MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 755e7db889cfe5608306365843431430c0ea85708612969be7522610fc5b308a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 755e7db889cfe5608306365843431430c0ea85708612969be7522610fc5b308a
SHA3-384 hash: 6aebea5bce136f1aaf1d9a44bc94dd9bd74079611964a3b1a229ef6fbff9067749b85ce7136e95838b99e38f14fc297e
SHA1 hash: 76457ad35133e12d3474e287f42fafc4305f75f1
MD5 hash: 43ce16a36f270e34b3cfdc8c8b7ac8b5
humanhash: crazy-south-fish-north
File name:43ce16a36f270e34b3cfdc8c8b7ac8b5
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'242'344 bytes
First seen:2021-12-01 09:22:00 UTC
Last seen:2021-12-01 10:57:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94e51115549f8704225c4f040e12efc5 (2 x RaccoonStealer)
ssdeep 49152:l/2uSwsPSCADS+/uSl5QH9jxeiTdmkYtARPXnPYwsx8WX5:l/exe84JARPXtsRX5
Threatray 7'817 similar samples on MalwareBazaar
TLSH T180A5DEA3BD4FB846C894457B8E786DF9595BBD117A3901172C3E7B2AFD7E310060A80B
File icon (PE):PE icon
dhash icon 0042c0b0ccdae400 (1 x RaccoonStealer)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer signed

Code Signing Certificate

Organisation:MSI Pro 24X 10M 9S6-AEC213-212
Issuer:MSI Pro 24X 10M 9S6-AEC213-212
Algorithm:sha1WithRSAEncryption
Valid from:2021-11-29T14:16:49Z
Valid to:2031-11-30T14:16:49Z
Serial number: 3c95f23861123e8949b392bc2033d1e8
Thumbprint Algorithm:SHA256
Thumbprint: 2c103a4ea8a59591f96c647369ff64f38b1506e0614aaea7f92c9f2bdd77c9ff
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Click_here.zip
Verdict:
Malicious activity
Analysis date:
2021-12-01 09:09:55 UTC
Tags:
evasion trojan loader opendir
Link:
https://app.any.run/tasks/2f15c29b-38a3-40ef-b784-7600c3d5a955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210233/
Detection(s):
SecuriteInfo.com.FileRepMalware.5118.6553.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/422/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61a73ebe9954e0c6bf799f55/reports/867c48f4-5797-419b-9607-4eabd70ef983/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2fb913b-375c-42fc-b9ec-8d0273e18282
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899272
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/755e7db889cfe5608306365843431430c0ea85708612969be7522610fc5b308a/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 05:48:19 UTC
File Type:
PE (Exe)
Extracted files:
193
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1f99084d5ea462b4d7bc7d47d3171b20e642dbb511a76bc9dbd22873d7bec667
RaccoonStealer
22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31
RaccoonStealer
2fb97449ff00263495f3d1bd7311532b4b43d5f2bcef700fe4d593dc3fa64d68
RaccoonStealer
493c4a7f6cdc0c6b3388b268aa38975c1bb52ea67f6415723a06a14213ee5d14
RaccoonStealer
879305570a2b3dbe710ddd09445db20a1159696a6c72a503135db8eaef5eecb7
RaccoonStealer
a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d
RaccoonStealer
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
RaccoonStealer
df7841fad13bb90a108a0861c92c565ad754528e684600ad07011cd4e83f1a63
RaccoonStealer
+ 7'807 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:fe1f102f3334068962b64125bcb00816dba46087 evasion stealer trojan
Link:
https://tria.ge/reports/211201-lbxyhseca9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
76862d3ee6aa540c05183422c9ba98b65de9dbf62f8e0a0fda5fb0e010d9f2de
MD5 hash:
558e076a3d623135806ae9c3e8ea7e71
SHA1 hash:
24eabc3382b629d8f996fb11bf3bf4575ea69234
Link:
https://www.unpac.me/results/8f7e2a8f-6e7b-480a-8677-b2dc87227aae/
SH256 hash:
755e7db889cfe5608306365843431430c0ea85708612969be7522610fc5b308a
MD5 hash:
43ce16a36f270e34b3cfdc8c8b7ac8b5
SHA1 hash:
76457ad35133e12d3474e287f42fafc4305f75f1
Link:
https://www.unpac.me/results/8f7e2a8f-6e7b-480a-8677-b2dc87227aae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.22
Link:
https://yomi.yoroi.company/submissions/755e7db889cfe5608306365843431430c0ea85708612969be7522610fc5b308a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 755e7db889cfe5608306365843431430c0ea85708612969be7522610fc5b308a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1840627/
Cape
Cape
https://www.capesandbox.com/analysis/210233/

Comments


Avatar
zbet commented on 2021-12-01 09:22:01 UTC

url : hxxp://host-file-host-3.com/files/9659_1638332389_9569.exe