MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad901092cbfd7145f8066f1f89c73db3c8d9c3fc9cfffea1d550daf43dc4978f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad901092cbfd7145f8066f1f89c73db3c8d9c3fc9cfffea1d550daf43dc4978f
SHA3-384 hash: b8f2fa03b637c5d07a7dcb90bd4438c25e0037298f1f8174f4d99d89f54306f869970f604b28b450e9b21597f2ef18ec
SHA1 hash: d493db59b6ec1686c603c30b42436474de8529bf
MD5 hash: 2fe5b54253ada505c9b5c255c2c951e0
humanhash: rugby-foxtrot-batman-florida
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'466'560 bytes
First seen:2023-12-04 01:11:13 UTC
Last seen:2023-12-05 09:29:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4badf5cc096c479bb9d07f7fe1f1b22c (2 x RiseProStealer, 1 x RaccoonStealer)
ssdeep 196608:C2gpwjlq+kONFI57jtjhholOiFOVw9ESkU:2wjQ+k7hYOi0wSSv
Threatray 23 similar samples on MalwareBazaar
TLSH T19C563373631721C1C8DC88338F23FD9072F6B26D8F819DBD58A6ACC66AD25E5D612943
TrID 35.1% (.SCR) Windows screen saver (13097/50/3)
17.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.5% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc418490229_669054729?hash=JWlzYUnPhQIlnUsbclYOnp2lZFSlFpZZA3VF27wTZRT&dl=9viQSDFOCXLmeKbd5KiKnnCNc53pLvsInE9tqUrvI30&api=1&no_preview=1#kisrise

Intelligence

File Origin
# of uploads :
20
# of downloads :
365
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462202/
Detection(s):
SecuriteInfo.com.Trojan-PSW.Win32.RisePro.mn.2683.19739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% subdirectories
Creating a file
Launching a process
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto lolbin packed packed risepro setupapi shell32 vmprotect
Link:
https://www.filescan.io/uploads/656d2763380413dc0c2eec14/reports/ffb548e0-738d-4503-abb0-89d47547f167/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ad901092cbfd7145f8066f1f89c73db3c8d9c3fc9cfffea1d550daf43dc4978f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/83856b33-bd57-4ea7-aee3-508f4dc95c5b
Result
Threat name:
PrivateLoader, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352834
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PrivateLoader
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1352834 Sample: file.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 38 ipinfo.io 2->38 44 Snort IDS alert for network traffic 2->44 46 Antivirus detection for URL or domain 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 4 other signatures 2->50 8 file.exe 1 73 2->8         started        13 LegalHelper2.exe 2 2->13         started        15 OperaConnect2.exe 2 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 40 91.92.251.47, 49729, 49731, 49732 THEZONEBG Bulgaria 8->40 42 ipinfo.io 34.117.59.81, 443, 49730 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->42 30 C:\Users\user\AppData\...\OperaConnect2.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...\LegalHelper2.exe, PE32 8->32 dropped 34 C:\ProgramData\IEUpdater2\IEUpdater2.exe, PE32 8->34 dropped 36 C:\...\H3zoYnzKEjIFDPLAyfK5SCLLpd6LyFsM.zip, Zip 8->36 dropped 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->60 62 Tries to steal Mail credentials (via file / registry access) 8->62 64 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->64 74 2 other signatures 8->74 19 IEUpdater2.exe 2 8->19         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        66 Antivirus detection for dropped file 13->66 68 Multi AV Scanner detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 72 Tries to detect virtualization through RDTSC time measurements 15->72 file6 signatures7 process8 signatures9 52 Antivirus detection for dropped file 19->52 54 Multi AV Scanner detection for dropped file 19->54 56 Detected unpacking (creates a PE file in dynamic memory) 19->56 58 3 other signatures 19->58 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ad901092cbfd7145f8066f1f89c73db3c8d9c3fc9cfffea1d550daf43dc4978f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad901092cbfd7145f8066f1f89c73db3c8d9c3fc9cfffea1d550daf43dc4978f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 01:12:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
11 of 23 (47.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwibbewl7vyul6agn4pytrz5wpentq74tt775iovkdnpipoes6hq._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
10cef0b0f286a3f715aaad09fa089a97c10b98cf01cbae4c702eb49c7331f461
RaccoonStealer
3b58ac66aba1916652103fdff909940378b77c555e1763f2b1e6b1ba32f7b0a5
RaccoonStealer
444b40a3b51dbd1b40e4f96a5a4dbf04f329b5ee12411cf4c8788b8c84e07ead
RaccoonStealer
4d9f699e258f6565aa256c4d657a9b52727326cdbe80f3d9d6ddbc4f5377f08a
RaccoonStealer
4f05a5578ecdf2695c30935820746aee082b63f0da0e9343e03ae3651de312af
RaccoonStealer
b1fab4e05f980678d6e3acba9910b8b07d422de7b80a5eded0dccf200310be01
RaccoonStealer
bbd1de6202cbf7b144035b2f82d48567c36cc77909a6f8a52604bacdfd80449f
RaccoonStealer
f1c24bb882f602e83ab8f2132047bf6a0bc0b4dadd6a55ef7db32b3f91b52836
RaccoonStealer
fb2cf7074ef8fe5a896a06d43dcdf815847894e02e2a776dda7cd9f11a921cdd
RaccoonStealer
fcf5537cc477bb7aefdce475431fadaac9f101a4baedcacaaba20502bf4ba37e
RaccoonStealer
+ 13 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro collection discovery loader persistence spyware stealer
Link:
https://tria.ge/reports/231204-bkhj3sgd4t/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
Malware Config
C2 Extraction:
91.92.251.47
Unpacked files
SH256 hash:
d719bfcd65095cc7f41d0475bf42d172fdf289ed6100f2fd151ad0d474b95816
MD5 hash:
1ece6e418e15e9773e693e5a5a6d972f
SHA1 hash:
b69fa65a55aada8ab9e154653842493b5fea0003
Link:
https://www.unpac.me/results/4d17d9b4-aa41-4356-a311-1e6f7771022d/
SH256 hash:
ad901092cbfd7145f8066f1f89c73db3c8d9c3fc9cfffea1d550daf43dc4978f
MD5 hash:
2fe5b54253ada505c9b5c255c2c951e0
SHA1 hash:
d493db59b6ec1686c603c30b42436474de8529bf
Link:
https://www.unpac.me/results/4d17d9b4-aa41-4356-a311-1e6f7771022d/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad901092cbfd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad901092cbfd7145f8066f1f89c73db3c8d9c3fc9cfffea1d550daf43dc4978f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/462202/

Comments