MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 12 File information Comments

SHA256 hash:	53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b
SHA3-384 hash:	0c43c5d9cc060cca5b81d667c4f65f94107b43f103fea15e5ae4ed038c4d26dd2544d9bd6b0f6835e8a4df6e3f102fa9
SHA1 hash:	bcdc6e2ff3a3cb82d35fb27951b7c074c40a1a4a
MD5 hash:	acd13e8cfe7d33744ccfdc054eef1308
humanhash:	sodium-harry-saturn-magnesium
File name:	file
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	2'808'576 bytes
First seen:	2023-08-23 22:04:23 UTC
Last seen:	2023-08-24 17:29:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	49152:d7nB5rKkCJTqd4RLsmGHTtdvVzPBLqAXJrHekH91:4TqGFxw/xH5HHb
Threatray	32 similar samples on MalwareBazaar
TLSH	T131D53B3037EA510CD5B567301C3AAAC626BBBE7A7F18C61D3569060C9E735138B21FB6
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	fca4acece8888484 (1 x RaccoonStealer)
Reporter	andretavare5
Tags:	exe RaccoonStealer

andretavare5

Sample downloaded from https://vk.com/doc44017378_668323082?hash=FXZQ4nWwXFOgARtdDa1xDzoYSW1X7IkBMq5ZdqoAYnX&dl=5TbqlKDXPTFpa5cfg92vsz74wVaYGY3c4qksLoaWkHo&api=1&no_preview=1#kisrise

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-08-23 22:05:04 UTC

Tags:

risepro stealer evasion

Link:

https://app.any.run/tasks/5591e051-7ec3-472a-956e-9b2cf647a5cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444353/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.27151.26399.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

DNS request

Sending an HTTP GET request

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/64e682909489ac1ead3e60ec/reports/86feccf5-d583-4076-9627-80e8605f1b51/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc060b6b-4a3a-4388-8a6f-a3e91f7ade1d

Result

Threat name:

PrivateLoader

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1296216

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Yara detected AntiVM3

Yara detected PrivateLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-08-23 22:05:06 UTC

AV detection:

9 of 23 (39.13%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kpc5gztw77xisr4t2pmfa5uwguuj72zf7ylk57zl7tz5rksrbsfq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b

RaccoonStealer

80f8be7669ca52aec4c9f42385328b94069d6bbee35ce6352aa46216452f0d75

RaccoonStealer

b9458e5ccb3e716b7970988b9d2fdd2ecd3c77f57be0bae9e6ec9948f427ece8

RaccoonStealer

de37e38d15933b163d7b104af7ac4392af4a5663f500f5567efc40c8c01e9968

RaccoonStealer

f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599

RaccoonStealer

f767afef9083aed521760649129fae272dfe30f66c9922ca4529533bb81d0612

RaccoonStealer

fc9fa1695c11f2c3a8019b64b414137c47d1b2f57b8593f44eda1237e4b3293b

RaccoonStealer

+ 22 additional samples on MalwareBazaar

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader

Link:

https://tria.ge/reports/230823-1zgzjafh54/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

PrivateLoader

Malware Config

C2 Extraction:

194.169.175.123

Unpacked files

SH256 hash:

7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b

MD5 hash:

611af5f1dbaa7a54dad2be40198d8367

SHA1 hash:

7d3b5ee5dcd56676c1ac39c63493e863e6e52d9b

Detections:

RiseProXorStr

win_privateloader_w0

Link:

https://www.unpac.me/results/c84eec18-8ff6-4649-9dfd-c86c76b23a58/

Parent samples :

6eb58443e4186740619e7fb0e391a47517ce63ba4db0bd1fb4ce007c543db2be
7307b42a1e25b3a6e376bbf246916e0b71e27c2c09fdeed14fa7a3c7b677868b
142aee3c05b5023b306aa9983c67e7168df45509882940470d5fa5d9b0a95eb9
77b840bcbcda735a7e2b67f915fdfeb87ebc5324bff776ee7393a65d1a6ddf76
53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b

SH256 hash:

628400e284b1d4ca69febe4e1ba051b7d7e10c8f78b829a66f678b4d568f5748

MD5 hash:

37c8aacab9f3fbb732239df98f0a71cd

SHA1 hash:

70fbabd6566f43d4c8990cfc961f6c7dfafd57db

Link:

https://www.unpac.me/results/c84eec18-8ff6-4649-9dfd-c86c76b23a58/

SH256 hash:

65e47578274d16be1be0f50767bad0af16930df43556dd23d7ad5e4adc2bcbe3

MD5 hash:

848b847cd19805d19235b5acb8ef2bef

SHA1 hash:

38100751a4ae45a143232cbacf9bb441b31fb211

Link:

https://www.unpac.me/results/c84eec18-8ff6-4649-9dfd-c86c76b23a58/

SH256 hash:

53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b

MD5 hash:

acd13e8cfe7d33744ccfdc054eef1308

SHA1 hash:

bcdc6e2ff3a3cb82d35fb27951b7c074c40a1a4a

Link:

https://www.unpac.me/results/c84eec18-8ff6-4649-9dfd-c86c76b23a58/

Malware family:

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/53c5d36676ff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/53c5d36676ffee894793d3d850769635289feb25fe16aeff2bfcf3d8aa510c8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	privateloader Create hunting rule
Author:	andretavare5
Description:	PrivateLoader pay-per-install malware

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_privateloader Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

Rule name:	win_privateloader_w0 Create hunting rule
Author:	andretavare5
Reference:	https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/444353/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample