MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a650b7af16721e46686633a253c967184414183a7d2be0cb64978e4d8880ba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer
Vendor detections: 13

SHA256 hash: 7a650b7af16721e46686633a253c967184414183a7d2be0cb64978e4d8880ba6
SHA3-384 hash: 184aeba5d5d099e1a5464d4013d75c3b7eec863df3a40d2dcbf4a266551d007535f959de1b46d4848bcc17346d7d8a04
SHA1 hash: 51c75c5597c7775c6186f7cd9c8f94a79492cc32
MD5 hash: 831f2a5b64f7c7193b2d54777dcf3c14
humanhash: eleven-five-saturn-north
File name: file
Signature: RaccoonStealer
File size: 5'355'688 bytes
First seen: 2023-06-13 15:53:48 UTC
Last seen: 2025-01-23 17:23:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3bd41fa16de9c87b6ad486fa28262c09 (1 x RaccoonStealer, 1 x Amadey)
ssdeep: 98304:yB2DbYegUN3PAXm9MPFJhYH33fKgXh2L++7xNYIR5lO3YzDxHLU61QhL/:Aez3PAXOMPFDs3fKgo7BFRHQii
TLSH: T1524623A35324015AD8D1CC368537FEE132F61F6B4B46BCBB95DA78C620336B5A352A13
TrID:
  56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
  3.7% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 50d091d0ccdacaec (1 x RaccoonStealer, 1 x Amadey, 1 x LummaStealer)
Reporter: andretavare5
Tags: exe FruitMiX RaccoonStealer signed

Code Signing Certificate

Organisation: GIGABYTE B660M DS3H DDR4 (rev. 1.0)
Issuer: GIGABYTE B660M DS3H DDR4 (rev. 1.0)
Algorithm: sha1WithRSAEncryption
Valid from: 2023-06-12T12:37:43Z
Valid to: 2033-06-13T12:37:43Z
Serial number: 222b192352050b9b403e64372138f5d2
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 37542055dfa9e1fbae7511304c3c6ace9cfa8f6030ea75f68f9e3294e1dba18e
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note: subject and issuer are identical, so this is a self-signed certificate (created the day before the sample was first seen, with a ten-year validity and a SHA-1 signature). The "signed" tag therefore says nothing about trust: Windows cannot chain it to any trusted root, and the serial number and thumbprint above are useful only as IOCs for pivoting to the other samples, not as evidence of publisher identity.
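The hash table and the certificate block above are the two things a responder actually pivots on. The script below is an added example, not MalwareBazaar or ReversingLabs code: it recomputes the four digests the entry lists and compares them against the page values, then walks the PE security directory with the standard library only and looks for the DER-encoded serial number (INTEGER tag 0x02, length 0x10, 16 value bytes) or the literal subject string inside each WIN_CERTIFICATE blob. It is a heuristic IOC hunt, not signature validation. Because the real sample is not available offline, build_test_pe() constructs a fake minimal PE32 carrying only a certificate table; that helper and its fake certificate bytes are assumptions for the demonstration.

```python
"""Triage helper for this entry: verify the listed digests of a file and hunt
for the self-signed Authenticode certificate the entry reports.

Added example, not MalwareBazaar or ReversingLabs code. It walks the PE header
with the standard library only and matches the DER-encoded serial (or the
subject string) inside the WIN_CERTIFICATE table; it does not validate the
signature. build_test_pe() constructs a fake PE so the script runs offline.
"""
import hashlib
import struct

ENTRY_HASHES = {  # copied from the entry above
    "md5": "831f2a5b64f7c7193b2d54777dcf3c14",
    "sha1": "51c75c5597c7775c6186f7cd9c8f94a79492cc32",
    "sha256": "7a650b7af16721e46686633a253c967184414183a7d2be0cb64978e4d8880ba6",
    "sha3_384": "184aeba5d5d099e1a5464d4013d75c3b7eec863df3a40d2dcbf4a266551d007535f959de1b46d4848bcc17346d7d8a04",
}
BAD_CERT_SERIAL = bytes.fromhex("222b192352050b9b403e64372138f5d2")  # from the entry
BAD_CERT_SUBJECT = b"GIGABYTE B660M DS3H DDR4 (rev. 1.0)"            # from the entry
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def hash_file_bytes(data: bytes) -> dict:
    """Return the four digests the entry lists, keyed like ENTRY_HASHES."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "sha3_384": hashlib.sha3_384(data).hexdigest()}


def matches_entry(data: bytes) -> bool:
    """True only if every listed digest matches; one mismatch is a different file."""
    return hash_file_bytes(data) == ENTRY_HASHES


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None.
    The security directory is the one data directory whose VirtualAddress is a
    raw file offset rather than an RVA, so no section mapping is needed."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_off = e_lfanew + 24                   # PE signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                        # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                      # PE32+
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        return None
    entry_off = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if (len(data) < entry_off + 8 or
            struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY):
        return None
    off, size = struct.unpack_from("<II", data, entry_off)
    return (off, size) if size and off + size <= len(data) else None


def authenticode_blobs(data: bytes):
    """Yield the bCertificate payload of each WIN_CERTIFICATE entry."""
    loc = security_directory(data)
    if loc is None:
        return
    off, end = loc[0], loc[0] + loc[1]
    while off + 8 <= end:
        length, _revision, _cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            break
        yield data[off + 8:off + length]
        off += (length + 7) & ~7              # entries are 8-byte aligned


def carries_bad_certificate(data: bytes) -> bool:
    """Heuristic IOC hunt: DER INTEGER for the serial (tag 0x02, length 0x10,
    16 value bytes) or the literal subject string inside any signature blob."""
    needle = b"\x02\x10" + BAD_CERT_SERIAL
    return any(needle in b or BAD_CERT_SUBJECT in b for b in authenticode_blobs(data))


def build_test_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32 whose only payload is a certificate table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x200, 0x0002) + cert_blob
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x40 + 4 + 20 + 224, len(win_cert))       # file offset, size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    sample = build_test_pe(b"\x30\x10\x02\x10" + BAD_CERT_SERIAL)
    print("matches entry:", matches_entry(sample), "bad cert:", carries_bad_certificate(sample))
```

Run it against a real file by replacing the constructed sample with `open(path, "rb").read()`. The serial match is deliberately byte-level so it also catches a re-used certificate wrapped in a different PKCS#7 envelope; a proper check of the chain would still need an ASN.1 parser and a trust store.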


Reporter comment (andretavare5): Sample downloaded from http://163.123.143.4/download/Service32.exe

Intelligence


File Origin
# of uploads: 301
# of downloads: 374
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-06-13 15:56:49 UTC
Tags: privateloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Modifying a system file
Replacing files
Reading critical registry keys
Launching a service
Sending a UDP request
Forced system process termination
Creating a process with a hidden window
Creating a window
Changing a file
Blocking the Windows Defender launch
Query of malicious DNS domain
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, RedLine
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected RedLine Stealer
Behaviour
Behavior Graph ID 886791 (sample: file.exe, start date 13/06/2023, architecture WINDOWS, score 100). The graph is reproduced below as a process tree; bracketed numbers are the sandbox's own node IDs, and "other" counts are as the sandbox reported them.

Root signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 18 other signatures.

[10] file.exe
  Network: 149.154.167.99 (TELEGRAMRU, United Kingdom); 163.123.143.4 (ILIGHT-NETUS, Reserved); 3 other IPs or domains
  Dropped: C:\Users\...\asTxuqD2x9tvXfJjhmJH842e.exe (PE32+); C:\Users\user\AppData\...\WWW14_64[1].exe (PE32+); C:\...\PowerControl_Svc.exe (PE32); C:\...\PowerControl_Svc.exe:Zone.Identifier (ASCII)
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Drops PE files to the document folder of the user; Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements
  Started: [21] asTxuqD2x9tvXfJjhmJH842e.exe; [26] schtasks.exe -> [47] conhost.exe; [28] schtasks.exe -> [49] conhost.exe

[15] PowerControl_Svc.exe
  Dropped: C:\Users\...\1DyugJoY0hlzRuB7v_f3bqZW.exe (PE32+); C:\Users\user\AppData\...\WWW14_64[2].exe (PE32+)
  Started: [30] 1DyugJoY0hlzRuB7v_f3bqZW.exe; [32] schtasks.exe -> [51] conhost.exe; [34] schtasks.exe -> [53] conhost.exe

[17] PowerControl_Svc.exe
  Dropped: C:\Users\...\gWq30XAMTrFgPjRixTHjO6YL.exe (PE32+); C:\Users\user\AppData\...\WWW14_64[1].exe (PE32+)
  Started: [36] gWq30XAMTrFgPjRixTHjO6YL.exe; [38] schtasks.exe -> [55] conhost.exe; [40] schtasks.exe -> [57] conhost.exe

[19] 4 other processes
  Network: 51.104.136.2 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United Kingdom); 51.124.78.146 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United Kingdom)
  Signatures: Query firmware table information (likely to detect VMs)

[21] asTxuqD2x9tvXfJjhmJH842e.exe
  Network: 85.217.144.228 (WS171-ASRU, Bulgaria); 87.240.132.78 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 14 other IPs or domains
  Dropped: C:\Users\...\ysYEhDiDvB4ozu0HZu0DEUdx.exe (PE32); C:\Users\...\uueAhB_LKjpNc2kI86szNXTt.exe (PE32); 22 other malicious files
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates HTML files with .exe extension (expired dropper behavior); Disables Windows Defender (deletes autostart); Modifies Group Policy settings
  Started: [42] pCVAuzLfwm9nXXZbrQUFZpAo.exe; [45] XfRJ3MPSc8ELht2m9GJlqmfQ.exe; [59] 12 other processes

[30] 1DyugJoY0hlzRuB7v_f3bqZW.exe
  Network: 87.240.132.67 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 94.142.138.131 (IHOR-ASRU, Russian Federation)
  Dropped: C:\Users\...\xeni7Sx6XxnCI1VLMvR50aU7.exe (PE32+); C:\Users\...\v1SRIRZ_fcHqOUWTOwtBAbY7.exe (PE32); 21 other malicious files

[36] gWq30XAMTrFgPjRixTHjO6YL.exe
  Network: 87.240.137.164 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 3 other IPs or domains
  Dropped: C:\Users\...\xLWngRHxzHUKbYQkfTaihA5W.exe (PE32+); C:\Users\...\uokiSLwW_XoL2SH31RW0Xnbw.exe (PE32); 21 other malicious files
  Signatures: Disable Windows Defender real time protection (registry); Writes many files with high entropy

[42] pCVAuzLfwm9nXXZbrQUFZpAo.exe
  Dropped: C:\Users\user\AppData\Local\Temp\ss41.exe (PE32+); C:\Users\user\AppData\Local\...\newplayer.exe (PE32); C:\Users\user\AppData\Local\...\2a344302.exe (PE32)
  Started: [63] 2a344302.exe; [66] newplayer.exe; [69] ss41.exe

[45] XfRJ3MPSc8ELht2m9GJlqmfQ.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\Local\...\config.txt (data)
  Started: [71] Install.exe

[51] conhost.exe -> [73] is-POJHP.tmp
[55] conhost.exe -> [75] powershell.exe -> [94] conhost.exe

[59] 12 other processes
  Network: 45.15.156.229 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 5.42.94.169 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 6 other IPs or domains
  Dropped: C:\Zemana.sys (PE32+); C:\Users\...\lRfXIJ8JVBOEeTFE34328YSz.exe (PE32); C:\Users\user\AppData\Local\...\is-POJHP.tmp (PE32); 2 other malicious files
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Disables Windows Defender (deletes autostart); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
  Started: [77] cmd.exe -> [100] 2 other processes; [79] taskkill.exe -> [96] conhost.exe; [81] 6 other processes -> [102] 3 other processes

[63] 2a344302.exe
  Signatures: Multi AV Scanner detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
  Injected into: [83] explorer.exe

[66] newplayer.exe
  Dropped: C:\Users\user\AppData\Local\...\oneetx.exe (PE32)
  Started: [88] oneetx.exe

[69] ss41.exe
  Dropped: C:\Users\...\3315b57a417e941f64231d113c31739c (SQLite)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
  Started: [98] 2 other processes -> [104] conhost.exe, [106] conhost.exe

[71] Install.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Started: [90] Install.exe

[73] is-POJHP.tmp
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); 6 other files (5 malicious)
  Started: [92] Rec613.exe

[83] explorer.exe (injected)
  Network: 95.164.86.244 (VAKPoltavaUkraineUA, Gibraltar); 201.124.226.142 (UninetSAdeCVMX, Mexico); 4 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\htcvght (PE32); C:\Users\user\AppData\Local\Temp\7AFD.exe (PE32); C:\Users\user\AppData\Local\Temp\400.exe (PE32)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)

[88] oneetx.exe
  Signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key

[90] Install.exe
  Dropped: C:\Users\user\AppData\Local\...\JnSdzry.exe (PE32)

[92] Rec613.exe
  Network: 45.12.253.56, 45.12.253.72, 45.12.253.75 (CMCSUS, Germany)
  Dropped: C:\Users\user\AppData\Roaming\...\Kz36Y.exe (PE32); C:\Users\user\...\fuckingdllENCR[1].dll (data)
Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2023-06-13 16:01:52 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Verdict: suspicious
Label(s): raccoon
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader loader spyware stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Downloads MZ/PE file
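Three of the behaviours reported above are cheap to detect from process-creation telemetry: scheduled-task persistence via schtasks.exe ("Uses schtasks.exe or at.exe", "Creates scheduled task(s)"), Windows Defender tampering ("Disable Windows Defender real time protection (registry)", "Adding exclusions to Windows Defender") and process killing via taskkill.exe ("Launching a tool to kill processes"). The block below is an added example, not MalwareBazaar or vendor-sandbox code, that runs those three rules over Sysmon-style process events. The event field names (image, parent_image, command_line), the user-writable path list, the Defender registry value and cmdlet names in the pattern, and every record in SAMPLE_EVENTS are assumptions constructed for the demonstration; the sandbox output above does not give the actual command lines.

```python
"""Detection logic for three behaviours this entry reports (scheduled-task
persistence via schtasks.exe, Windows Defender tampering, process killing via
taskkill.exe), run over constructed process-creation events.

Added example, not part of MalwareBazaar or any vendor sandbox. The event shape
(image, parent_image, command_line) is an assumed Sysmon-style record and every
event in SAMPLE_EVENTS is constructed, not taken from the sandbox run. The
Defender patterns are the common registry value and cmdlet names; the page does
not say which the sample used.
"""
import re

# Paths a dropped loader typically runs from; the graph above shows droppers in
# the user's Documents folder and under AppData\Local.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\[^\\]+\\(Documents|Downloads|Desktop))\\", re.IGNORECASE)
# Assumed tamper indicators: the real-time protection / anti-spyware registry
# values and the Add-MpPreference exclusion cmdlet.
DEFENDER_TAMPER = re.compile(
    r"DisableRealtimeMonitoring|DisableAntiSpyware|Add-MpPreference\s+-ExclusionPath",
    re.IGNORECASE)


def _image_is(event, name):
    return event["image"].lower().endswith("\\" + name)


def rule_schtasks_from_user_path(event):
    """schtasks /create launched by a parent running from a user-writable path."""
    return (_image_is(event, "schtasks.exe")
            and "/create" in event["command_line"].lower()
            and USER_WRITABLE.search(event["parent_image"]) is not None)


def rule_defender_tamper(event):
    """Command line that disables real-time protection or adds an exclusion."""
    return DEFENDER_TAMPER.search(event["command_line"]) is not None


def rule_taskkill_from_user_path(event):
    """taskkill.exe spawned by a parent running from a user-writable path."""
    return (_image_is(event, "taskkill.exe")
            and USER_WRITABLE.search(event["parent_image"]) is not None)


RULES = {
    "persistence.schtasks_from_user_path": rule_schtasks_from_user_path,
    "defense_evasion.defender_tamper": rule_defender_tamper,
    "defense_evasion.taskkill_from_user_path": rule_taskkill_from_user_path,
}


def evaluate(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


# Constructed events: command lines, task names and PIDs are hypothetical.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\user\Documents\PowerControl_Svc.exe",
     "command_line": r'schtasks /create /tn "PowerControl_Svc" /tr "C:\Users\user\Documents\PowerControl_Svc.exe" /sc onlogon'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "command_line": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"},
    {"image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "command_line": r"taskkill /F /PID 4321"},
    {"image": r"C:\Windows\System32\schtasks.exe",          # benign: query only
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"schtasks /query /fo LIST"},
    {"image": r"C:\Windows\System32\schtasks.exe",          # benign: installed vendor updater
     "parent_image": r"C:\Program Files\Vendor\updater.exe",
     "command_line": r'schtasks /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe" /sc daily'},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The parent-path condition is what keeps the schtasks and taskkill rules from firing on every administrator script; the sample's own droppers run from Documents and AppData, which is exactly the population the regex targets. Tune USER_WRITABLE to the directories your environment actually allows execution from.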
PrivateLoader
Unpacked files
SHA256 hash: e124c7571e9b6fe91ec6643ec40bd401726493a1306cbc2a02a14a0fa53a08ca
MD5 hash: 2f8d0a44d6d41aba5e0263033e55b04a
SHA1 hash: 45faea7e438ae04b332b0b3b9fdfccd1bff80a5d
Detections: PrivateLoader win_privateloader_w0
SHA256 hash: 7a650b7af16721e46686633a253c967184414183a7d2be0cb64978e4d8880ba6
MD5 hash: 831f2a5b64f7c7193b2d54777dcf3c14
SHA1 hash: 51c75c5597c7775c6186f7cd9c8f94a79492cc32
Malware family: RedLine.E
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments