MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78
SHA3-384 hash:	779f8cb85d018f8047342695c260e105faee7d980014bdc3e1d8fa8abf2bad18ac5912df46ae930e6985053b2c6817e5
SHA1 hash:	26490592f3d71c2aaff76760e9d6ce7daeaf8a8f
MD5 hash:	be6381dc3f83d6134c2d23f6607be2ed
humanhash:	three-pluto-don-mango
File name:	file
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	2'195'456 bytes
First seen:	2023-08-16 14:05:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:7NDh/Et25n61RW2wzG9RI7Z7v4uCJIJIJv5nQmDFzyLW0/Yzq1xxqKOI:MY4uCJIJIJR4WAd1
TLSH	T156A53B017E54DA12F059D237C2DF440907E4BC047BA7FB2B7BA8776D58123AB3C499AA
TrID	51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.4% (.EXE) Win64 Executable (generic) (10523/12/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	f0f0d0d0d8c0c4c4 (1 x RaccoonStealer)
Reporter	andretavare5
Tags:	exe RaccoonStealer

andretavare5

Sample downloaded from https://vk.com/doc801981293_667932148?hash=qDkXeRt6iOUx4359rV0YzPCJLHTvqLQciH6GiJqIBqg&dl=4rySXFmh26SemrnHj2C8pb0cgHJ82YSfX78sv47pj4T&api=1&no_preview=1#v2

Intelligence

File Origin

# of uploads :

# of downloads :

356

Origin country :

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-08-16 14:06:32 UTC

Tags:

stealer raccoon recordbreaker raccoon_stealer loader

Link:

https://app.any.run/tasks/5c26b4a9-4c91-4487-a946-5f5f26b74505

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon Infostealer

Link:

https://www.capesandbox.com/analysis/443069/

Detection(s):

SecuriteInfo.com.FileRepMalware.683.26385.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/28d5e53d-6e19-42b2-aadf-6e85ccad21b3

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1292200

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

DLL side loading technique detected

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-08-16 14:06:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3f7iys4en4luhoxcjajx5fvx5vgcihxxdkvcejzupzy7kcpqzv4a._file

Verdict:

malicious

Label(s):

raccoon

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:8c02f5edc9bd60a9dac0ee41df0c95a1 stealer

Link:

https://tria.ge/reports/230816-redxpsbc64/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Raccoon

Raccoon Stealer payload

Malware Config

C2 Extraction:

http://91.103.252.217:80/

Unpacked files

SH256 hash:

144966f6e5582455830b72b940dad542820f2630ebefbef63df534fae1ac6d34

MD5 hash:

61f0d89d924ddb8566992113c97636da

SHA1 hash:

c0a347d19d8123e533eaa4a2c7433cb6e1cbc9ef

Link:

https://www.unpac.me/results/871d779f-1c64-46dc-b1f4-8411aea1d92b/

SH256 hash:

e7460215eed839d51240db93d6cb714798d78422d839e69e5dbce91af568dbef

MD5 hash:

0ad872711d0efccbbfe76c1ff09191ef

SHA1 hash:

31b9eeee4fff05b3f5933a3022ea12febc6e031d

Link:

https://www.unpac.me/results/871d779f-1c64-46dc-b1f4-8411aea1d92b/

SH256 hash:

198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05

MD5 hash:

9b3a1b5d3ffe9fb9db6c5aaefa1ae076

SHA1 hash:

0da05e4c72430da0d061a02cd6cf50c41e6bd83a

Link:

https://www.unpac.me/results/871d779f-1c64-46dc-b1f4-8411aea1d92b/

SH256 hash:

d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78

MD5 hash:

be6381dc3f83d6134c2d23f6607be2ed

SHA1 hash:

26490592f3d71c2aaff76760e9d6ce7daeaf8a8f

Link:

https://www.unpac.me/results/871d779f-1c64-46dc-b1f4-8411aea1d92b/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d97e8c4b846f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/443069/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample