MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90
SHA3-384 hash: ab260c0bbbedb5f94dc67a33db8a7f272c3e28fc37e79434b40da89983fa49764e457e622c290ac5a328abdd1da32862
SHA1 hash: 7b8cadc70ee00aeaf0f808ce608d9d1f2cf488a2
MD5 hash: fdac2e9e28dab9d46d75e1a9d0463485
humanhash: mobile-colorado-floor-oranges
File name:fdac2e9e28dab9d46d75e1a9d0463485.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'100'224 bytes
First seen:2021-10-04 05:22:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94e2b0572ac9e87d08b3c525a2cff4f7 (16 x RedLineStealer, 4 x RaccoonStealer, 2 x ArkeiStealer)
ssdeep 49152:H7YMArGklBn1sel23vbqNsJfz1WnVcihBMVcEzx116:lKBeU23DXEjPCx
Threatray 1'809 similar samples on MalwareBazaar
TLSH T181A533FD7A91D779DDE85FF9CAF74A64308C0D8FE0C780191886617AC826AC62B47784
File icon (PE):PE icon
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-10-03 23:14:19 UTC
Tags:
evasion trojan loader opendir rat redline stealer vidar raccoon
Link:
https://app.any.run/tasks/cb311b13-cfe0-4e26-a0c6-2e7ac44206d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194416/
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/615c2fa0b95458900cdc6414/reports/cbdb47ed-1e01-472f-8f94-35a57b5b8eb8/overview
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/caf68b94-afc2-48be-a392-003b4883aad6
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863642
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496070 Sample: sDv1F90oB9.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 8 sDv1F90oB9.exe 2->8         started        process3 signatures4 44 Query firmware table information (likely to detect VMs) 8->44 46 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->46 48 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 8->48 50 4 other signatures 8->50 11 RegSvcs.exe 80 8->11         started        process5 dnsIp6 30 194.180.174.82, 49745, 80 MIVOCLOUDMD unknown 11->30 32 teletop.top 172.67.176.216, 49744, 80 CLOUDFLARENETUS United States 11->32 34 192.168.2.1 unknown unknown 11->34 22 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 11->22 dropped 24 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\...\mozglue.dll, PE32 11->26 dropped 28 56 other files (none is malicious) 11->28 dropped 52 Tries to steal Mail credentials (via file access) 11->52 54 Tries to harvest and steal browser information (history, passwords, etc) 11->54 56 DLL side loading technique detected 11->56 16 cmd.exe 1 11->16         started        file7 signatures8 process9 process10 18 conhost.exe 16->18         started        20 timeout.exe 1 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-03 17:45:54 UTC
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
RaccoonStealer
2232ded5541847acb7f73006ebe047b9008b4876f90590d9ffd324360f785037
RaccoonStealer
47ecf9882778e09cd99f29b89aa75d4396e783c1ef5c8e931601d6c1957fb3e5
RaccoonStealer
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
RaccoonStealer
9a1f36511ec56cbf0cf30080cdc11d8f261823079838cedd5ce0e6391ec815ef
RaccoonStealer
9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953
RaccoonStealer
a52de63a368575c4aded6fee0452dc23043e4c260388caac93c2242f0bdfe97c
RaccoonStealer
d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
RaccoonStealer
e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25
RaccoonStealer
+ 1'799 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:�u"jhi�g �˴��syp���@��nk6"a�b�g�=�(� evasion stealer trojan
Link:
https://tria.ge/reports/211004-f26qfsfgh3/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Unpacked files
SH256 hash:
2fe75510523207495c84bdee4ab5cbcc50553ec81cbe3d70a0b60885d497b5f8
MD5 hash:
df5592e78516cbd1e01d87559b440d10
SHA1 hash:
853bf2d02d77880092e0635aecddb152b2afebb0
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/0827b4bd-8c86-406e-9917-93a3c847f4ae/
SH256 hash:
6e4fd5cfe9c3629067f5f1ec89f70e3ddce1b379e7ec18b5bee37392cf23619e
MD5 hash:
8371456a6ef47103a0aa3e068a09a500
SHA1 hash:
88ce7d2099d4ed2579b42c362ff7e25e24683f25
Link:
https://www.unpac.me/results/0827b4bd-8c86-406e-9917-93a3c847f4ae/
SH256 hash:
dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90
MD5 hash:
fdac2e9e28dab9d46d75e1a9d0463485
SHA1 hash:
7b8cadc70ee00aeaf0f808ce608d9d1f2cf488a2
Link:
https://www.unpac.me/results/0827b4bd-8c86-406e-9917-93a3c847f4ae/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd75325c7035/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642901/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194416/

Comments