MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656
SHA3-384 hash:	82278202cee725e554bf0d16b877806662564844919cd03cd361fada4810b7f07870125d40481b77e37d13fbe7c37176
SHA1 hash:	2a34b5110f5c3c2424ae9685f57261e2546bd963
MD5 hash:	ae6510d9815c44a818f722ecae6844b8
humanhash:	potato-crazy-louisiana-glucose
File name:	ae6510d9815c44a818f722ecae6844b8.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	7'336'385 bytes
First seen:	2022-01-15 08:35:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5640c7a22008f949f9bc94a27623f95 (3 x RaccoonStealer, 3 x IrisStealer, 2 x CoinMiner)
ssdeep	196608:l++hvICteEroXxqENE+sKsXXgvkwuUxNhMC/CKN7kL:BInEroXjsKkXgs/EhWKNY
Threatray	4 similar samples on MalwareBazaar
TLSH	T1BA763300A3F808DEF87B8638C565C221A0B2B467975AD4DF17BC835A5F971E36E73A14
Reporter	abuse_ch
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ae6510d9815c44a818f722ecae6844b8.exe

Verdict:

No threats detected

Analysis date:

2022-01-15 08:39:46 UTC

Tags:

installer

Link:

https://app.any.run/tasks/5d22fdb5-3de4-450a-b77a-cef589a5bfd5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PyInstaller

Link:

https://www.capesandbox.com/analysis/219461/

Detection(s):

SecuriteInfo.com.Variant.Tedy.68030.15589.1459.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Running batch commands

Creating a process from a recently created file

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Sending an HTTP POST request

Launching the default Windows debugger (dwwin.exe)

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4252/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe expand.exe greyware overlay packed

Link:

https://www.filescan.io/uploads/61e28779e997359713f157ad/reports/3d101691-1fac-421b-99aa-f54607002093/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac6e661a-9589-48c7-bd27-eaee03cd7164

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/921085

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-01-15 02:29:30 UTC

File Type:

PE+ (Exe)

Extracted files:

516

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Verdict:

malicious

RaccoonStealer

80f4e41827dfe57bd2217eabe487099a2912be536fe4b0aef95b4bbb215c8a2a

RaccoonStealer

ffc3d4c2d7568d3d632ba01f05fcb54bb8bc2b73afabc4741999957498011568

RaccoonStealer

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:loaderbot family:raccoon loader miner persistence pyinstaller stealer

Link:

https://tria.ge/reports/220115-khlcmadde7/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Drops startup file

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

LoaderBot executable

LoaderBot

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656

MD5 hash:

ae6510d9815c44a818f722ecae6844b8

SHA1 hash:

2a34b5110f5c3c2424ae9685f57261e2546bd963

Link:

https://www.unpac.me/results/d5759bf8-f9c3-4a08-9739-307f255a0742/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c3cad582268b165711e2f2b1834891c7bcb5e57a7efb1e709e3df19d011ad656

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.