MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d72189427c4e17ccdf9d992e0eaccffd7197448a89800b56e51969aeeda3e740. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RaccoonStealer
Vendor detections: 4
| SHA256 hash: | d72189427c4e17ccdf9d992e0eaccffd7197448a89800b56e51969aeeda3e740 |
|---|---|
| SHA3-384 hash: | 0b594d2ec3f23d436bd67e2251320cab5078ed1d200a29c3ef8e1b9410351a52fce83aaf312a144f6f6ebe935ddee1f2 |
| SHA1 hash: | 53800b3d64121ed9caa6e58bd5c3f2caff8d73cc |
| MD5 hash: | 76045ee25aea099b4420e7f16bf969ca |
| humanhash: | steak-ink-london-spring |
| File name: | c23e0ac1ce6406592451b6e7c25ed1e2.exe |
| Download: | download sample |
| Signature | RaccoonStealer |
| File size: | 551'936 bytes |
| First seen: | 2020-03-29 18:39:03 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5be98ac985acbdb4368c26a681797375 (2 x RaccoonStealer) |
| ssdeep | 12288:09ueujJm6/nVWWuPYTPSAwGiAMXbT51EM2KuQ3ifAoStC2H:09u9lm6/VzoYTvcLTHENgH |
| Threatray | 164 similar samples on MalwareBazaar |
| TLSH | 66C49F2175B18072E17280727DA8E760597DBC3009354D5B73EC4A2E1EF2AD2EB25B7B |
| Reporter |  abuse_ch |
| Tags: | exe GuLoader RaccoonStealer |
abuse_ch
Payload dropped by GuLoader from the following URL:https://ophtalmiccenter.com/wp-content/themes/06f8f5e0c9a1f9e3fe2f4d72fcaa84ea1760e236_encrypted_1B94070.bin
Intelligence
File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Gathering data
Threat name:
Win32.Trojan.Racealer
Status:
Malicious
First seen:
2020-03-29 19:35:34 UTC
File Type:
PE (Exe)
AV detection:
29 of 47 (61.70%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 154 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
2fc1c1626f905d4a8cb906edbe4a21eff43864ac50a14241cb37cccbee4eb896
Dropped by
MD5 c23e0ac1ce6406592451b6e7c25ed1e2
Dropped by
MD5 5709cebbf8ca3f7ade5498a50100b52e
Dropped by
GuLoader
Dropped by
SHA256 2fc1c1626f905d4a8cb906edbe4a21eff43864ac50a14241cb37cccbee4eb896
Dropped by
SHA256 53a588bf4cb891309cf246fccf926560e509558300d4221fca3f7044096c8562
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::ConvertSidToStringSidW |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| DP_API | Uses DP API | CRYPT32.dll::CryptUnprotectData |
| GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipGetImageEncoders gdiplus.dll::GdipAlloc |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetTokenInformation |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessWithTokenW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle WINHTTP.dll::WinHttpCloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileTransactedA KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateDirectoryTransactedA KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameA ADVAPI32.dll::GetUserNameA |
| WIN_BCRYPT_API | Can Encrypt Files | bcrypt.dll::BCryptDecrypt bcrypt.dll::BCryptDestroyKey bcrypt.dll::BCryptGenerateSymmetricKey bcrypt.dll::BCryptOpenAlgorithmProvider bcrypt.dll::BCryptSetProperty bcrypt.dll::BCryptCloseAlgorithmProvider |
| WIN_CRED_API | Can Manipute Windows Credentials | ADVAPI32.dll::CredEnumerateW |
| WIN_CRYPT_API | Uses Windows Crypt API | ADVAPI32.dll::CryptAcquireContextA ADVAPI32.dll::CryptCreateHash ADVAPI32.dll::CryptGetHashParam ADVAPI32.dll::CryptHashData |
| WIN_HTTP_API | Uses HTTP services | WINHTTP.dll::WinHttpConnect WINHTTP.dll::WinHttpOpen WINHTTP.dll::WinHttpOpenRequest WINHTTP.dll::WinHttpQueryDataAvailable WINHTTP.dll::WinHttpQueryHeaders WINHTTP.dll::WinHttpReadData |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegQueryValueExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.