MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fd202b93cc2d13fbf7ca7de657a4c1e2f979a027bc49600604720ff5588f5a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fd202b93cc2d13fbf7ca7de657a4c1e2f979a027bc49600604720ff5588f5a0
SHA3-384 hash: 9b749bc159c0839d47930d195aa6a934c1a3e043bb4a9d636529ad4c42278b22948d6a27d4fcc3d948f86cb592e7f569
SHA1 hash: d3c63b6d2f389c25071ab7bfee6370ae3e11f7d8
MD5 hash: 5b60d41bd93869e36d90775be1ae7830
humanhash: early-winter-arkansas-kentucky
File name:SecuriteInfo.com.BackDoor.Siggen2.247.25159.15326
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'460'672 bytes
First seen:2021-02-23 16:01:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98a54ff6d6472f8f0fdc4ec82a18ef8c (1 x RaccoonStealer)
ssdeep 49152:WMzjnCoR424OTzb09asQ85DOqRpxIT7BV7cH:1jn9R4Ezb09asQ85DOqfxITj
Threatray 226 similar samples on MalwareBazaar
TLSH 11B5B01A3C85C032C2672531CC6DA9EDE5BDBE512F2099C76384BE3D5EB12D16A3523E
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118706/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen2.247.25159.15326.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching cmd.exe command interpreter
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Forced system process termination
Unauthorized injection to a system process
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/615681
Signature
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to steal Internet Explorer form passwords
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4fd202b93cc2d13fbf7ca7de657a4c1e2f979a027bc49600604720ff5588f5a0/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 12:58:44 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00723545fff6ce259e729f8f1f9c7129e0d667502f94ef137bbbd9642ced4cc0
RaccoonStealer
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
RaccoonStealer
44283ee3be33ad2077f6c8c18b1699f3d694cb936336523b299646f1a39ea8fc
RaccoonStealer
5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6
RaccoonStealer
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
RaccoonStealer
b8392aaf409d89fe323576fdf09bf3320094962da9812918d23bb47b3d8d53f8
RaccoonStealer
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
RaccoonStealer
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
RaccoonStealer
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
RaccoonStealer
f0898da54ae0f11c2769f71e20969563bc58e74bb1594869108b8242a9c2419b
RaccoonStealer
+ 216 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:6bbb1ff45f4a7a29bea0350b103adad3e7f6df63 stealer
Link:
https://tria.ge/reports/210223-37knvjytjj/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Blocklisted process makes network request
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
b36554728d7c55b875f7cfc63263cb5f4cc9468772640469bc3f11b44934138e
MD5 hash:
bc807905f27aab946f6fadb30ea4a138
SHA1 hash:
cd68c1d0096b945899a9075050067931f353439f
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/2a5c3ae1-1a2f-48dc-b39d-b0ecd07a01f4/
SH256 hash:
4fd202b93cc2d13fbf7ca7de657a4c1e2f979a027bc49600604720ff5588f5a0
MD5 hash:
5b60d41bd93869e36d90775be1ae7830
SHA1 hash:
d3c63b6d2f389c25071ab7bfee6370ae3e11f7d8
Link:
https://www.unpac.me/results/2a5c3ae1-1a2f-48dc-b39d-b0ecd07a01f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fd202b93cc2d13fbf7ca7de657a4c1e2f979a027bc49600604720ff5588f5a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 4fd202b93cc2d13fbf7ca7de657a4c1e2f979a027bc49600604720ff5588f5a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1025521/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118706/

Comments