MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4f050d928fd7fa9598b6eaa3fceb24503b3e5d9592373c74d1e479878bb2fd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	c4f050d928fd7fa9598b6eaa3fceb24503b3e5d9592373c74d1e479878bb2fd5
SHA3-384 hash:	be46f5e34de2b6d098fe28fe93da4c275452bf799da702b0be20280a2bc3910ffa5d866ac107c36936bf80706ea414e7
SHA1 hash:	70f670be17a72b32d81919b71deeed59a6442983
MD5 hash:	3194220035151f5557c3ece5e4bcc5ee
humanhash:	sad-bacon-fanta-quebec
File name:	file
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	6'652'928 bytes
First seen:	2022-10-04 12:00:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5af53b96a03972def1a5f287c0c1d5c (23 x RecordBreaker, 8 x RaccoonStealer)
ssdeep	98304:AkTO6eDUxqJuaOUq7GkAL1LmZPFlimU0HUBi9sA0m4WtimEehaSw5n:AkTORYqUatqaZIXtUjBixZnCn5
Threatray	588 similar samples on MalwareBazaar
TLSH	T1936612A752294987FBD48C35D436EFF772B4327B9F83943830EAE6C63401A91E50B526
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	80aaa27169696969 (1 x RaccoonStealer)
Reporter	andretavare5
Tags:	exe RaccoonStealer

andretavare5

Sample downloaded from https://omgwowxisj.tk/login/ybiotmwcnprgwdk.c.exe

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316498/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file

Creating a file in the system32 subdirectories

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41067/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/633c2047d5955f6f49d5de3f/reports/90851423-bebf-4cd6-b474-24ba4104b9c0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/08fcf3ad-a1bf-4961-b915-fd03f5d93d05

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1083209

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c4f050d928fd7fa9598b6eaa3fceb24503b3e5d9592373c74d1e479878bb2fd5/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2022-10-04 12:01:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ytyfbwji7v72swmln2vd7tvsiub3hzozlerxhr2ndzdzq6f3f7kq._file

Verdict:

suspicious

Label(s):

raccoon

RaccoonStealer

1617243bf260c15ffcb501df0b05d89af6f0590d1e779be89a53e56823f6e8b7

RaccoonStealer

462d28d7f7f0ceb1a2e5f59f8dbf5f1650e4370a0edc8faccfad3ebac73baafc

RaccoonStealer

4ec69d6a18974df6344363827ce77bb9e5eee5bf5082f71698f134c91c9a6138

RaccoonStealer

754d637166838352780c8e0e611a21f4886f98a82cca0c8a32bf1df3e3c35f1f

RaccoonStealer

78b811d0d4031e590324cc4892780f4caa5bb94dc92bbc04f8ea2dc254ac5c8b

RaccoonStealer

a48ba6c3447ff9e85c9524ce4a90771735e5ca09c917b74fce272e5ba171e5a7

RaccoonStealer

+ 578 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:f28f2d25a477bb5982a99746a8f3492c discovery spyware stealer

Link:

https://tria.ge/reports/221004-n6bpwabbdq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://94.131.101.170/

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/da6753fa-7129-46c2-ad10-2f0448a08e0f

Unpacked files

SH256 hash:

92fd221325d2c2c3579725334e9ec1baea60919f6489d2da189312c45ebc8937

MD5 hash:

3963e4ab0a21271af8efaa701b10c2d6

SHA1 hash:

9722380c66fea6e582fdfc2d5149610738bfa313

Link:

https://www.unpac.me/results/3372967d-b2b1-4b07-a733-048527b418e7/

SH256 hash:

c4f050d928fd7fa9598b6eaa3fceb24503b3e5d9592373c74d1e479878bb2fd5

MD5 hash:

3194220035151f5557c3ece5e4bcc5ee

SHA1 hash:

70f670be17a72b32d81919b71deeed59a6442983

Link:

https://www.unpac.me/results/3372967d-b2b1-4b07-a733-048527b418e7/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c4f050d928fd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c4f050d928fd7fa9598b6eaa3fceb24503b3e5d9592373c74d1e479878bb2fd5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/316498/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample