86
MD5 hash:
e0d2d4d7587b16f96e6df502262ed7c8
SHA1 hash:
149e2c8e71aafa78e7d1b6a9327e434f9f1a907a
Link:
https://www.unpac.me/results/6a3cf523-580b-4466-91ea-2c2bd8774fe5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4a7fa40eae6a4fc366ef98fb9f8343d0d48713acb3f88e5699c5e18a161a1b86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 4a7fa40eae6a4fc366ef98fb9f8343d0d48713acb3f88e5699c5e18a161a1b86

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2483080/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2483083/

Comments