MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9
SHA3-384 hash: e9e0cad0e01807a12677b3f76825921a8fdddfbb3e003cddb6f41324ea663d34bab18053c5d64bf370eb9e9fea55fa4f
SHA1 hash: 0df63fe311154434f7d14aae2f29f47a6222b053
MD5 hash: 7fbe056c414472cc2fcc6362bb66d212
humanhash: cola-potato-leopard-potato
File name:7fbe056c414472cc2fcc6362bb66d212
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:82'432 bytes
First seen:2024-01-16 03:48:53 UTC
Last seen:2024-01-16 05:20:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 52fcc5c1bcda70fa4759c08995c5a5fb (5 x RecordBreaker, 2 x RaccoonStealer)
ssdeep 1536:KX0PI6ORWFPekAZZ0XCkSBIPV1Fn1p06QcKUp3sFqH:9PI6GWpeVsXCLMrxbQOp8FqH
TLSH T1198319C154B14906E184A87303C3D935979AEE3A18177D83E389E662816DDC32DBF7BB
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
3'934
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/471044/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.38170.19802.27797.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto explorer greyware lolbin recordbreaker shell32
Link:
https://www.filescan.io/uploads/65a5fcae3c61cd5b4251155c/reports/098aab71-35cc-4c69-86dc-98914f631771/overview
Verdict:
Malicious
Labled as:
Trojan.RecordBreaker
Link:
https://www.hybrid-analysis.com/sample/aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddf4d81e-b4ab-4281-a41f-daa78627d1e0
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375141
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2024-01-11 15:46:35 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vinqwl3pa33cfk7sckhmv7wrsklieiq4l72n2jbg6fvzvyts7x4q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:afed87781b48070c555e77a16d871208
Link:
https://tria.ge/reports/240116-edca9sceal/
Malware Config
C2 Extraction:
http://185.16.39.253:80/
Unpacked files
SH256 hash:
aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9
MD5 hash:
7fbe056c414472cc2fcc6362bb66d212
SHA1 hash:
0df63fe311154434f7d14aae2f29f47a6222b053
Detections:
win_recordbreaker_auto
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
MALWARE_Win_RaccoonV2
Create hunting rule
Link:
https://www.unpac.me/results/049ec553-b21d-4f54-888a-6dba07692842/
Parent samples :
28a08faeade7234ec9b0e78b780c1787137581641c57ef6e8088d314b447751a
aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa1b0b2f6f06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Raccoon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_RaccoonV2
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon Stealer 2.0, also referred to as RecordBreaker
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2748952/
Cape
Cape
https://www.capesandbox.com/analysis/471044/

Comments


Avatar
zbet commented on 2024-01-16 03:48:54 UTC

url : hxxps://ummotosmexico.mx/test/2.3.1.1.exe