MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d40788efcdad214c3e3e280d956c1fb0af25dec1502e64f4a0cbe5e6c8676d83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 16



SHA256 hash: d40788efcdad214c3e3e280d956c1fb0af25dec1502e64f4a0cbe5e6c8676d83
SHA3-384 hash: b3b94ee92b98a95397356e0ee41acbb9b0fe293cb188e31dfe68ab97f98b800ebff0690a5b5b46eb6c7d05a2aa615e94
SHA1 hash: ef13643a9104dd7e8f83e2bb0465d63bfd29594f
MD5 hash: c9acb5656d5c2fea03a1d840bce3b318
humanhash: river-kitten-lithium-cold
File name: c9acb5656d5c2fea03a1d840bce3b318
Signature: RaccoonStealer
File size: 731'648 bytes
First seen: 2022-02-28 22:20:32 UTC
Last seen: 2022-03-01 00:17:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: acb91f91490aac8ffe4a6888d08bb763 (1 x RaccoonStealer, 1 x TeamBot)
ssdeep: 12288:6qGVrDsT2KNmuZ4jJDAC2kLdYliaieJI52KPdbFhHJEpsPUC8:61MzNmuZCDBpYAn2KtHtP/8
Threatray: 6'227 similar samples on MalwareBazaar
TLSH: T119F42322B6D2DC76D19520708CF4DBA52FBFB82105208D4F7764273A7E62BD19B3A352
dhash icon: 38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe RaccoonStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 249
Origin country: n/a

Vendor Threat Intelligence
Malware family: socelars
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2022-03-02 14:00:16 UTC
Tags: evasion trojan socelars stealer loader rat redline vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID 580201; rendered as an image on the original page; sample CClB2hFvbS, start date 28/02/2022, architecture WINDOWS, score 100). Recoverable contents of the graph:
Process chain: CClB2hFvbS.exe starts a second CClB2hFvbS.exe, which starts cmd.exe, which in turn starts conhost.exe and timeout.exe
Network: store-images.s-microsoft.com; 103.155.93.35 port 80 (TWIDC-AS-APTWIDCLimitedHK); 194.180.191.241 ports 49751, 49754, 49756 (MIVOCLOUDMD); 2 other IPs or domains
Dropped files: C:\Users\user\AppData\...\vcruntime140.dll, C:\Users\user\AppData\...\ucrtbase.dll, C:\Users\user\AppData\...\softokn3.dll (all PE32); 56 other files (none is malicious)
Signatures attached to the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Self deletion via cmd delete; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); plus 4 other signatures on the root node and 2 other signatures on the first process node
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-02-28 17:48:00 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:1c0fad6805a0f65d7b597130eb9f089ffbe9857d stealer suricata
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
Unpacked files
SHA256 hash: 548ba1f0793f18ad70fa7efaf7295d97c68e44094de7c1cd20d850fe968401a0
MD5 hash: b5786ba43f74847fb464f3e4c61b2f1a
SHA1 hash: 18a1cdbe72301c40b8c7edcf93f988ffbd96d4af
SHA256 hash: 66aa75b6ff30878da162d4d3de032a34bf5a9b6cf69bdd203e3a35d7ad34722d
MD5 hash: ac6e1ae6d9ce785835571a72729132f2
SHA1 hash: 51c0c9f75bdad7d7097f42b735b3b2c18721a33a
SHA256 hash: 57d8722b81f3422d9e11479df8cdb6d060a88a9a19d5830081b6e438359bfffd
MD5 hash: 99a2d926038a79ae9fb71464b9bbc446
SHA1 hash: c8bbe2953a8f56e738c961c496d84b616fa22fa7
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: d40788efcdad214c3e3e280d956c1fb0af25dec1502e64f4a0cbe5e6c8676d83
MD5 hash: c9acb5656d5c2fea03a1d840bce3b318
SHA1 hash: ef13643a9104dd7e8f83e2bb0465d63bfd29594f
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RaccoonStealer
Executable exe d40788efcdad214c3e3e280d956c1fb0af25dec1502e64f4a0cbe5e6c8676d83 (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2022-02-28 22:20:33 UTC

url: hxxp://file-coin-coin-10.com/files/8243_1646062349_9751.exe