MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170
SHA3-384 hash: e658940748936b42a1f06c80325a20cc9f90bec268ced1ef25ec35eb4b628d50a015aaf8c5a3ab15911b0ed6fd7cb73b
SHA1 hash: fda1a269ace06d9b044f36b63101a5ec1fc10708
MD5 hash: 05807156c2c50bb5161b5d1f432d8c58
humanhash: moon-diet-venus-island
File name:05807156c2c50bb5161b5d1f432d8c58.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'688'000 bytes
First seen:2021-03-13 07:27:50 UTC
Last seen:2021-03-13 09:48:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:w/2zBMwQENQm4pZvxoDf6IG/qEPR4tJ+UA5k9EI:w/EBMtEIpZWDfyhutJ+UAk9Z
Threatray 447 similar samples on MalwareBazaar
TLSH 1BC5F102F4559CD5D7E615B2A8AFD4240262EEAFF071731F2AAA362495B32331417F8F
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
05807156c2c50bb5161b5d1f432d8c58.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-13 07:31:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a4fedc58-bb62-4864-8413-cb02cbc23441

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/124039/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42869.3542.7161.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/638452
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Contains functionality to steal Internet Explorer form passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170/
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-03-08 20:25:24 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
49c3cd2478d1dcf8ce1d1f49b31049bac657b957183d397ba670f522dd9e21a7
RaccoonStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
RaccoonStealer
a1863d5f70d6f6f41b86c9608d9995b3ba1f19616681851d5c2a2e254d14c9a4
RaccoonStealer
c3c2a6747a34c92023bef1d5abc604f697408e60ee64d1155af7a8c62727e894
RaccoonStealer
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
RaccoonStealer
d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7
RaccoonStealer
d2c1530870532abdf2123652c9f97dc9de79dc8aabbb8cfd185b1011d6cdbb01
RaccoonStealer
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
RaccoonStealer
da045fcbd63520920626c45655b87da65e0e6cdc26f7bc20dfbfb6f667be9dbf
RaccoonStealer
e4b66c012c3fc7ea1857807a3fba0aa9b5c70d975a3c3152550709aa0d7cb9e7
RaccoonStealer
+ 437 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:99fdcb30af520f176f0e14e858c8bb23c13330d9 agilenet stealer
Link:
https://tria.ge/reports/210313-7qgjd5kpse/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170
MD5 hash:
05807156c2c50bb5161b5d1f432d8c58
SHA1 hash:
fda1a269ace06d9b044f36b63101a5ec1fc10708
Link:
https://www.unpac.me/results/a68a7151-a276-4d10-b0bb-e00c6298f705/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe c5eee53cdd6b6cbbd5019764f7ad3a74de92d1629619e972b8a3a1a7d2994170

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1061083/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124039/

Comments