MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7158275bd1aeb9c788acaea6e8e8c683ac897844ccf7ea27a45dc3fe82b58c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7158275bd1aeb9c788acaea6e8e8c683ac897844ccf7ea27a45dc3fe82b58c3
SHA3-384 hash: 04ac5c35e252a25806972924eb1f7bfbf93d5b5d623054f3f66d476b20739ceb6b3a176d5fe9f09a87b85f6b6fb1cdcf
SHA1 hash: 08ac759597c2cbf891b251643152e0b6afdfac9b
MD5 hash: d498ec8286774d0d30c3563e84775653
humanhash: william-summer-sad-mars
File name:SecuriteInfo.com.W32.AIDetectGBM.malware.02.16429.30290
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:688'485 bytes
First seen:2021-02-21 13:51:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 12288:S5393whFOBBeGB0Rn9u9RK1i8RerebsahueyZ42FrHtRwliyIjfQJphs:S53uhF5O0l09RK1fRNbthXyq0HtMSj4W
Threatray 519 similar samples on MalwareBazaar
TLSH 30E412A1B9D250F7C0D3763056613E9A22BAFD2C0B1826D7779426077F632E1EB3D582
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118143/
Detection(s):
SecuriteInfo.com.W32.AIDetectGBM.malware.02.16429.30290.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.File.Generic-7135455-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613434
Signature
Contains functionality to register a low level keyboard hook
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355733 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 21/02/2021 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected Raccoon Stealer 2->47 9 SecuriteInfo.com.W32.AIDetectGBM.malware.02.16429.exe 4 2->9         started        process3 file4 35 C:\Users\user\AppData\...\AppVShNotify.exe, PE32 9->35 dropped 53 Contains functionality to register a low level keyboard hook 9->53 13 AppVShNotify.exe 13 9->13         started        signatures5 process6 signatures7 55 Detected unpacking (changes PE section rights) 13->55 57 Detected unpacking (overwrites its own PE header) 13->57 59 Maps a DLL or memory area into another process 13->59 16 AppVShNotify.exe 80 13->16         started        process8 dnsIp9 37 telete.in 195.201.225.248, 443, 49718 HETZNER-ASDE Germany 16->37 39 yearofthepig.top 104.21.50.15, 443, 49724 CLOUDFLARENETUS United States 16->39 27 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 16->27 dropped 29 C:\Users\user\AppData\...\vcruntime140.dll, PE32 16->29 dropped 31 C:\Users\user\AppData\...\ucrtbase.dll, PE32 16->31 dropped 33 56 other files (none is malicious) 16->33 dropped 49 Tries to steal Mail credentials (via file access) 16->49 51 Tries to harvest and steal browser information (history, passwords, etc) 16->51 21 cmd.exe 1 16->21         started        file10 signatures11 process12 process13 23 conhost.exe 21->23         started        25 timeout.exe 1 21->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7158275bd1aeb9c788acaea6e8e8c683ac897844ccf7ea27a45dc3fe82b58c3/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-02-20 16:17:46 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4kye5n5dlvzy6ekzlvg5dumna5mrf4ejthx5it2ixod72blldbq._file
Verdict:
malicious
Similar samples:
19d1a823a542c9b1ad03d2bf4d8a4382d549422e3b5dfd663131c669262ff546
RaccoonStealer
20e7b49fd70f92e6baf15b30760c19c88cf99f7cafd76be5c395e45b2f50c6c6
RaccoonStealer
3d52abc51bee95d4af35f871dd6b35fd1d08b89fb191b192d8da47988ec82e24
RaccoonStealer
5183727d0d1efeb8c406d0f94b128baca13431fed7fc8921173e5dfafdc26e21
RaccoonStealer
5ce6bbd67a94b1746e7201830358003aff2897e047f6b411acf459eb7ed1eab7
RaccoonStealer
72ffb33848edcaf7bd2c4fc56d9e65d2572f97ede9aaf9b98eb3bee837fe1a34
RaccoonStealer
86858e54ef062ffaf88f1fe285196d220d9fa32337f575d8eaa056995e292303
RaccoonStealer
90c5e2705fad463d320dc095b073115c7bf5bd1542b98deb87008ec83c925b20
RaccoonStealer
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
RaccoonStealer
eefd904b1e93918405583c367158e617077f8019ed16f1c2026707a1fda0cc50
RaccoonStealer
+ 509 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:324730a107fc8faf47c841b56b981a382de05954 discovery spyware stealer
Link:
https://tria.ge/reports/210221-g795ybhx7x/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
2a304174fa127b71c62cd03a9091f5404ed6df692231b7e34194b9be959cf654
MD5 hash:
6c4b6a82f3204ee73f5082cbc10bd285
SHA1 hash:
16660d042c15bb792255647135e5cc4684700f46
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/5d5f04e1-d38c-43df-88ed-3e42a50bd797/
Parent samples :
90c5e2705fad463d320dc095b073115c7bf5bd1542b98deb87008ec83c925b20
2a304174fa127b71c62cd03a9091f5404ed6df692231b7e34194b9be959cf654
19d1a823a542c9b1ad03d2bf4d8a4382d549422e3b5dfd663131c669262ff546
0104f14eaed47f8e6d367dcf82261bd01beca877952fffad629aac1a0d000fd9
c7158275bd1aeb9c788acaea6e8e8c683ac897844ccf7ea27a45dc3fe82b58c3
SH256 hash:
b6b1e76168d48a618cce6d6983ecb018af0e9452909aec797b3c708a45c281ca
MD5 hash:
2c58c129dd88e63f79f53b7105593f5f
SHA1 hash:
6c16dda17440a401f8bfa0e703390d627c557b99
Link:
https://www.unpac.me/results/5d5f04e1-d38c-43df-88ed-3e42a50bd797/
SH256 hash:
b672df029ce99ae7a7d1d44230772a8a92c06c4c287119ac6c2a9b43ec1bd42f
MD5 hash:
763cf745d331f54a0a07b45c38a1415d
SHA1 hash:
7bd327b1d67ede892c1364d3de9f9928a034f103
Link:
https://www.unpac.me/results/5d5f04e1-d38c-43df-88ed-3e42a50bd797/
SH256 hash:
c7158275bd1aeb9c788acaea6e8e8c683ac897844ccf7ea27a45dc3fe82b58c3
MD5 hash:
d498ec8286774d0d30c3563e84775653
SHA1 hash:
08ac759597c2cbf891b251643152e0b6afdfac9b
Link:
https://www.unpac.me/results/5d5f04e1-d38c-43df-88ed-3e42a50bd797/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe c7158275bd1aeb9c788acaea6e8e8c683ac897844ccf7ea27a45dc3fe82b58c3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1000486/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118143/

Comments