MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 533ae8a3da85287304c89e2758f9bd5e54c586b2c13a152e34033d1884eb7d16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs 3 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 533ae8a3da85287304c89e2758f9bd5e54c586b2c13a152e34033d1884eb7d16
SHA3-384 hash: 2309c689642d8218564cc5f014936c6940a234a4e5323c4af444af1fba7ee432a781cfb8cc51914d080cb0df15412bcd
SHA1 hash: 03a45d2592c235c6d9cd7f835d36f12d992687bd
MD5 hash: a21e5912c536d5fde51b5269bcfb356b
humanhash: chicken-earth-ink-black
File name:SecuriteInfo.com.Mal.GandCrypt-B.21007.4615
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:351'744 bytes
First seen:2021-05-26 23:38:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b0ea5360984cd75edf9d1528f542b372 (5 x RaccoonStealer, 3 x Stop, 1 x CryptBot)
ssdeep 6144:on24vR8LyUxvU/iNcJqbl8ykAw+ebT+UQQQ4FhVQSJ8r:on24vR8/xsqeAbl8LxtT+J47B
Threatray 225 similar samples on MalwareBazaar
TLSH 8274AE2167D1C035F0B722B449B693B8A53ABEE1673491CF62C43BEE5A706E59C30793
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://212.237.61.115/ https://threatfox.abuse.ch/ioc/65646/
http://geopgb32.top/index.php https://threatfox.abuse.ch/ioc/65657/
http://morzax03.top/index.php https://threatfox.abuse.ch/ioc/65658/

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Mal.GandCrypt-B.21007.4615
Verdict:
Malicious activity
Analysis date:
2021-05-26 23:46:51 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/8846967d-5e8a-4063-b748-ceb0d77214cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162605/
Detection(s):
SecuriteInfo.com.Mal.GandCrypt-B.21007.4615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/792975
Signature
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/533ae8a3da85287304c89e2758f9bd5e54c586b2c13a152e34033d1884eb7d16/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 20:56:41 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
28 of 47 (59.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=km5ori62quuhgbgitytvr6n5lzkmlbvsye5bklruam6rrbhlpula._file
Verdict:
suspicious
Similar samples:
43eb032fa36ff0b40420df7d5fa121910ec02ba7ba03581a5a7188939ddc24ee
RaccoonStealer
5397b6d592556e4d65cd442190cfbcba5b3d253b0fbfcc0a16f1c6f2b48a58c4
RaccoonStealer
80f4e35d825fcd2816deb95b0a2694203238b769cbf6267dcca8d10d6e1394c4
RaccoonStealer
9459c29cbd2a32118375f6476421a3df233c80c289a163793d560f8b7c693848
RaccoonStealer
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
RaccoonStealer
a17bb3e305532ac8e6dd2785ae50cf5f18a3de6a9ea2a4b75ea841b66ba94509
RaccoonStealer
a5e79ae2f930e6ae8ba7057f14c5b96a7962c0720ddd040a655e59c8dae4b959
RaccoonStealer
c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72
RaccoonStealer
dab1943418275fa0a684702d291fa2fd693bebc19b99f7af9ad8dc3dd0a47cb5
RaccoonStealer
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
RaccoonStealer
+ 215 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210526-t7nlld11ve/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/533ae8a3da85287304c89e2758f9bd5e54c586b2c13a152e34033d1884eb7d16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 533ae8a3da85287304c89e2758f9bd5e54c586b2c13a152e34033d1884eb7d16

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1288301/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/162605/

Comments