MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85f8cc08adebd0f0fde64c59d5359524b63dbd9ae317349557aca86750eb12e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85f8cc08adebd0f0fde64c59d5359524b63dbd9ae317349557aca86750eb12e6
SHA3-384 hash: dc44d9c1224efaebe3724873c1f3e32912199165c51c4bc39cb46500d77cde20539945b648b70050dde19c0a81eeed6f
SHA1 hash: 9616cd3d6bf961324199db5602e8fa931080405d
MD5 hash: 41df82ed28950c0304e44dcc2e79cffb
humanhash: three-hotel-wolfram-lithium
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:5'324'944 bytes
First seen:2022-12-28 01:03:31 UTC
Last seen:2023-08-26 21:27:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cc0d13e592b9ede7868f616c0fba8b8a (2 x RaccoonStealer)
ssdeep 98304:obY5lpzClP6G9Vv8VE+xpMV8CMapNRmhd12ec+:obYnNGrjoE+bRCJNR8c+
Threatray 271 similar samples on MalwareBazaar
TLSH T1E33623E313B6424ED0D98C36862B7FE030F287D76B827C749ACAADD126351E5B207957
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter jstrosch
Tags:exe RaccoonStealer signed

Code Signing Certificate

Organisation:*.dede.com
Issuer:*.dede.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-20T01:30:36Z
Valid to:2023-12-20T01:50:36Z
Serial number: 5f12cca5bb3cc3ba4d8b2293d3cd9764
Thumbprint Algorithm:SHA256
Thumbprint: 8f087a7966940f0b886a501d958d155668dcc744b94f659a2372ac77b1efd426
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-12-28 01:06:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fe372dd4-dcd7-4324-97ed-37de01be7767

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64570078.18141.22585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63ab960b83a5ae8cb4a76091/reports/b4d11907-b0ef-42c2-b33c-f08c015b2196/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d85daf0b-bfe9-4a8b-a523-b86501e1dec9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1141841
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85f8cc08adebd0f0fde64c59d5359524b63dbd9ae317349557aca86750eb12e6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-27 16:57:04 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
13 of 40 (32.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qx4mycfn5pipb7pgjrm5knmves3d3pm24mltjfkxvsugouhlclta._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
3534fd0b617be19bf24f9b7ff1e98ab23b98aef40bbc2413554a4ec5e016997e
RaccoonStealer
37af8d63e8e5adb5a5f30b471fe4e29f686c7923507583a21f46d3b2eb554f09
RaccoonStealer
411c449f978ff2425a9ee85a26157a0ba45a4895f6c1401a7c4d9a9c42c6a73b
RaccoonStealer
4671293ca0aceab6572cb9396bfef9371d51ec2505885b8bf453d693300dafb0
RaccoonStealer
81ae7aea498cdd4d50470b3dcd54088d7bce5bf5f6019b08d9d558acd190cb4d
RaccoonStealer
871f7fcfdd8e5466044d4fa7cc99a7f3f53876cde281dcb3c9d4063c7638c8bb
RaccoonStealer
b97aabb7096844d6df6ab9ff06ddc892fd368002543ae0aa36e9a673d0b2236a
RaccoonStealer
fd3f9ee2a7b4e35be97140818562dc4470f90705cbd959e87c07ed983692e33d
RaccoonStealer
+ 261 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/221228-beyzwacb4z/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
3847a06a56d8a0680f67abe55f7b41e67f7109b632f2cac686eda7529b23db56
MD5 hash:
a520f69b78aab739d044bb148e505a0a
SHA1 hash:
b59f4ecaf11b2e3636aa503e998162b997d757e9
Link:
https://www.unpac.me/results/c98261ba-b435-4ec8-bd75-05928017f693/
SH256 hash:
e156eb5fd31db2cc5f8aae687989b92a61a142514e6c26a6ee4e62eebf10f699
MD5 hash:
b2a73761429b2db3efd2fb62f8ac7ccc
SHA1 hash:
6c892caaaba545806e29302c217755d35bbfd30b
Link:
https://www.unpac.me/results/c98261ba-b435-4ec8-bd75-05928017f693/
SH256 hash:
85f8cc08adebd0f0fde64c59d5359524b63dbd9ae317349557aca86750eb12e6
MD5 hash:
41df82ed28950c0304e44dcc2e79cffb
SHA1 hash:
9616cd3d6bf961324199db5602e8fa931080405d
Link:
https://www.unpac.me/results/c98261ba-b435-4ec8-bd75-05928017f693/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/85f8cc08adebd0f0fde64c59d5359524b63dbd9ae317349557aca86750eb12e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 85f8cc08adebd0f0fde64c59d5359524b63dbd9ae317349557aca86750eb12e6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2483083/
  
URLhaus
https://urlhaus.abuse.ch/url/2483080/

Comments