MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cca3df47e9579ccc7c35bee02c9ab2c1b55643e50e57528abf840229b5d082a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cca3df47e9579ccc7c35bee02c9ab2c1b55643e50e57528abf840229b5d082a8
SHA3-384 hash: 02b02c13c328f0a529a1b26ff12fa756b9c925dd509edbbc651f8b7975b66fc76d60f78dc7c2f777027646ea959c15e4
SHA1 hash: 97b2eaec93100f16d1878e6903896eb00f626925
MD5 hash: 42e13e9fb45e01c567b6d3c34caab781
humanhash: bluebird-spring-shade-hotel
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.59718.4609.2369
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:83'952 bytes
First seen:2020-11-16 22:42:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c8cd0b8ab3e6dcb84d86dab4529a94a (1 x RaccoonStealer)
ssdeep 1536:dLGFYt0df8opIRh0fyAqg010IpeqsR0FiRfA/bph3C6Ptz:YFY4kJX02ga7lsRUZplC61
Threatray 278 similar samples on MalwareBazaar
TLSH 11832833ED51D2E1F061CC309867A3F10E2A79F21B6041CE566C51DBFA6B2868E643F6
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.59718.4609.2369.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a custom TCP request
Reading critical registry keys
Creating a window
Creating a file
Deleting a recently created file
Delayed reading of the file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
DNS request
Sending an HTTP GET request
Stealing user critical data
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538574
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318382 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 Antivirus detection for URL or domain 2->51 53 6 other signatures 2->53 7 SecuriteInfo.com.Trojan.PWS.Siggen2.59718.4609.exe 21 2->7         started        process3 dnsIp4 37 icaterp.com 50.63.161.194, 49715, 49718, 80 GO-DADDY-COM-LLCUS United States 7->37 39 iplogger.org 88.99.66.31, 443, 49716 HETZNER-ASDE Germany 7->39 23 C:\Users\user\AppData\Roaming\D88A.tmp.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\jamkee[1].exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\...\fw1[1].exe, PE32 7->27 dropped 55 Detected unpacking (creates a PE file in dynamic memory) 7->55 57 Contains functionality to detect sleep reduction / modifications 7->57 12 D88A.tmp.exe 82 7->12         started        17 cmd.exe 1 7->17         started        file5 signatures6 process7 dnsIp8 41 telete.in 195.201.225.248, 443, 49721 HETZNER-ASDE Germany 12->41 43 puffpuff421.top 172.67.216.142, 443, 49724 CLOUDFLARENETUS United States 12->43 29 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 12->29 dropped 31 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->31 dropped 33 C:\Users\user\AppData\...\ucrtbase.dll, PE32 12->33 dropped 35 56 other files (none is malicious) 12->35 dropped 59 Detected unpacking (changes PE section rights) 12->59 61 Detected unpacking (overwrites its own PE header) 12->61 63 Tries to steal Mail credentials (via file access) 12->63 65 Tries to harvest and steal browser information (history, passwords, etc) 12->65 45 127.0.0.1 unknown unknown 17->45 19 conhost.exe 17->19         started        21 PING.EXE 1 17->21         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cca3df47e9579ccc7c35bee02c9ab2c1b55643e50e57528abf840229b5d082a8/
Threat name:
Win32.Trojan.Jobutyve
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 03:43:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsr56r7jk6omy7bvx3qczgvsyg2vmq7fbzlvfcv7qqbctnoqqkua._file
Verdict:
malicious
Similar samples:
13f9aaf463af2f611a36afe435ba5f3518f4583ce0b2d6e2a493a6f89c961e53
RaccoonStealer
218333bd24c8318b23dd2c9579df008329219ef3841a9bcbc17b4a725c075cae
RaccoonStealer
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
RaccoonStealer
352f3584318b67778fd06d1d96962117d12cff0a5945b6ae8825e2c1bbdf8b8c
RaccoonStealer
3f5236a82af731f886881c3e9abafe621e40b481b220f0b7639387860f795c16
RaccoonStealer
59a7beab1c7583b7995b157e9e87beb6fa0785c49784bf0b9d13bd143a696541
RaccoonStealer
5c0a5184329fafa9ef105ad31e3163c3c94c3433d4c0882c4a03ffdd2d16c75e
RaccoonStealer
ca4f7d501b768375a9d3f839eb87a1c824f1c9dfdef9f8863332318523ba652a
RaccoonStealer
de79f76f370c9eaa2f7fc5b169f414860d283607fdc4ea9b3980b31cf211da03
RaccoonStealer
e964b2343b3f9b9f2fe25d4af384ceceeea24e5402622c449487019a9eab21ac
RaccoonStealer
+ 268 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/201116-hh1gge8edn/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
cca3df47e9579ccc7c35bee02c9ab2c1b55643e50e57528abf840229b5d082a8
MD5 hash:
42e13e9fb45e01c567b6d3c34caab781
SHA1 hash:
97b2eaec93100f16d1878e6903896eb00f626925
Link:
https://www.unpac.me/results/a87dea21-ce7f-41e7-89b4-9537bcb4482f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe cca3df47e9579ccc7c35bee02c9ab2c1b55643e50e57528abf840229b5d082a8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/824217/
  
Delivery method
Distributed via web download

Comments