MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9777ac78ef7b256887f447ff395e8c43c04a20aebd290629f18bb4288065cfad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9777ac78ef7b256887f447ff395e8c43c04a20aebd290629f18bb4288065cfad
SHA3-384 hash: 1c74f64f25537f1f9544b4f877580dc56ada0428d745e20c5791aab71bc95eb8dadcc61b7b2675d35343b695c65a8041
SHA1 hash: 5e480d3f94c1fc6b6e69f60f99d43650b03dcd04
MD5 hash: 56ef69b1c4e3587bb8e9b7f699a92a83
humanhash: victor-india-salami-idaho
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:3'466'768 bytes
First seen:2023-07-03 21:54:15 UTC
Last seen:2023-07-08 18:04:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a2d46086c374c42d1560f4bbef810708 (2 x PrivateLoader, 1 x RaccoonStealer)
ssdeep 49152:mXvjC+tk+8dMeCL9zhN8LxSTDoYjsEQO39w8Oy/LnXUSvUypv/IKARsmiiOyIQ:osO5hN3TDoYj3QOwjy/LnXUiU4vwZyiT
Threatray 5 similar samples on MalwareBazaar
TLSH T1F5F59FD13A0EA59FC23B5C70B58AEB43DBA463E183286511DCB63CBDC762F425C95A34
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc808950829_663764216?hash=k5xVc8lIdLzTPJlVnHzTqzYtuB1xU81XCH13U8zDVcX&dl=Jk3oMCTWsNPNHY7IXWoG6v3ZXyZpmvLiTuMYaI3Zzog&api=1&no_preview=1#kis_rise

Intelligence

File Origin
# of uploads :
21
# of downloads :
339
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-03 21:56:35 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/581a705c-3540-449c-bf69-0f739b622e0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/406210/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.626.13168.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control crypto lolbin packed packed setupapi shell32
Link:
https://www.filescan.io/uploads/64a343b8204315fbc16c90c7/reports/eb1e678a-4a8a-4937-97e2-f7df041c0f07/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9777ac78ef7b256887f447ff395e8c43c04a20aebd290629f18bb4288065cfad
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/236b3004-46a7-4dd6-9c42-7d5d2da18397
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266240
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266240 Sample: file.exe Startdate: 03/07/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 5 other signatures 2->53 8 file.exe 37 2->8         started        13 oobeldr.exe 2->13         started        process3 dnsIp4 33 194.169.175.123, 49701, 50500 CLOUDCOMPUTINGDE Germany 8->33 35 ipinfo.io 34.117.59.81, 443, 49702 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->35 37 cdn.discordapp.com 162.159.133.233, 443, 49703, 49704 CLOUDFLARENETUS United States 8->37 27 C:\Users\user\...\cbaBsn_1sq8nPD6z83QQ.exe, MS-DOS 8->27 dropped 29 C:\Users\user\AppData\Local\...\KLIPE[1].exe, MS-DOS 8->29 dropped 55 Query firmware table information (likely to detect VMs) 8->55 57 May check the online IP address of the machine 8->57 59 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->59 67 4 other signatures 8->67 15 cbaBsn_1sq8nPD6z83QQ.exe 1 8->15         started        61 Antivirus detection for dropped file 13->61 63 Multi AV Scanner detection for dropped file 13->63 65 Detected unpacking (changes PE section rights) 13->65 19 schtasks.exe 1 13->19         started        file5 signatures6 process7 file8 31 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 15->31 dropped 39 Antivirus detection for dropped file 15->39 41 Multi AV Scanner detection for dropped file 15->41 43 Detected unpacking (changes PE section rights) 15->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 15->45 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9777ac78ef7b256887f447ff395e8c43c04a20aebd290629f18bb4288065cfad/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-03 21:55:07 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s532y6hppmswrb7ui77tsxumipaeuifoxuuqmkprro2cradfz6wq._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1d0734db421451d1ed079c72f1fb3147c510f5b0df01d75af1a023968fd804cf
RaccoonStealer
de37e38d15933b163d7b104af7ac4392af4a5663f500f5567efc40c8c01e9968
RaccoonStealer
f327c2b5ab1d98f0382a35cd78f694d487c74a7290f1ff7be53f42e23021e599
RaccoonStealer
f767afef9083aed521760649129fae272dfe30f66c9922ca4529533bb81d0612
RaccoonStealer
fc9fa1695c11f2c3a8019b64b414137c47d1b2f57b8593f44eda1237e4b3293b
RaccoonStealer
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader discovery evasion loader spyware stealer themida trojan
Link:
https://tria.ge/reports/230703-1sr6xsac36/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
PrivateLoader
Unpacked files
SH256 hash:
96816bdede9d2732266a1506cacb3a0ffc1351ae2e8455d39cf4268a4e0304b0
MD5 hash:
2bed5eb869888ff925dfd5cc1b0468f7
SHA1 hash:
b9c597645cdd951870eb31e45bdee1396182c887
Detections:
RiseProXorStr
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/bbe2d076-89ef-476e-bb49-02f72d8164d1/
SH256 hash:
9777ac78ef7b256887f447ff395e8c43c04a20aebd290629f18bb4288065cfad
MD5 hash:
56ef69b1c4e3587bb8e9b7f699a92a83
SHA1 hash:
5e480d3f94c1fc6b6e69f60f99d43650b03dcd04
Link:
https://www.unpac.me/results/bbe2d076-89ef-476e-bb49-02f72d8164d1/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9777ac78ef7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/406210/

Comments