MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7
SHA3-384 hash: c4727134aa2ba31276b8ea8cf8e618ae0358dd0c1f69529da49a9c760e4de397066f2cf5ed9c50513057bf03a2780505
SHA1 hash: d5e30de9048d8504bdb107cc2f6c0cf03b2f2944
MD5 hash: 244e2b33409a9e54f6b1cc980ea663a4
humanhash: sixteen-bulldog-princess-glucose
File name:d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'624'096 bytes
First seen:2020-10-08 07:37:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 98304:LX4/fyzQFVeBTk3l8bsMwyGpTcuHbvhjGxsAYs:7Efk43l8QMSpTcu7JHA
Threatray 159 similar samples on MalwareBazaar
TLSH CE261227B298653EC4AA37310573A01058FBA6BDF517BE1677F4C88DCF660C01E3AA65
Reporter JAMESWT_WT
Tags:Grina LLC Raccoon RaccoonStealer Racealer signed

Code Signing Certificate

Organisation:Grina LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 3 00:00:00 2020 GMT
Valid to:Oct 3 23:59:59 2021 GMT
Serial number: 7709D2DF39E9A4F7DB2F3CBC29B49743
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 04349BA0F4D74F46387CEE8A13EE72AB875032B4396D6903A6E9E7F047426DE8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'635
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69138/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Sending a UDP request
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Deleting a recently created file
Creating a process with a hidden window
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching a process
Replacing files
DNS request
Sending a custom TCP request
Reading critical registry keys
Delayed reading of the file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
81 / 100
Link:
https://www.joesandbox.com/analysis/485096
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295000 Sample: 6VZtrDL9zf.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 81 80 Multi AV Scanner detection for domain / URL 2->80 82 Antivirus detection for URL or domain 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 4 other signatures 2->86 12 6VZtrDL9zf.exe 2 2->12         started        process3 file4 56 C:\Users\user\AppData\...\6VZtrDL9zf.tmp, PE32 12->56 dropped 15 6VZtrDL9zf.tmp 8 20 12->15         started        process5 file6 66 C:\Program Files (x86)\is-RAF9H.tmp, PE32 15->66 dropped 68 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 15->68 dropped 70 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 15->70 dropped 72 2 other files (none is malicious) 15->72 dropped 18 wscript.exe 1 15->18         started        20 build.exe 15->20         started        process7 process8 22 cmd.exe 2 18->22         started        24 cmd.exe 1 18->24         started        26 WerFault.exe 23 9 20->26         started        dnsIp9 29 host.exe 22->29         started        32 7z.exe 22->32         started        35 7z.exe 3 22->35         started        41 6 other processes 22->41 37 conhost.exe 24->37         started        39 timeout.exe 1 24->39         started        74 192.168.2.1 unknown unknown 26->74 process10 file11 88 Detected unpacking (changes PE section rights) 29->88 90 Maps a DLL or memory area into another process 29->90 92 Contains functionality to detect sleep reduction / modifications 29->92 43 host.exe 29->43         started        54 C:\ProgramData\VWnJ\extracted\host.exe, PE32 32->54 dropped signatures12 process13 dnsIp14 76 telete.in 195.201.225.248, 443, 49769 HETZNER-ASDE Germany 43->76 78 rsttrs.site 161.117.254.2, 443, 49771, 49774 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 43->78 58 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 43->58 dropped 60 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 43->60 dropped 62 C:\Users\user\AppData\...\vcruntime140.dll, PE32 43->62 dropped 64 57 other files (none is malicious) 43->64 dropped 94 Tries to steal Mail credentials (via file access) 43->94 96 Tries to harvest and steal browser information (history, passwords, etc) 43->96 48 cmd.exe 43->48         started        file15 signatures16 process17 process18 50 conhost.exe 48->50         started        52 timeout.exe 48->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-10-08 02:03:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
29 of 48 (60.42%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ko4gre4f5l6lhx5pdovcikk4657ohneja2pjtwelb2y3ylvco3q._file
Verdict:
malicious
Similar samples:
23d54479375d0aca8bf45a1d3a23ea344fa8fe60af98a497dd87268f354b9daa
RaccoonStealer
278025020e29df0c27394f4c5f17ac1a39752f87b913239f1a97e959ea7e8e87
RaccoonStealer
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
RaccoonStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
RaccoonStealer
9bcc8c53b64a1c1204d082fec31ee35cf9c140fd945facd23cb04f576eb2c3fc
RaccoonStealer
9c2978d525c68cceb114ea784ca6a6975dfee9ea7f2ac6aaebeb209a915524cb
RaccoonStealer
a1863d5f70d6f6f41b86c9608d9995b3ba1f19616681851d5c2a2e254d14c9a4
RaccoonStealer
c24d4b0bad49ff53860f0e1fde9455cef29bea9dd78d13c70f8cf402113522e4
RaccoonStealer
d8b4f035a0bfea78b46dcb6c904fa4ca84d7f758d2d5c749182e36d9f352a6b1
RaccoonStealer
da045fcbd63520920626c45655b87da65e0e6cdc26f7bc20dfbfb6f667be9dbf
RaccoonStealer
+ 149 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
spyware discovery
Link:
https://tria.ge/reports/201008-pq3cc5wnra/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Unpacked files
SH256 hash:
d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7
MD5 hash:
244e2b33409a9e54f6b1cc980ea663a4
SHA1 hash:
d5e30de9048d8504bdb107cc2f6c0cf03b2f2944
Link:
https://www.unpac.me/results/5309496d-7b4d-4585-b7be-2688f42f4d17/
SH256 hash:
6f2f288831ddda74306d25e8d1d9e52fb6d81cf9250214b3011d1bf705ea5314
MD5 hash:
6573faf8fe7d6f2ac8d779e42acaaccf
SHA1 hash:
02a2f8600cde8d656ec4b4f9bbcc97935188ca17
Link:
https://www.unpac.me/results/5309496d-7b4d-4585-b7be-2688f42f4d17/
SH256 hash:
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811
MD5 hash:
8e2d270339dcd0a68fbb2f02a65d45dd
SHA1 hash:
bfcdb1f71692020858f96960e432e94a4e70c4a4
Link:
https://www.unpac.me/results/5309496d-7b4d-4585-b7be-2688f42f4d17/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/5309496d-7b4d-4585-b7be-2688f42f4d17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d29dc3449c2f57e59efd78dd51214ae7bbf71da44834f4cec458758de17513b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_raccoon_a0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69138/

Comments