MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a37df5fce07d7117d94f0322ce995c9298827d44a77ebc0d077a80d104a865e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a37df5fce07d7117d94f0322ce995c9298827d44a77ebc0d077a80d104a865e
SHA3-384 hash: 0fed6eca4aea7ae6b2418714fd9e94ae0e8d6114d6d6a135b708603f56355d5e563641884df76493065972c2a699d8c3
SHA1 hash: 26d5bc53f42f8016aa2b6102d63076d5b8ad4404
MD5 hash: dda0e888c50add74a5ef9e2d467aa607
humanhash: delta-potato-fillet-magnesium
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:994'456 bytes
First seen:2023-10-10 06:07:49 UTC
Last seen:2023-10-11 21:32:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fbe73ebaafab027a78c9c7613f7ead13 (1 x RaccoonStealer)
ssdeep 24576:ee6fhchVB2HsvYhTxC7KQC3wsmhgzBUgB2gZoZwRX0:/IhfHsiTxmKQ8wsmI7Ci0
Threatray 672 similar samples on MalwareBazaar
TLSH T16F250214BB80D031D9A30434DA96DB776E7AFA711356C0CBE3C45BA96D70EC2AA39347
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon eae0aeaad4b6aad4 (1 x RaccoonStealer)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from https://filehosting.linkpc.net/ch4cvanhvvczjl06ea54oj7z95c6tmzd/original1.exe

Intelligence

File Origin
# of uploads :
75
# of downloads :
354
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://karyaindahperkasa.com/879876/download/zip.7z
Verdict:
Malicious activity
Analysis date:
2023-10-10 07:21:59 UTC
Tags:
privateloader evasion opendir loader risepro stealer redline tofsee botnet stealc ransomware stop miner smoke lumma amadey trojan arkei vidar dcrat rat backdoor remote teamspy
Link:
https://app.any.run/tasks/4821ed30-d49b-4bfa-b491-28816e545461

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching cmd.exe command interpreter
Transferring files using the Background Intelligent Transfer Service (BITS)
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% subdirectory
Creating a process from a recently created file
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
fingerprint greyware lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6524ea43e509ddb6cd1f0578/reports/98c54ba0-c3f0-447b-8cf2-ba02fd53638d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/8a37df5fce07d7117d94f0322ce995c9298827d44a77ebc0d077a80d104a865e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9bb9a108-ba63-41b2-99f4-542baa441603
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1322581
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1322581 Sample: file.exe Startdate: 10/10/2023 Architecture: WINDOWS Score: 100 46 www.ieee802.org 2->46 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 2 other signatures 2->62 9 file.exe 15 2->9         started        13 dockerFast_test.exe 15 2->13         started        signatures3 process4 dnsIp5 50 www.ieee802.org 54.84.190.55, 443, 49740, 49746 AMAZON-AESUS United States 9->50 74 Contains functionality to infect the boot sector 9->74 76 Maps a DLL or memory area into another process 9->76 78 Contains functionality to compare user and computer (likely to detect sandboxes) 9->78 15 cmd.exe 6 9->15         started        19 cmd.exe 13->19         started        signatures6 process7 file8 44 C:\Users\user\AppData\Local\Temp\Hecli1.exe, PE32 15->44 dropped 52 Writes to foreign memory regions 15->52 54 Maps a DLL or memory area into another process 15->54 21 Hecli1.exe 31 15->21         started        26 conhost.exe 15->26         started        28 Hecli1.exe 26 19->28         started        30 conhost.exe 19->30         started        signatures9 process10 dnsIp11 48 149.248.79.83, 49745, 49751, 80 COEXTRO-01CA Canada 21->48 36 C:\Users\user\AppData\...\vcruntime140.dll, PE32 21->36 dropped 38 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 21->38 dropped 40 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 21->40 dropped 42 4 other files (none is malicious) 21->42 dropped 64 Detected unpacking (changes PE section rights) 21->64 66 Detected unpacking (overwrites its own PE header) 21->66 68 Found evasive API chain (may stop execution after checking mutex) 21->68 72 2 other signatures 21->72 32 WerFault.exe 21 16 21->32         started        70 Tries to harvest and steal browser information (history, passwords, etc) 28->70 34 WerFault.exe 28->34         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a37df5fce07d7117d94f0322ce995c9298827d44a77ebc0d077a80d104a865e/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 06:08:06 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
17 of 22 (77.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ri356x6oa7lrc7mu6azcz2mvzeuyqj6ujj36xqgqo6ua2eckqzpa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
22e2b816a20424bb37abf9cfc22605709173aa4208b9e383fe10266469b2f916
RaccoonStealer
67be4b70e80509300c6d739bea9af68b56c17deb32edae8acec3c683171bf103
RaccoonStealer
69d090774ce99b248f9e76d50312cfcbc7cc8c333f390a0fdffc95f62d7a9631
RaccoonStealer
7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4
RaccoonStealer
8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771
RaccoonStealer
84d1b1f0588cac4fb502da345ed7ee3bae4000b7f6b096a7bc797789c1fe8120
RaccoonStealer
e3f6666bcc343098a21a2c52ee8a63d03c042b9dfd4cb1dfbf984c6d0e985da0
RaccoonStealer
e5bb90639329e6ea1595260e72a4ffd479e0c2957086bcdb180efb1617adcdde
RaccoonStealer
e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928
RaccoonStealer
+ 662 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:06c02dbb2bc71b35b706e4b2e04d7f00 discovery spyware stealer
Link:
https://tria.ge/reports/231010-gvwscade25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction:
http://149.248.79.83:80/
Unpacked files
SH256 hash:
8a37df5fce07d7117d94f0322ce995c9298827d44a77ebc0d077a80d104a865e
MD5 hash:
dda0e888c50add74a5ef9e2d467aa607
SHA1 hash:
26d5bc53f42f8016aa2b6102d63076d5b8ad4404
Link:
https://www.unpac.me/results/9f475d67-774c-442f-b3e7-1bcbe00df943/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a37df5fce07d7117d94f0322ce995c9298827d44a77ebc0d077a80d104a865e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2716338/

Comments