MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53ea06f8e6db1b09239111275f338bd703fd15bd38a3b8956f1df19c1f5b9f9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	53ea06f8e6db1b09239111275f338bd703fd15bd38a3b8956f1df19c1f5b9f9f
SHA3-384 hash:	90b90388df07aec00e7d18d9ad51f08102970252e8e23c49f3989153507f061ca2abd5a55015b52bbc5a8b6e2120b131
SHA1 hash:	d0d7a93407e8b113defaaaf23552d99454713785
MD5 hash:	3215b2bd3aeaea84f4f696c7ba339541
humanhash:	item-purple-timing-hawaii
File name:	53ea06f8e6db1b09239111275f338bd703fd15bd38a3b8956f1df19c1f5b9f9f
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	32'458'728 bytes
First seen:	2023-06-02 12:19:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2ac8cfbdcd87ae0accb32ef84be42ad8 (1 x RaccoonStealer)
ssdeep	786432:PQPszZP8gQ1G4B6VXYiztLy7K7IEAP3pCpXTONg6J/:PQPMRQl6aatLy70AP3pCpIxJ
Threatray	1'331 similar samples on MalwareBazaar
TLSH	T1166712D3A1CA92F8D0874A34618123C720D1F4AA86FDE65D3BC65C037962EF6498DB77
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	f8f0cce0dcd8d8de (1 x LummaStealer, 1 x Stealc, 1 x RaccoonStealer)
Reporter	adrian__luca
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

53ea06f8e6db1b09239111275f338bd703fd15bd38a3b8956f1df19c1f5b9f9f

Verdict:

No threats detected

Analysis date:

2023-06-02 12:21:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2e9ee893-3a9c-4efe-881b-6b762eb9070b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Sending an HTTP GET request

Creating a file

Running batch commands

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug crypto greyware lolbin overlay packed shell32.dll vidar

Link:

https://www.filescan.io/uploads/6479de76e794f9b5b39e3935/reports/bed3da71-bf3e-498a-a864-4818465c674b/overview

Verdict:

Malicious

Labled as:

Infostealer/Vidar

Link:

https://www.hybrid-analysis.com/sample/53ea06f8e6db1b09239111275f338bd703fd15bd38a3b8956f1df19c1f5b9f9f

Result

Verdict:

MALICIOUS

Result

Threat name:

BazaLoader

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1247562

Signature

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

Yara detected BazaLoader

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-05-29 16:34:11 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kpvan6hg3mnqsi4rcetv6m4l24b72fn5hcr3rflpdxyzyh23t6pq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

1d2b30b68962af3d19af75515aae44eeb39031432655824b18d1121a8a582aab

RaccoonStealer

25139b1e194865c93db98514375b74971e11a690d53b6030014830d019458313

RaccoonStealer

3427583e84dda3d92aab9f9b9050d7cfe9bcb43094acc08f02f0166f310702cc

RaccoonStealer

3d89f2818d1db862eb5542217e1d5571e5a75af60e8734265ef6b6bc884e191f

RaccoonStealer

3e8cd0eb4715ef2b9f3b9f676b90eb16b0842d289a34fdd41e46c106a845d983

RaccoonStealer

52a8ac9f9dcc37f94eb2e857205293f60bdc090470203643ca52710eb9baf322

RaccoonStealer

8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

RaccoonStealer

d80111cba6cb72d44025721523aaf389f6da96751582caa79cc4bb52287008aa

RaccoonStealer

f0aaf7ed92def94883ce317c950802e8779a7807b807d3efcc922116e8cad652

RaccoonStealer

+ 1'321 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware

Link:

https://tria.ge/reports/230602-phrxmabc62/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Loads dropped DLL

Downloads MZ/PE file

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/53ea06f8e6db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/53ea06f8e6db1b09239111275f338bd703fd15bd38a3b8956f1df19c1f5b9f9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample