MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 10



SHA256 hash: b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f
SHA3-384 hash: 246ee00042935ad88227af158beb58fef7644fb0f5503afc1c54cacb9e684d00f51107961caf7963a86a424ab6f6d6fd
SHA1 hash: fbc94c649ba3d8bb6c7e1d98e7fdeea40cd395b2
MD5 hash: 5d9e72d1e3a99bec71fad561fa95037c
humanhash: sad-two-ohio-butter
File name: ChrоmеSеtuр.msi
Signature: RaccoonStealer
File size: 3'583'488 bytes
First seen: 2023-09-26 20:56:59 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:E6rGohlj9szAlopTyWD57kEv53rw6cvOlM3w99xYF/gr/QaTdxKJWNYCILZ:qoSTyqk7vvO8Q9xU/w/QPOI9
Threatray: 13 similar samples on MalwareBazaar
TLSH: T1B5F5E021B387C136D52D0177E968EE5E1A38BE730B3101E777E8796E49F48C1A279B42
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: Wajih
Tags: msi RaccoonStealer signed

Code Signing Certificate

Organisation: GoogleLLC.Chrome
Issuer: GoogleLLC.Chrome
Algorithm: sha256WithRSAEncryption
Valid from: 2023-09-21T11:32:38Z
Valid to: 2024-09-21T11:52:38Z
Serial number: 143fa0127adca794432413827e620d3d
Thumbprint algorithm: SHA256
Thumbprint: 0690566d0430921b9ec3663ea8a65269a26f4765145a4ea4d45263d9b77502fe
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Wajih
The https://reedx51mut.com/ZgbN19Mx link is showing up as an iframe on my poor website "honeybearcabins.com" and keeps asking to update my browser. I have tried Opera, Chrome and Firefox. I only uploaded the Chrome malware, as all the files are the same in size; just the names are different.

I am looking for a solution to this since it is disturbing my business a lot.

Intelligence


File Origin
# of uploads: 1
# of downloads: 108
Origin country: PK
Vendor Threat Intelligence
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: control lolbin msiexec remote shell32
Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph: ID 1314821 (shown on the site as an interactive graph; the process tree below is recovered from it). Sample: Chr#U043em#U0435S#U0435tu#U... Startdate: 26/09/2023. Architecture: WINDOWS. Score: 100.
Root signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 5 other signatures.
Process tree:
msiexec.exe
  dropped: C:\Windows\Installer\MSIDD92.tmp (PE32), C:\Windows\Installer\MSIDD62.tmp (PE32), C:\Windows\Installer\MSIDD41.tmp (PE32), 13 other malicious files
  signature: Drops executables to the windows directory (C:\Windows) and starts them
  started: palemoon.exe, msiexec.exe, msiexec.exe, MSIA0F1.tmp
    palemoon.exe
      signature: Maps a DLL or memory area into another process
      started: cmd.exe
        cmd.exe
          dropped: C:\Users\user\AppData\Local\...\kihofdkcmvdvm (PE32), C:\Users\user\AppData\Local\Temp\efsadu.exe (PE32)
          signatures: Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Sample uses process hollowing technique
          started: efsadu.exe, conhost.exe
            efsadu.exe
              network: 65.109.2.42 (ports 49794, 80), ALABANZA-BALTUS, United States
              dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32), C:\Users\user\AppData\LocalLow\softokn3.dll (PE32), C:\Users\user\AppData\LocalLow\nss3.dll (PE32), 4 other files (2 malicious)
              signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after checking mutex); 3 other signatures
cmd.exe
  signature: Suspicious powershell command line found
  started: powershell.exe, conhost.exe
    powershell.exe
      network: thumbnailmybis.xyz (104.21.66.236, ports 443, 49781), CLOUDFLARENETUS, United States
      dropped: C:\Users\user\AppData\...\oz1hahud.cmdline (Unicode)
      signatures: Performs DNS queries to domains with low reputation; Found many strings related to Crypto-Wallets (likely being stolen)
      started: csc.exe, msiexec.exe, DeviceCredentialDeployment.exe
        csc.exe
          dropped: C:\Users\user\AppData\Local\...\oz1hahud.dll (PE32)
          started: cvtres.exe
msiexec.exe
Threat name: Win32.Spyware.Raccoonstealer
Status: Suspicious
First seen: 2023-09-26 18:02:24 UTC
File Type: Binary (Archive)
Extracted files: 82
AV detection: 8 of 37 (21.62%)
Threat level: 2/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:5e2505d8647542f05843f89ae7cd18e7 stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction: http://65.109.2.42:80/
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)
Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type: Microsoft Software Installer (MSI) msi
SHA256: b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f (this sample)

Delivery method: Distributed via web download

Comments