MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 887d6ad4cffeedfd403427c94439bcb265e54d86e0166956bb978cfa24c55c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

SHA256 hash: 887d6ad4cffeedfd403427c94439bcb265e54d86e0166956bb978cfa24c55c27
SHA3-384 hash: 703eadc2a293f447623f97faeef67943a650747747b7e12a3f70bf30fbab8c14f46fa99665f8936085dffdc502e75b10
SHA1 hash: 4540f372d692d50c34faa6b09f4680fefd77eb26
MD5 hash: c94c7983fb95d8f023d030420173f721
humanhash: jig-utah-mango-saturn
File name: SecuriteInfo.com.Win32.Trojan-gen.4431.25973
Signature: RaccoonStealer
File size: 1'406'104 bytes
First seen: 2023-02-06 16:06:26 UTC
Last seen: 2023-02-06 16:40:24 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep: 24576:5LcBLA+03ZOxaPmRlO28e0T3k9JnqYCN//NmH8FizLTcje:YLlIZO0O+BlmhCN/biz3
Threatray: 53 similar samples on MalwareBazaar
TLSH: T18F55AF48BAC0808DC76469EB54672F745EB25B739A239C2F81972347827E2D3355FC8E
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 71f8dce8eec4e071 (1 x RaccoonStealer, 1 x RecordBreaker)
Reporter: SecuriteInfoCom
Tags: dll RaccoonStealer signed

Code Signing Certificate

Organisation: www.handicap.com
Issuer: www.handicap.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-02-06T07:26:03Z
Valid to: 2024-02-06T07:46:03Z
Serial number: 49d8843fe8488aa94d985459e93e9aca
Thumbprint Algorithm: SHA256
Thumbprint: 6dec9918ac6c1b04723463ce9de2a9930cc7cf65ae73996999bb3e6e6bc47dad
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 219
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Sending a custom TCP request
Verdict: No Threat
Threat level: 2/10
Confidence: 80%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Raccoon Stealer v2
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph ID: 799598
Sample: SecuriteInfo.com.Win32.Troj...
Startdate: 06/02/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected Raccoon Stealer v2; Yara detected Amadeys stealer DLL; 3 other signatures
Process tree (as rendered in the sandbox behavior graph):
  loaddll32.exe
    cmd.exe
      rundll32.exe
        Network: 167.235.233.181 ALBERTSONSUS United States; 167.235.69.31 ALBERTSONSUS United States; 2 other IPs or domains
        Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\LocalLow\softokn3.dll (PE32); C:\Users\user\AppData\LocalLow\nss3.dll (PE32); 5 other files (3 malicious)
        Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        XYa8b4W5.exe
          Dropped: C:\Users\user\AppData\Local\...\nbveek.exe (PE32)
          Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 3 other signatures
          nbveek.exe
            Network: 5.75.139.35 HETZNER-ASDE Germany
            Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 5 other signatures
            cmd.exe
              conhost.exe
              cmd.exe
              cacls.exe
              4 other processes
            schtasks.exe
              conhost.exe
        cmd.exe
          conhost.exe
    rundll32.exe
      WerFault.exe
        Network: 192.168.2.1 unknown unknown
    WerFault.exe
      conhost.exe
    conhost.exe
  nbveek.exe
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Hides threads from debuggers
  nbveek.exe
  2 other processes
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-02-06 16:07:09 UTC
File Type: PE (Dll)
Extracted files: 5
AV detection: 14 of 26 (53.85%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: 887d6ad4cffeedfd403427c94439bcb265e54d86e0166956bb978cfa24c55c27
MD5 hash: c94c7983fb95d8f023d030420173f721
SHA1 hash: 4540f372d692d50c34faa6b09f4680fefd77eb26
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: RaccoonStealer
File type: DLL dll
SHA256 hash: 887d6ad4cffeedfd403427c94439bcb265e54d86e0166956bb978cfa24c55c27 (this sample)

Delivery method: Distributed via web download
