MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a4ea21866a9389bf5b036e67833d449b228e1600f9d596732c020ebf04b2f73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	5a4ea21866a9389bf5b036e67833d449b228e1600f9d596732c020ebf04b2f73
SHA3-384 hash:	5d0ec23d926d72c26de557dbb34db492a16c6c37773b435f9682b26e4df2c219d57f0ebe040ff56cb173e83a4794e7a0
SHA1 hash:	6462509ea2b039666a8ca0c8122dbd1ad0f60122
MD5 hash:	088eb3f50215d88895e7f2215607e5d0
humanhash:	seven-fifteen-quiet-thirteen
File name:	088eb3f50215d88895e7f2215607e5d0.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	7'336'923 bytes
First seen:	2022-01-18 17:39:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5640c7a22008f949f9bc94a27623f95 (3 x RaccoonStealer, 3 x IrisStealer, 2 x CoinMiner)
ssdeep	196608:rB+hvICteEroXxqENE+sKsXXgvkU+AOWDMCsnNEl:+InEroXjsKkXgsJKDCNK
Threatray	3'567 similar samples on MalwareBazaar
TLSH	T15E76330063E808DEF8BFC638C5658621A0B274679759D4EF17AC835E9F971E36E73A04
Reporter	abuse_ch
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rae.exe

Verdict:

No threats detected

Analysis date:

2022-01-18 18:05:02 UTC

Tags:

installer

Link:

https://app.any.run/tasks/b20da59d-1285-456f-8f0b-c938bc35e4b4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PyInstaller

Link:

https://www.capesandbox.com/analysis/220282/

Detection(s):

SecuriteInfo.com.PyInstaller.13124.17635.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Running batch commands

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Searching for the window

Unauthorized injection to a recently created process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4594/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe expand.exe greyware overlay packed

Link:

https://www.filescan.io/uploads/61e6fb83d32385db63030c52/reports/f2aec196-5975-472c-8068-6d69ffe10c80/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/427a144d-5fcb-4b2f-9aaf-979ec9632a88

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/922703

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a4ea21866a9389bf5b036e67833d449b228e1600f9d596732c020ebf04b2f73/

Threat name:

Win64.Trojan.Phonzy

Status:

Malicious

First seen:

2022-01-18 15:21:13 UTC

File Type:

PE+ (Exe)

Extracted files:

648

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ljhkegdgve4jx5nqg3thqm6ujgzcrylab6ovszzsyaqox4clf5zq._file

Verdict:

malicious

RaccoonStealer

310fae0d844061aeea3d540052c5daadd3ea406b6fcc529b44c7997ac6a09cbb

RaccoonStealer

360f2daa601a407296f2a123346526c790bc1a03f974bad4379e0c534056182e

RaccoonStealer

36227451bca557ea1488a46b8642d1eebceeeaed14c34e96f216a56321bff60c

RaccoonStealer

c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656

RaccoonStealer

f6cb90f76c5ba8a4482c8405f744103f898b7d1920c569b74fb22dd9bea7d2a4

RaccoonStealer

ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568

RaccoonStealer

+ 3'557 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon pyinstaller stealer suricata

Link:

https://tria.ge/reports/220118-v8x48acdcr/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

Raccoon

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

Unpacked files

SH256 hash:

5a4ea21866a9389bf5b036e67833d449b228e1600f9d596732c020ebf04b2f73

MD5 hash:

088eb3f50215d88895e7f2215607e5d0

SHA1 hash:

6462509ea2b039666a8ca0c8122dbd1ad0f60122

Link:

https://www.unpac.me/results/1bf281b9-9d11-4be8-b55b-5c02369c7d70/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a4ea21866a9389bf5b036e67833d449b228e1600f9d596732c020ebf04b2f73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

exe 5a4ea21866a9389bf5b036e67833d449b228e1600f9d596732c020ebf04b2f73

(this sample)

Cape

https://www.capesandbox.com/analysis/220282/

URLhaus

https://urlhaus.abuse.ch/url/1987043/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample