MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002
SHA3-384 hash: 1a7c6c82cf19aa8b4807d1a05dbd1448a35a3d888cacc1432f4449697a28b55504371d99d58f2cfb50adb741cb5bd76d
SHA1 hash: 3bf3ed28bdd2ceb9916d365df8d63dfa105a33f3
MD5 hash: 5edcc4f8fb881b391e4eb258b6422fdb
humanhash: uniform-fourteen-earth-double
File name:5edcc4f8fb881b391e4eb258b6422fdb
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:140'424 bytes
First seen:2021-06-28 13:42:05 UTC
Last seen:2021-06-30 07:04:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 881c5e1fe3abca37c874949babc63f6b (1 x RaccoonStealer)
ssdeep 768:Qu57/LVS/RyceoMt0VaaJPCjmCsFb/881m9zdynSfAPOczcC3k9CqOjAulOPgTpV:Z1VS/RDwtGJOoSIPfzcBCqOjj1pkQxjX
Threatray 3'395 similar samples on MalwareBazaar
TLSH BAD38DA2E9DA6501F1054731C464864F6E10BF552933CA0B33067ECF9EB92C39AE5BF6
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5edcc4f8fb881b391e4eb258b6422fdb
Verdict:
Suspicious activity
Analysis date:
2021-06-28 13:46:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/078603f4-1b40-49a8-b1bd-130b2b3145bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168589/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.5473.6604.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3947908b-3c88-4b81-bcb0-86a2d8e906cd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/808842
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Potential malicious icon found
Potentially malicious time measurement code found
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 10:32:23 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhowhpaj3jcsvy3yd5kxbug74ncp65w7obaz3clft73t27tjcaba._file
Verdict:
malicious
Similar samples:
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
RaccoonStealer
3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9
RaccoonStealer
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
RaccoonStealer
a8fb61732f9696d24e02dda47d2f12abe0d8968e130f05d2381bb7b5a93f3ec0
RaccoonStealer
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
RaccoonStealer
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
RaccoonStealer
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
RaccoonStealer
+ 3'385 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:raccoon discovery downloader spyware stealer
Link:
https://tria.ge/reports/210628-z1dlhmg3ss/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Guloader,Cloudeye
Raccoon
Malware Config
C2 Extraction:
https://drive.google.com/uc?export=download&id=1V8t6cBYUxfu3nP2JKKKyCtxGO5SylImh
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/23685f42-dd5d-4ad6-b129-206ce47e1a98/
SH256 hash:
59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002
MD5 hash:
5edcc4f8fb881b391e4eb258b6422fdb
SHA1 hash:
3bf3ed28bdd2ceb9916d365df8d63dfa105a33f3
Link:
https://www.unpac.me/results/23685f42-dd5d-4ad6-b129-206ce47e1a98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1365028/
Cape
Cape
https://www.capesandbox.com/analysis/168589/
  
URLhaus
https://urlhaus.abuse.ch/url/1389694/
  
URLhaus
https://urlhaus.abuse.ch/url/1392424/
  
URLhaus
https://urlhaus.abuse.ch/url/1394133/

Comments