MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de3e53ef11c40625568ffbf773486d23efdbcc6831e1bca61915348940798ae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de3e53ef11c40625568ffbf773486d23efdbcc6831e1bca61915348940798ae9
SHA3-384 hash: 166920785d46f7ad5fdd3e4c6c4bcf61d906421cab41b37927b87c5f204f179c0efb5afdb36f411fd29af21d4a38bae5
SHA1 hash: 58b410c4a41f4dfd18cc02c61337ed7b8ea63d87
MD5 hash: c066a9b74c6ed33fb7e8a8f94413b798
humanhash: oxygen-nuts-harry-venus
File name:driver_booster_setup.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:33'573'449 bytes
First seen:2023-09-17 10:39:31 UTC
Last seen:2023-09-17 11:44:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ee3b0da38e7b7c567f93f357ca3751c (2 x RedLineStealer, 2 x RaccoonStealer, 1 x QuasarRAT)
ssdeep 786432:hE3jlM8Ok4SswMWifNtt7Z1oGwnicL1cHDC0s3T:y3jlgk37MW8NttpSLCH0D
Threatray 74 similar samples on MalwareBazaar
TLSH T14F772330738AC53BD6621570AA2CDBAF51697BB50F7294C7A3D81D6E04B48C29732E37
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c0d4ec80b0b4b4e4 (5 x RaccoonStealer, 4 x RedLineStealer, 4 x LummaStealer)
Reporter likeastar20
Tags:exe Raccoon Stealer RaccoonStealer RAT Redline

Intelligence

File Origin
# of uploads :
2
# of downloads :
400
Origin country :
BG BG
Vendor Threat Intelligence
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
control fingerprint greyware lolbin msiexec overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/6506d78386207ed6281f2e09/reports/adde6db9-2280-4cee-b8a8-a772841d9d96/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/de3e53ef11c40625568ffbf773486d23efdbcc6831e1bca61915348940798ae9
Result
Verdict:
MALICIOUS
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309568
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309568 Sample: driver_booster_setup.exe Startdate: 17/09/2023 Architecture: WINDOWS Score: 100 84 Multi AV Scanner detection for domain / URL 2->84 86 Found malware configuration 2->86 88 Antivirus detection for URL or domain 2->88 90 9 other signatures 2->90 9 msiexec.exe 90 40 2->9         started        12 driver_booster_setup.exe 51 2->12         started        process3 file4 48 C:\Windows\Installer\MSI7B07.tmp, PE32 9->48 dropped 50 C:\Windows\Installer\MSI7AE7.tmp, PE32 9->50 dropped 52 C:\Windows\Installer\MSI7AC7.tmp, PE32 9->52 dropped 60 4 other malicious files 9->60 dropped 14 Patch.exe 1 9->14         started        17 driver_booster_setup.exe 2 9->17         started        20 msiexec.exe 9->20         started        22 msiexec.exe 9->22         started        54 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 12->54 dropped 56 C:\Users\user\...\driver_booster_setup.exe, PE32 12->56 dropped 58 C:\Users\user\AppData\Roaming\...\Patch.exe, PE32 12->58 dropped 62 2 other malicious files 12->62 dropped 24 msiexec.exe 4 12->24         started        process5 file6 102 Antivirus detection for dropped file 14->102 104 Multi AV Scanner detection for dropped file 14->104 106 Machine Learning detection for dropped file 14->106 108 4 other signatures 14->108 26 RegAsm.exe 15 6 14->26         started        30 RegAsm.exe 14->30         started        46 C:\Users\user\...\driver_booster_setup.tmp, PE32 17->46 dropped 33 driver_booster_setup.tmp 25 17->33         started        signatures7 process8 dnsIp9 78 microsoft-auth-network.cc 85.217.144.194, 49725, 80 WS171-ASRU Bulgaria 26->78 80 95.214.24.244, 49726, 80 CMCSUS Germany 26->80 64 C:\Users\user\AppData\...\WindowsServices.exe, PE32 26->64 dropped 35 WindowsServices.exe 3 26->35         started        38 conhost.exe 26->38         started        110 Found evasive API chain (may stop execution after checking mutex) 30->110 112 Tries to delay execution (extensive OutputDebugStringW loop) 30->112 66 C:\Users\user\AppData\...\libssl-1_1.dll, PE32 33->66 dropped 68 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 33->68 dropped 70 C:\Users\user\AppData\Local\...\RdZone.dll, PE32 33->70 dropped 72 6 other files (5 malicious) 33->72 dropped 40 setup.exe 33->40         started        file10 signatures11 process12 dnsIp13 92 Antivirus detection for dropped file 35->92 94 Multi AV Scanner detection for dropped file 35->94 96 Machine Learning detection for dropped file 35->96 100 2 other signatures 35->100 43 RegAsm.exe 35->43         started        74 cs833182181.wpc.etacdn.net 152.195.19.156, 49732, 49733, 49734 EDGECASTUS United States 40->74 76 update.iobit.com 40->76 98 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 40->98 signatures14 process15 dnsIp16 82 193.142.147.59, 80 FREERANGECLOUDCA Netherlands 43->82
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-17 10:40:09 UTC
File Type:
PE (Exe)
Extracted files:
2325
AV detection:
10 of 23 (43.48%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3y7fh3yryqdckvup7p3xgsdnepx5xtdighq3zjqzcu2isqdzrluq._file
Verdict:
malicious
Similar samples:
0240347f0a7e6318facda5d29103c2dba44ef0d45f76706cd5ade058a69c0c55
RaccoonStealer
0ec8d01e78f2157589701925ec97ada690046fa17ca65a0db766d96533529aab
RaccoonStealer
0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507
RaccoonStealer
72e8ea93fb9881413437161535b9a6206f7aabeafd9b86b025f2b7e32025ffdc
RaccoonStealer
943b334ccda76270d430e89e6c60486473fce93d0b773faeb39a8839cdf67c3d
RaccoonStealer
b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a
RaccoonStealer
d48b986d716fe5388a53ae46e743038128f9b0b79213467314fcc76715725ac3
RaccoonStealer
d82b69c1b464213cb75866f3b9a01f23df9bd968eb1c8e88fbf54f9749d01047
RaccoonStealer
+ 64 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230917-mqhykshf8z/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de3e53ef11c40625568ffbf773486d23efdbcc6831e1bca61915348940798ae9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropping
Redline

Comments