MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d31c3b33070c5755724734a11b0a5b2e50838d5b4b78b275730d25f73c0b68c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d31c3b33070c5755724734a11b0a5b2e50838d5b4b78b275730d25f73c0b68c
SHA3-384 hash: ed22592d55df7bb67dc340b302d7ad9bdbf9c56e31290c28d58a9a5e923560fb905c4d751b24d7bc66fe267b1f2a7468
SHA1 hash: 59473f97ce42436c905eca5695da90020d3be2d7
MD5 hash: 1f4820f4dd23a7ea81fbdd096b3f5b59
humanhash: vermont-yankee-pip-india
File name:1f4820f4dd23a7ea81fbdd096b3f5b59.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'122'112 bytes
First seen:2023-01-04 12:48:34 UTC
Last seen:2023-01-04 14:31:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 64e1066f3445adea52054d49fbbd46fe (1 x RaccoonStealer)
ssdeep 98304:oDswblD8ifUIRCS6g2B8LYy2qydNZM0a09job:Zwf9z6gL19yLZM0a09
Threatray 367 similar samples on MalwareBazaar
TLSH T15A16233752692259C4E8DC3EC537BE8471F9032B0642B8B475FBBDC324725EAE613992
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f4820f4dd23a7ea81fbdd096b3f5b59.exe
Verdict:
Malicious activity
Analysis date:
2023-01-04 12:51:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72259a76-12de-437c-b425-3d8b84991140

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349408/
Detection(s):
SecuriteInfo.com.Trojan.Heur.GM.0800520080.26117.6456.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/63b575c3dde391056ac1069c/reports/8daa7c23-34dd-4da3-97a3-07bf4fed47d1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/603861d0-0597-4564-ad48-1563c58bf074
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1145071
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 777863 Sample: x6HulcBTBD.exe Startdate: 04/01/2023 Architecture: WINDOWS Score: 80 39 Multi AV Scanner detection for submitted file 2->39 41 Machine Learning detection for sample 2->41 43 PE file contains section with special chars 2->43 7 WindowsPaint-Ver2.4.7.9.exe 2->7         started        10 x6HulcBTBD.exe 4 2->10         started        13 WindowsPaint-Ver2.4.7.9.exe 2->13         started        15 5 other processes 2->15 process3 file4 45 Antivirus detection for dropped file 7->45 47 Writes to foreign memory regions 7->47 49 Allocates memory in foreign processes 7->49 51 Injects a PE file into a foreign processes 7->51 17 vbc.exe 7->17         started        35 C:\...\WindowsPaint-Ver2.4.7.9.exe, PE32 10->35 dropped 37 WindowsPaint-Ver2....exe:Zone.Identifier, ASCII 10->37 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 10->53 19 icacls.exe 1 10->19         started        21 icacls.exe 1 10->21         started        23 schtasks.exe 1 10->23         started        25 icacls.exe 1 10->25         started        signatures5 process6 process7 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d31c3b33070c5755724734a11b0a5b2e50838d5b4b78b275730d25f73c0b68c/
Threat name:
Win32.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2023-01-03 21:34:24 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=luy4hmzqodcxkvzeonfbdmffwlsqqogvws3ywj2xgdjf646aw2ga._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
RaccoonStealer
37923fb04b4ee3103e82cb67c78febda94b8ce7c93ef35d90bb8ff371600342b
RaccoonStealer
382cc180516898230a242e80456ef81647d83a9d2edb82ecbc809daa65219147
RaccoonStealer
4d70a2e9f63fea018db99bef6cecbf094255c52f6e2bd9d1d7458e637efb9172
RaccoonStealer
56d901c98e235d2c02936b0553839e7fec6bec501097f87996a47da1f0ae501c
RaccoonStealer
e134f20c16c2d118f95738897fc6c8f3be4ec46563ad7e1c243c3d7595a0ea68
RaccoonStealer
f022991ffa81316654d102a92989ed05e2ba1a7cdff6bf828f830dbeae375627
RaccoonStealer
+ 357 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/230104-p2cl2sah7z/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Modifies file permissions
Uses the VBS compiler for execution
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3b256487-2c12-461e-9883-b2c3908e40fc
Unpacked files
SH256 hash:
7ba68c2a8e8fafc261515b2bd544a9f10c43e4ba20114391e6a0d81cb1635d01
MD5 hash:
da3560e72399c3ecadf86a36ee677e92
SHA1 hash:
a06582a5260179ccec376aa13f19c885bc4f927a
Link:
https://www.unpac.me/results/4de2b91e-a79c-4d83-bb6a-c36424342c57/
SH256 hash:
5d31c3b33070c5755724734a11b0a5b2e50838d5b4b78b275730d25f73c0b68c
MD5 hash:
1f4820f4dd23a7ea81fbdd096b3f5b59
SHA1 hash:
59473f97ce42436c905eca5695da90020d3be2d7
Link:
https://www.unpac.me/results/4de2b91e-a79c-4d83-bb6a-c36424342c57/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5d31c3b33070/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d31c3b33070c5755724734a11b0a5b2e50838d5b4b78b275730d25f73c0b68c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 5d31c3b33070c5755724734a11b0a5b2e50838d5b4b78b275730d25f73c0b68c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2469977/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349408/

Comments