MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b
SHA3-384 hash: e7fd3785bd1bd44e544deeb349d1ab55141709dca697ab95291603d48ddcbcc3445504689dba3c99954f93f9835c91c9
SHA1 hash: 385cfeddc1ac761723119ff06b3f042a2a3f4577
MD5 hash: adefe9227efad76eb767140ac9fefb5b
humanhash: rugby-nevada-stream-carpet
File name:17E503AEF3804C0513838FB4AE3E00F323B1260BF753D99DBF0AE415BA54DE11.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:542'208 bytes
First seen:2024-07-24 11:40:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81e0f16a51609ebf094e59cd813ed787 (2 x RaccoonStealer)
ssdeep 12288:p+9KFURIZbfKZXwNkbQkduJqKKFeKTjMAfZsiP:0mjZb4LQUuQ7Fn1RhP
TLSH T17EB4E110BBE0D035E5B712F4497A8369B93E7AA06B2490CF33C466EB56746D0EC3235B
TrID 29.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
21.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.7% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter Anonymous
Tags:exe RaccoonStealer


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
3'971
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Trojan.Generickdz-9950759-0
Create hunting rule

Win.Trojan.Generickdz-9951389-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a0e8526f74caeb2f89b3c8
Tags:
Execution Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Connection attempt to an infection source
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Connection attempt
Modifying an executable file
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a0e851b45fbebc0edb9eb8/reports/840e8bf1-a45f-41ef-ba9a-d22f51218ce5/overview
Verdict:
Malicious
Labled as:
Wapomi.BA virus
Link:
https://www.hybrid-analysis.com/sample/90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9fcc534-6e2b-462d-b989-266bfeba9385
Result
Threat name:
Bdaejec, Raccoon
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1479985
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 11:41:05 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbqi35sh6sibkacq3ofizpggnukrm2kx6u4ifjzsngpxrkjzmvvq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:4b8853263bfbfde368561fd97dd96c93b6b91e4f aspackv2 discovery stealer
Link:
https://tria.ge/reports/240724-ntewrsxele/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Raccoon
Raccoon Stealer V1 payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b16e6669-33ae-47c9-818b-7add98dfca01
Unpacked files
SH256 hash:
a35a7bc0683a747b96e34d35346f6357dfcec7fa883a7f3d9c1270a44119400a
MD5 hash:
6f82e26086f750bd745a35601efa6451
SHA1 hash:
404efb41831c48d76bc92e8763a51e4055f4b9ae
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/95c4d2ea-122d-4dd6-8921-71a4baa7a1ad/
Parent samples :
3c072e8447a090783007f41a0293c619b455742d4d1b35011eb112a1b8cc2e12
2631bb84e6e34dd72aca532864d09e51d161c687ae3f5e495c16a2fded1213aa
e14e3ba37274e5efe932d789e8e24e20c7c21ad852978df80bb9392f5acf238e
0a7dcaf9e64345aeb5abd12728983253beacd114e4dbe2b3f5addfb7f198d854
cdc3c8092da2ff6ac49b6097aea6afb00439eb1638150042f78b561b6fa2d512
dbe977eb38b4307dcadcc923553535f94f762b91dd28eb11d27cdd6b8f9eab4f
84862dd214cf92e7ba589fda632e1a7d1748341da19ed2d4cc56029f8a1bb6ce
65fa28bc56a1b8132aede30afcb70685f90cfccd32f899ffda736b1b4f46144c
c9894dc1091f69ddf411b90853eaf2a4447e20b5a3f7dae5a6997c5c03b470fc
772b0096bf5c9bb9c71a7ea2ba9a631a80b115134f1d480c08af549fb6f90d87
bd0f4b38b5f2edfdaf836e9d4642488de3fe04f3e855826408cbc31f1bda138a
bab33596106fd683cb7190eedfb32a219fffc5691bed72c151893b3270f06c09
dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec
3816d18b6f051f046a039ee937185509c8c3326f2842ba04de9d81e4e6ca7de5
bdff4c55eb7dd5a7d125a3629189c26ad2a3f1145a1801c4ba871e144a520895
f09393a0c14c0c4560743e75e59a025aff474c1f27eddd08f19d0ecea80b0988
8406f862c281a32094311d40f1cc275666ea3c368b9607db4ebb91b9cf9b5d3b
6c58e340f883a4f80f9fb47658671fecfd6bb2db2766326e6e360f8e495896c1
329cb82245c769af6159fde26e4bdb1831a0c0a7d16b9be24501fbe973563463
bdb06abce0a193e24ecb55cbda52963d6fbeb5b4c9efb8b45d588aef2ba7b943
d381f45d013f6b50a2be84d5d21f4743bf4271b789e3e81d5cf3b6fd3071ea20
353057209b0d75d63612db91a802368735d5954667946584e1ad0f6f84a892d2
17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11
90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b
SH256 hash:
0c01a813bff0d2afbc3c29daf8fc0b3f27646e038033a1382b012637a53dce34
MD5 hash:
5f993a3e3344ca4a545f064bc7e60b2c
SHA1 hash:
5b16942e48ab740efeee7b9d639aec679944bfda
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/95c4d2ea-122d-4dd6-8921-71a4baa7a1ad/
SH256 hash:
90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b
MD5 hash:
adefe9227efad76eb767140ac9fefb5b
SHA1 hash:
385cfeddc1ac761723119ff06b3f042a2a3f4577
Link:
https://www.unpac.me/results/95c4d2ea-122d-4dd6-8921-71a4baa7a1ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RaccoonStealer

Executable exe 90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileWithProgressW
KERNEL32.dll::MoveFileA

Comments