MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 829579ba6d7c9e90371a9238ac081d671e291cedf3ac53103aa28c1460d74822. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 829579ba6d7c9e90371a9238ac081d671e291cedf3ac53103aa28c1460d74822
SHA3-384 hash: 76cc0e02b52cf4f618186e3036924eedba9d7d550ade045d33234d77c998b88cf351649636276cc76e8438dee9ff1347
SHA1 hash: 40a44c7600b6b78da7e304ca81757621797d9f40
MD5 hash: 922297e8cf0a1132dee7508cd4f912e9
humanhash: snake-happy-ten-texas
File name:Setup.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'996'992 bytes
First seen:2023-01-17 14:26:59 UTC
Last seen:2023-01-17 16:35:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 46 x PureHVNC, 28 x RedLineStealer)
ssdeep 196608:XU9fJAaleqTeyGXuQdxYtOXMzLypn3f5G+c:cpeyGeQxY8XMzK33
Threatray 7'376 similar samples on MalwareBazaar
TLSH T14666339FF8D5F4D8CCE802F07DF4692D62C091E6662AA4D0AF0E7AE50736150FB94B49
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-01-17 14:28:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/43d0bfa6-0d14-43ef-a79e-050c56239acf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353820/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Generic.2355.13423.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c6b03a8352dc7065e34b16/reports/cdc3be31-9270-44a0-84e0-9dbf01739b0d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9fcf68d0-d1bc-4cfb-9713-9090ca9f5d0d
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153336
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer v2
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786068 Sample: Setup.exe Startdate: 17/01/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for dropped file 2->48 50 10 other signatures 2->50 9 Setup.exe 4 2->9         started        process3 file4 28 C:\Users\user\AppData\Local\...\Setup.exe.log, CSV 9->28 dropped 60 Detected unpacking (changes PE section rights) 9->60 62 Query firmware table information (likely to detect VMs) 9->62 64 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->64 66 4 other signatures 9->66 13 InstallUtil.exe 26 9->13         started        signatures5 process6 dnsIp7 38 5.75.186.50, 49699, 80 HETZNER-ASDE Germany 13->38 40 github.com 140.82.121.4, 443, 49700 GITHUBUS United States 13->40 42 objects.githubusercontent.com 185.199.108.133, 443, 49701 FASTLYUS Netherlands 13->42 30 C:\Users\user\AppData\Local\...\r9ISlc4s.exe, PE32+ 13->30 dropped 32 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 13->32 dropped 34 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 13->34 dropped 36 5 other files (3 malicious) 13->36 dropped 68 Tries to harvest and steal browser information (history, passwords, etc) 13->68 70 DLL side loading technique detected 13->70 72 Tries to steal Crypto Currency Wallets 13->72 74 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 13->74 18 r9ISlc4s.exe 2 13->18         started        file8 signatures9 process10 file11 26 C:\ProgramData\Chrome\CNSWA.exe, PE32+ 18->26 dropped 52 Antivirus detection for dropped file 18->52 54 Detected unpacking (changes PE section rights) 18->54 56 Machine Learning detection for dropped file 18->56 58 Adds a directory exclusion to Windows Defender 18->58 22 powershell.exe 18 18->22         started        signatures12 process13 process14 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/829579ba6d7c9e90371a9238ac081d671e291cedf3ac53103aa28c1460d74822/
Threat name:
Win64.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2023-01-17 13:16:02 UTC
File Type:
PE+ (Exe)
Extracted files:
13
AV detection:
12 of 26 (46.15%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkkxtotnpspjany2si4kyca5m4pcshhn6owfgeb2ukgbiygxjara._file
Verdict:
unknown
Similar samples:
5057ef66a52c6050f1cc10faa418c58d9e3cb5039f81846c35cb2ef40f607f10
RaccoonStealer
7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49
RaccoonStealer
867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e
RaccoonStealer
9d4a5344f0cb03807c0857078c93768d2ab92ad9cd8aec51922fd80137773ee1
RaccoonStealer
a0ee5991a87a49c2a3d877f34ae33b27a95c88c1e95eb13f0cc1658adc815b6a
RaccoonStealer
a8d00ba550db4bb552fb9d9eebde24e740d7d11b8041b381f94f331e60514fb6
RaccoonStealer
e1689f695b580c88f6b58274cfed905541749bd86f9f3cd95b70ae22387313ca
RaccoonStealer
e9450c3121f962ad35052a0eb013d667116a77c29299a43047ccd19bd3abfe40
RaccoonStealer
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
RaccoonStealer
+ 7'366 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
bootkit evasion persistence trojan
Link:
https://tria.ge/reports/230117-rsefdsdd9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
829579ba6d7c9e90371a9238ac081d671e291cedf3ac53103aa28c1460d74822
MD5 hash:
922297e8cf0a1132dee7508cd4f912e9
SHA1 hash:
40a44c7600b6b78da7e304ca81757621797d9f40
Link:
https://www.unpac.me/results/e6b67f0e-1791-4c6d-aecf-beadc421c64f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/829579ba6d7c9e90371a9238ac081d671e291cedf3ac53103aa28c1460d74822

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353820/

Comments