MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b993ca2a752e9bd918f76db3cff5b987977821bd5874c3d867ad16d82156682f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 11



SHA256 hash: b993ca2a752e9bd918f76db3cff5b987977821bd5874c3d867ad16d82156682f
SHA3-384 hash: 8ec446fbd0dd17bf4b529304caea0a02eac248c8d22fb7c29d2a8e33f126d873679c015884d853a94164a355efed0190
SHA1 hash: d8b035f84e304ea9a46405ebf9eb7bd726905ece
MD5 hash: d83cc585ac9329d79f29bbf45b25cccb
humanhash: stairway-double-fillet-don
File name: file
Signature: RaccoonStealer
File size: 4'835'176 bytes
First seen: 2022-10-26 07:32:25 UTC
Last seen: 2022-10-26 14:26:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d11871fc716f77feec71c42bf958e3e1 (1 x RaccoonStealer, 1 x SystemBC)
ssdeep: 98304:Al1rwhciArkfIDpQz3RuCiDwTr7E7T5cl21HL2OMCD:21rw+JDpQFMcsRPrDD
Threatray: 775 similar samples on MalwareBazaar
TLSH: T1D326BFF03E0DD7DFF87A05B5B50ACA47996463E94204D60BFBAA387C45B2D520ECA760
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 9170e4b8e2eadc79 (1 x RaccoonStealer)
Reporter: andretavare5
Tags: exe RaccoonStealer signed

Code Signing Certificate

Organisation: www.granular.com
Issuer: www.granular.com
Algorithm: sha256WithRSAEncryption
Valid from: 2022-10-25T11:46:16Z
Valid to: 2023-10-25T12:06:16Z
Serial number: 372c53a5410e658d45e5e44327fc18e2
Thumbprint algorithm: SHA256
Thumbprint: 379e84b7930cd7d752d1245197135f0321d9a38f2320f9e372149fc082b2f4a4
Source: ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from https://vk.com/doc733883836_657569256?hash=ulqwzXmRHb9Xsy1Ncab3qbNEl58y4w8zDvcbfz7lcJw&dl=G4ZTGOBYGM4DGNQ:1666768778:sPLLmBDqsqGydMblQZ23Zhz1cGmE2FI9GQKhFP9Zc0z&api=1&no_preview=1#bvs1

Intelligence


File Origin
# of uploads: 184
# of downloads: 288
Origin country: n/a

Vendor Threat Intelligence
Malware family: raccoon
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-10-26 07:35:18 UTC
Tags: trojan raccoon recordbreaker loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a window
Creating a file in the system32 subdirectories
Creating a file
Launching a process
Creating synchronization primitives
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Writes to foreign memory regions
Threat name: Win32.Trojan.Privateloader
Status: Suspicious
First seen: 2022-10-26 08:12:57 UTC
File type: PE (Exe)
Extracted files: 27
AV detection: 14 of 26 (53.85%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion themida trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SHA256 hash: 2fef27c5dab426a215f7027850cf511283e46b9b47c25232c4f8868fce8d79a3
MD5 hash: 78a45997b87c742b58b6fd8938e692f2
SHA1 hash: 09ae4d69f874ef35c639e18327bb13f0d5bfae76

SHA256 hash: cdebc077f5761a42a78da59adf356fe5f33c07ee86e66616e8802ee06468ba44
MD5 hash: a893f8eb736792fb9ddf59bce8b2c34e
SHA1 hash: ab10dfdbb013cd908dd018947ddbbfe0a8717cd9

SHA256 hash: b993ca2a752e9bd918f76db3cff5b987977821bd5874c3d867ad16d82156682f
MD5 hash: d83cc585ac9329d79f29bbf45b25cccb
SHA1 hash: d8b035f84e304ea9a46405ebf9eb7bd726905ece
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
