MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8f770f30f9183c128d62fd61e50b2a65d2afbcbbb68d8804803b220d81ef053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	d8f770f30f9183c128d62fd61e50b2a65d2afbcbbb68d8804803b220d81ef053
SHA3-384 hash:	d8f615f5f526040bb4020419cde7f8410e7c0f27d08141a1317f503a3f55e4eb7454d5fa5a668274a99d366a1b21693c
SHA1 hash:	788217a2349fd3e1feef6f9443fffbe64df2316c
MD5 hash:	535a6e90854ce3933a96c9d32a47c830
humanhash:	kentucky-high-social-romeo
File name:	file
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	143'360 bytes
First seen:	2022-12-21 09:29:44 UTC
Last seen:	2022-12-22 13:15:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d864a0f85533793e0e80b085aa445269 (1 x CoinMiner, 1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep	3072:HGJUD+nJQQ5auAGFui3Swp9T4zZuN/zlTHve:HGeKnJD5RD9pZP/zl
Threatray	160 similar samples on MalwareBazaar
TLSH	T151E38E2B6F4410B2F611FFB28C2980B2E2BE52F527185C797B5F6929F6720C91235727
TrID	40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 12.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.0% (.EXE) Win32 Executable (generic) (4505/5/1) 5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	andretavare5
Tags:	exe RaccoonStealer

andretavare5

Sample downloaded from https://vk.com/doc16081047_653449642?hash=JbS6uQOaXWOegXRORL5XEk7l2qxZzCWgG2j8wrZ5Qu4&dl=GE3DAOBRGA2DO:1671611882:2g3m6O53XWlroDhMxas1aZp83V8YDqTIuc3ZYGKEh4z&api=1&no_preview=1#ustan10k

Intelligence

File Origin

# of uploads :

643

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

file

Verdict:

No threats detected

Analysis date:

2022-12-21 09:30:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8d3a629e-f3d5-4a0e-98b7-5ca62e1f13ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/348656/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.18700.16833.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Gathering data

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/28849c92-ebfa-4394-9dd3-d5637c5b8942

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8f770f30f9183c128d62fd61e50b2a65d2afbcbbb68d8804803b220d81ef053/

Threat name:

Win32.Trojan.Rozena

Status:

Malicious

First seen:

2022-12-21 09:30:07 UTC

File Type:

PE (Exe)

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3d3xb4ypsgb4ckgwf7lb4ufsuzosv66lxnunraciaozcbwa66bjq._file

Verdict:

malicious

Label(s):

raccoon

Similar samples:

0ab667dc59ad6ac24333bab211bf1bf9c85f90be59f12cfc7ca46b1ee2e9393d

0cca5a92d41a8ea26a8e4051cf62f6a7ab157461006f34bb139684c365dfc6f9

260d69ea7e9147cacca89536dc28598a00707c37c568c610d119faa532ac0a8d

93cb7dd5d6bfd3d1d2d14b2f9bc1dbc57666343bfd42f289525e0999987c2d7e

aa4185102f68d05e1dc41d46e7b65cfb4a12e1f8694b7300264a6044a51f6931

b8a0a0d472bfa63a3a41fb6a321a73874460a4e25971959c64450d1da3aacc91

d3ebf5179cfeee390848119eac91057385b6746835b80093f47637cb83895b42

ed75d66b5d971ec01613881d3e088081222411e8315428e6cb049d5699ce31bc

f0aaf7ed92def94883ce317c950802e8779a7807b807d3efcc922116e8cad652

+ 150 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/221221-lgghqafb2s/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

11cc4b4d8d4d79ddf72ef244ed8634bb666865d2cad7de8e23a33825fffb52a0

MD5 hash:

e8f6f714bb57444964b2c9244835ccaf

SHA1 hash:

c26f31eacd0ad5eb07aa8956e4a0f9c599732831

Link:

https://www.unpac.me/results/2a232f22-efe5-4a7e-93c9-376e208db6ca/

SH256 hash:

d8f770f30f9183c128d62fd61e50b2a65d2afbcbbb68d8804803b220d81ef053

MD5 hash:

535a6e90854ce3933a96c9d32a47c830

SHA1 hash:

788217a2349fd3e1feef6f9443fffbe64df2316c

Link:

https://www.unpac.me/results/2a232f22-efe5-4a7e-93c9-376e208db6ca/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d8f770f30f91/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d8f770f30f9183c128d62fd61e50b2a65d2afbcbbb68d8804803b220d81ef053

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

Cape

https://www.capesandbox.com/analysis/348656/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample