MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4a92bcb6f677bbf9ede6ad7b290f83bc27592fefae0a8b3c6bf8026ff3327ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4a92bcb6f677bbf9ede6ad7b290f83bc27592fefae0a8b3c6bf8026ff3327ee
SHA3-384 hash: 335b6832e354a2354da22bd69e4d4f1adf4eabd905b4738d11fdd21c79cd5f16d801c7bd996cd3debd9a975fb5f65833
SHA1 hash: f1c2d99b75b73359b6618580cbb70198719e3c56
MD5 hash: 38957512a38650e191c1b520f8383b2e
humanhash: delaware-burger-ten-ten
File name:38957512a38650e191c1b520f8383b2e.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:458'408 bytes
First seen:2021-07-28 18:04:06 UTC
Last seen:2021-07-28 18:57:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:PirZ3mcxsLZe/ZasZrOEMugESi04qm9kXzQQ:P4Fmcx7rMuqs6zQQ
Threatray 1'876 similar samples on MalwareBazaar
TLSH T180A42210EEF5BA63FCE863B9E8F0045EF5724316BDE7D5192B8128486E8CBC51C46279
dhash icon 70c48ad8e4a4d874 (2 x ArkeiStealer, 1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
38957512a38650e191c1b520f8383b2e.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 18:25:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a70c9760-48b3-4cec-a33b-85e3503dbc03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174771/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.49794.5883.15270.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe37d491-6fcc-4586-9505-4e7ae8bfeb0a
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/823391
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 19:40:51 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsusxs3pm5537hw6nll3fehyhpbhlex67lqkrm6gx6acn7zte7xa._file
Verdict:
malicious
Similar samples:
1c474449c67becb01f8689bd34ba10ee57b0ff2688592ea87be2368474af819e
RaccoonStealer
445d66bf5ba2df185287c3cb77ca459c45819d53d808a48981f3e8396f1c9658
RaccoonStealer
55dae3a9ea2e8108b1c8552f9605f2a8f8ce7116b055d96cf1c827989ac0efd5
RaccoonStealer
991cd470e36b51d3640eb6a1a40b6dbd54d2f82d6543fe38a46404bfc0a6bc76
RaccoonStealer
c2789581cd578f5d0d40e0d774ace1ac3ce93793b20d12eca3136a83e1d67ce2
RaccoonStealer
cada28cf855a9059f761e89e4441797a92aed1e4a5878c2e87171090295dcaea
RaccoonStealer
fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e
RaccoonStealer
+ 1'866 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210728-3qtavrjs82/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Core1 .NET packer
Unpacked files
SH256 hash:
a6992f701cde5b51839a1d5edd605acb002b583626630e68940093596fd8504d
MD5 hash:
17745ef27eca3c0ea3f5437188d915e4
SHA1 hash:
adafd022e5189a32dc65b4db0fb2dc59ea6fad3f
Link:
https://www.unpac.me/results/ffcc11c9-9db5-43a0-be24-a2dafe8a65f1/
SH256 hash:
d2a2e51a40fc3183536974426b393ccdb7307585a781ee34b7d728568c0fe369
MD5 hash:
1a1f73747551a4fde33dd28293365949
SHA1 hash:
899bfdb17a06cba9963bb9a493edd27be063daf1
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/ffcc11c9-9db5-43a0-be24-a2dafe8a65f1/
SH256 hash:
b4a92bcb6f677bbf9ede6ad7b290f83bc27592fefae0a8b3c6bf8026ff3327ee
MD5 hash:
38957512a38650e191c1b520f8383b2e
SHA1 hash:
f1c2d99b75b73359b6618580cbb70198719e3c56
Link:
https://www.unpac.me/results/ffcc11c9-9db5-43a0-be24-a2dafe8a65f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4a92bcb6f677bbf9ede6ad7b290f83bc27592fefae0a8b3c6bf8026ff3327ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe b4a92bcb6f677bbf9ede6ad7b290f83bc27592fefae0a8b3c6bf8026ff3327ee

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/174771/
  
URLhaus
https://urlhaus.abuse.ch/url/1480064/
  
Delivery method
Distributed via web download

Comments