MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc
SHA3-384 hash: b643d1870d7e21da9ab6d44f4be095064a6f4d18661ecff3f142e0ee05d0ffda3eb313ff793dafefcc721e3c9437584b
SHA1 hash: 2f21495ad5d0ff0e20e8ee0ce8d3f8605821b492
MD5 hash: c8753945c41821a7e3d9f5da2091cfb9
humanhash: thirteen-helium-harry-idaho
File name:c8753945c41821a7e3d9f5da2091cfb9
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'123'840 bytes
First seen:2021-11-11 22:39:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 335487b50c180fdca285bc221817b6ec (3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 24576:4D39vwHvYu7HKmbp+3dHxrmKfjTC8dUGeZgMi:RvYaqop26qxUGCW
Threatray 1'601 similar samples on MalwareBazaar
TLSH T1DB35335A9A019CC6E33122BCC44BF5282835FEBC49F4929665CF70BF72717618C266BD
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205138/
Detection(s):
PUA.Win.Packer.AsprotectSke-3
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/618d9bc6a00afa9663a47090/reports/a04d0731-826d-4175-a3d3-0299cf2c38a7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29d5fd04-ec87-4b6c-a026-55310a4aed67
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/887816
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520289 Sample: 2FPzDbCXHe Startdate: 11/11/2021 Architecture: WINDOWS Score: 96 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Raccoon Stealer 2->49 51 4 other signatures 2->51 7 2FPzDbCXHe.exe 82 2->7         started        process3 dnsIp4 35 91.219.236.143, 49715, 80 SERVERASTRA-ASHU Hungary 7->35 37 91.219.236.162, 80 SERVERASTRA-ASHU Hungary 7->37 39 2 other IPs or domains 7->39 27 C:\Users\user\AppData\...\rRc8nEPLnj.exe, PE32+ 7->27 dropped 29 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->29 dropped 31 C:\Users\user\AppData\...\vcruntime140.dll, PE32 7->31 dropped 33 57 other files (none is malicious) 7->33 dropped 53 Tries to steal Mail credentials (via file / registry access) 7->53 55 Self deletion via cmd delete 7->55 57 Tries to harvest and steal browser information (history, passwords, etc) 7->57 12 rRc8nEPLnj.exe 14 3 7->12         started        16 WerFault.exe 20 9 7->16         started        19 cmd.exe 1 7->19         started        file5 signatures6 process7 dnsIp8 41 www.google.com 172.217.168.68, 49781, 80 GOOGLEUS United States 12->41 43 192.168.2.1 unknown unknown 12->43 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->59 25 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->25 dropped 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc/
Threat name:
Win32.Trojan.StellarStealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 22:40:07 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldzr4hp7beqka5n5qdp5ptri7jy4osprgwh2wrmflgyvxy7bvh6a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
16361779af23f2bf8e9061bbf7ab4b702bbec1ceafec1eb4e97dc23a7373ac31
RaccoonStealer
28f5fb04e33ee8f3257b1a2c6f4ade3f281b0d474eea4bdde2abe622a1b11994
RaccoonStealer
3e820217037e312b739d6514547da6a7afd3d9e3b92dc90e6c30c35808fb5214
RaccoonStealer
57127e39e8381f5008ef721023300501ff39b9018907a46a34b7e40d317d8f85
RaccoonStealer
ce231785f06d7c6b33b20dded67b62f759ec23b23bee89b01fcb00953f7028c9
RaccoonStealer
de074784466375ef8258b4dbea4dd579fd9edf0c0e0f2b97afa39d00659f6763
RaccoonStealer
e26fe6535f9ec57538d49515fdf98b1a925fa26dd28040a96a5bc1c94a691975
RaccoonStealer
fe3d7939166e8e6ae965d66d98f6ee5583e535b575ba194aef038c6c1ea15ae4
RaccoonStealer
+ 1'591 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:0d1f59921cb84fd725d6a53e7598c57a14c53916 stealer
Link:
https://tria.ge/reports/211111-2ljfwaccd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4e09ef75345dc7e8f69dd955b1e7842a7d87f173b21cbcc7137efabd2740e3cd
MD5 hash:
cb292af22459d97e80319db575195f15
SHA1 hash:
2c11065f657bc6afd6fe265ccbd5e611ca253ff8
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/72f519a9-4a31-439c-8cd8-b0e41f603cda/
SH256 hash:
056370a2b464a79e3c5d238d88e0bf8819789ddebca7f2c25c557a17254f7679
MD5 hash:
5cdbd71bde2b12a872663777300e5f25
SHA1 hash:
2eb41bff98d570762c80e1db566ac6a55b71ddf2
Link:
https://www.unpac.me/results/72f519a9-4a31-439c-8cd8-b0e41f603cda/
SH256 hash:
58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc
MD5 hash:
c8753945c41821a7e3d9f5da2091cfb9
SHA1 hash:
2f21495ad5d0ff0e20e8ee0ce8d3f8605821b492
Link:
https://www.unpac.me/results/72f519a9-4a31-439c-8cd8-b0e41f603cda/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/58f31e1dff09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205138/
  
URLhaus
https://urlhaus.abuse.ch/url/1777968/

Comments


Avatar
zbet commented on 2021-11-11 22:39:57 UTC

url : hxxp://154.16.148.41/myblog/posts/237.exe