MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d73091cdaa94599269cac0340ee1bc463581cd01639995af12fbd7e8ac18ce13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	d73091cdaa94599269cac0340ee1bc463581cd01639995af12fbd7e8ac18ce13
SHA3-384 hash:	232aacc184d4987d1d20de0148b4bbf345e9849be8a545e6cb4408f6fe681647fcc0bcec9514582f93bc87c90715ae70
SHA1 hash:	9aebddfe5c91d43de8df6df3a91c5ce7e49fa5e2
MD5 hash:	d4c5c222087782c82c8866b7f918d78c
humanhash:	foxtrot-fanta-red-salami
File name:	Main-Installer.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	486'912 bytes
First seen:	2021-07-03 06:22:45 UTC
Last seen:	2021-07-03 06:54:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	372f389f6695b5e1ea358dd4c58300aa (2 x CryptBot, 1 x RaccoonStealer)
ssdeep	12288:s/iwsGhQs3PZ/KlKNGGkrP9ISrSqHFzgyX1zl3ifKmVGxV53:sawthX0B9B0yFxSfKpD
TLSH	3CA41212F680C032CC9250700E64C7615E7D7D322AB8C947B3D91BABEF717D2B5AA75A
Reporter	RTrappman
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Main-Installer.exe

Verdict:

No threats detected

Analysis date:

2021-07-03 06:28:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b0e5587c-517e-493b-adc3-081c7538e12f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/169474/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37178058.6364.5508.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed3f483b-21ba-4a35-86ed-51d273025af2

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/d73091cdaa94599269cac0340ee1bc463581cd01639995af12fbd7e8ac18ce13/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-07-02 20:40:19 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=24yjdtnksrmze2okya2a5yn4iy2ydtibmomzllys7pl6rlayzyjq._file

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon discovery spyware stealer

Link:

https://tria.ge/reports/210703-ekwkz114xe/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Unpacked files

SH256 hash:

43a804b6325edb78f72e14a39313a9e18ae5e1f07f5e57b830d30b048e84616a

MD5 hash:

e8ef88e32e94cdd311ad3217870dd677

SHA1 hash:

663e829715e6ddb7b9fada1a53a997e93746b6f5

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/a40cd562-5a3c-4cb7-9ab1-6645500dd67e/

Parent samples :

d73091cdaa94599269cac0340ee1bc463581cd01639995af12fbd7e8ac18ce13
d69d7bbed75165b50ae8be1e9d3afd6752d4aa19d985af13b8134f8938901e5a
17ed7923fd51a37a4511508b3f54b79ac2d62196e148dd13230d3f9be95b362f

SH256 hash:

d73091cdaa94599269cac0340ee1bc463581cd01639995af12fbd7e8ac18ce13

MD5 hash:

d4c5c222087782c82c8866b7f918d78c

SHA1 hash:

9aebddfe5c91d43de8df6df3a91c5ce7e49fa5e2

Link:

https://www.unpac.me/results/a40cd562-5a3c-4cb7-9ab1-6645500dd67e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d73091cdaa94599269cac0340ee1bc463581cd01639995af12fbd7e8ac18ce13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/169474/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample