MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 633ec6bac41a0a36d8ed5cf50392742f1490f3dcbf4c6792efc3b70fbacc2004. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 633ec6bac41a0a36d8ed5cf50392742f1490f3dcbf4c6792efc3b70fbacc2004
SHA3-384 hash: 2b593722aaf2ee6e5dbba51e6ef4f74c266c5b8aca9375c29b41474a05cba5b0014380a9fc45e6ef6e62f94dd26e7c83
SHA1 hash: 77fd4862739fdda0016d67f71af28c4e7a5407a0
MD5 hash: ab72029b00e744545fe11d04918d12ba
humanhash: seventeen-green-pasta-single
File name:ab72029b00e744545fe11d04918d12ba
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:7'707'136 bytes
First seen:2023-01-29 20:21:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7c88a9f12777d4c1f156ccc8f276fa1 (3 x Arechclient2, 2 x RaccoonStealer, 2 x Amadey)
ssdeep 196608:dZkKDdWzNLqrZQRcFE7qQGshXJbs0+XHeOeKp:8WdoN2K97msvQ
Threatray 243 similar samples on MalwareBazaar
TLSH T15A76237212A5D18DC4EA8838C437EEF275FD1D16D581A83721C97EA73833793A91AD83
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8e8ccecfcfcf8eb2 (1 x AllcomeClipper, 1 x RaccoonStealer, 1 x LaplasClipper)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab72029b00e744545fe11d04918d12ba
Verdict:
Malicious activity
Analysis date:
2023-01-29 20:22:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c3d818c-e699-4c88-a4e9-ae9710d2dcd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358022/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.38977.23542.16657.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63863/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed redline virus
Link:
https://www.filescan.io/uploads/63d6d56c1c9cbf7d62543eb4/reports/b35274b8-c9b7-40de-9c7a-4b5ea2449b5b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ed1ecb90-3c79-45ba-84a9-5e2aecb48900
Result
Threat name:
Laplas Clipper
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1161165
Signature
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Yara detected Laplas Clipper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/633ec6bac41a0a36d8ed5cf50392742f1490f3dcbf4c6792efc3b70fbacc2004/
Threat name:
Win32.Hacktool.Krasnoglaz
Create hunting rule
Status:
Malicious
First seen:
2023-01-29 20:23:21 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
12 of 26 (46.15%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mm7mnowedifdnwhnlt2qhetuf4kjb464x5ggpexpyo3q7owmeaca._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
20ac0c20a2ef71864092cdbcdb32bb637cf76abd2ebfc5b351a6c188b9dfd05d
RaccoonStealer
2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29
RaccoonStealer
58b415a4211b4ab0714cb45cfc92cc793c3f6ad8b1413c5f8320cfc77b5d2868
RaccoonStealer
712c853955c56e27e3e4538978fa89018cdc5e5f56944ea0da2fc1a672adc73c
RaccoonStealer
b62f5066357d2dfc94dec4d902f68f6e9e98a19a9aea6fb70d2811de384fd7a1
RaccoonStealer
ca4028b174f018a8401ebefb72d595dad12c12a9ee7209d2fc8993c0c25f3c4d
RaccoonStealer
dc401554533938f33c0c6cf36246e4fc21dc687d2d3f2925bfa9f7d62a2c5fbe
RaccoonStealer
ec50003de83269b82d86c2a2e4e44e6df77cc3aa7d3b967124b44cb47279c262
RaccoonStealer
+ 233 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230129-y5jn7sca24/
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d193715ae354d3d78c669c1426350b1ed91da5bb0027cdb26195d42394d0d4bc
MD5 hash:
7403e86a80b2024dda1ad728c89a6c9e
SHA1 hash:
937efca4d3e4c20cd4a8c63c4ad94dc09db0d2a0
Link:
https://www.unpac.me/results/4c89ddb7-57ec-4057-bf94-425e34fdb3ed/
SH256 hash:
633ec6bac41a0a36d8ed5cf50392742f1490f3dcbf4c6792efc3b70fbacc2004
MD5 hash:
ab72029b00e744545fe11d04918d12ba
SHA1 hash:
77fd4862739fdda0016d67f71af28c4e7a5407a0
Link:
https://www.unpac.me/results/4c89ddb7-57ec-4057-bf94-425e34fdb3ed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/633ec6bac41a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/633ec6bac41a0a36d8ed5cf50392742f1490f3dcbf4c6792efc3b70fbacc2004

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 633ec6bac41a0a36d8ed5cf50392742f1490f3dcbf4c6792efc3b70fbacc2004

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2521944/
Cape
Cape
https://www.capesandbox.com/analysis/358022/

Comments


Avatar
zbet commented on 2023-01-29 20:21:41 UTC

url : hxxp://5.75.199.27/wnqeiwbpae.exe