MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c
SHA3-384 hash:	d941d757362421ea1a712f9daec61bdb6fae73a77b10d1a45298dd113ed8989e6df5982ffb7cc42a3f489c9d3a851b17
SHA1 hash:	21d8a1283f2fa97ad985eb73d3b46c9ef976a442
MD5 hash:	0d2f4c9a134013ef8f7f70c5cebb8203
humanhash:	november-twelve-quebec-wyoming
File name:	COO_TPE0269320_image2020-12-31-055841.scr
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'100'800 bytes
First seen:	2021-01-06 07:40:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	24576:cQZVr/CIJWz3MkYe7CJAbnix520CKmIA/ga:cO/ixv2JPxk0CKDX
Threatray	403 similar samples on MalwareBazaar
TLSH	8635CF1367F59644F0BB5B389AB0443097F6BC5B962EC17D28E4704D09F1A80A9BA3F7
Reporter	abuse_ch
Tags:	RaccoonStealer scr

abuse_ch

Malspam distributing RaccoonStealer:

HELO: mail.emailhouse.host
Sending IP: 5.189.220.130
From: Bernini Chang <admin@emailhouse.host>
Subject: DSV Air & Sea Co., Ltd. (TW1) - Taipei - Original 3 - (for Shipper) - HAWB No: TPE0269320
Attachment: Original 3 - for Shipper - HAWB No_ TPE0269320.zip (contains "COO_TPE0269320_image2020-12-31-055841.scr")

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

COO_TPE0269320_image2020-12-31-055841.scr

Verdict:

Malicious activity

Analysis date:

2021-01-06 07:41:20 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/a6e0703d-21da-4751-a593-1a3d675ee1a6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/110691/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/574882

Signature

.NET source code contains potential unpacker

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c/

Threat name:

ByteCode-MSIL.Backdoor.Crysan

Status:

Malicious

First seen:

2021-01-06 07:41:04 UTC

AV detection:

13 of 44 (29.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oqzouo2wdwsooxz6qg2rdmfcwtm7tvr6fe75dov5ekzaygzh3m6a._file

Verdict:

malicious

RaccoonStealer

3cc66db6e76b9b4e3713fcf69438cd1ec43253165f3fe1e05593580da9737d3b

RaccoonStealer

4d8668325ade88f0c153c36d4c01c38900fa11408b24bbe6c65429215e36f007

RaccoonStealer

649982bca8732a94d5f1e9cc3d87045e3aff04687080036bed0ba298e7957e87

RaccoonStealer

96e8a552286bdc774b6aa631a854546e8124aada68ab2b9ee0effbacbea9face

RaccoonStealer

b7b5a82b1c9b3c2ffeedcc57b2bef35f61c7e93ec2d5ae784f667e4d8d534009

RaccoonStealer

c3c2a6747a34c92023bef1d5abc604f697408e60ee64d1155af7a8c62727e894

RaccoonStealer

c686c7b2fff2ad2853c1d450d44fcf96ff3df67f34205b6b4e0352153893c924

RaccoonStealer

ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca

RaccoonStealer

da045fcbd63520920626c45655b87da65e0e6cdc26f7bc20dfbfb6f667be9dbf

RaccoonStealer

+ 393 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon discovery spyware stealer

Link:

https://tria.ge/reports/210106-xkn7r4qehs/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

JavaScript code in executable

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Raccoon

Unpacked files

SH256 hash:

7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c

MD5 hash:

0d2f4c9a134013ef8f7f70c5cebb8203

SHA1 hash:

21d8a1283f2fa97ad985eb73d3b46c9ef976a442

Link:

https://www.unpac.me/results/0fc7b15a-8d4e-41b6-80af-c0d49640d3bf/

SH256 hash:

0759e55dae527464c28d1b84eb6ad517dc9faf34a5ad10d55f652cb410a28f21

MD5 hash:

0ec82c5999a9391b7628d336f567b104

SHA1 hash:

0bd5978b480d87c0227a4bc7d12a761ae870d1aa

Link:

https://www.unpac.me/results/0fc7b15a-8d4e-41b6-80af-c0d49640d3bf/

SH256 hash:

c82aa70f318b92adb11f0d22d50c677f694bfe4e2450068e8c760f1c13ef855b

MD5 hash:

a0b7a1fcc7bc3ca1cc9cf42d41f31634

SHA1 hash:

37f485cf1f12644467a2316ebb4fddc4efa7e3b2

Link:

https://www.unpac.me/results/0fc7b15a-8d4e-41b6-80af-c0d49640d3bf/

SH256 hash:

ac84a92933c4ffea021986f95d5f48e284f787c048db4c42f6a15ba33599604a

MD5 hash:

8a77dd7359e8d2b4da0c06d375aa5260

SHA1 hash:

bd30fb16d56dfa0738cd9c6750c501e32834904f

Link:

https://www.unpac.me/results/0fc7b15a-8d4e-41b6-80af-c0d49640d3bf/

SH256 hash:

d91340fc3ee107abeb39fdaa6e6e3283145a9fcec8cfc3b86069d946b4cc6afa

MD5 hash:

1dea5dcca707fdb09d32cd50db38bad7

SHA1 hash:

c958e71a57e13a867f8429e33738f4568c5aad3c

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/0fc7b15a-8d4e-41b6-80af-c0d49640d3bf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator