MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3a521d5c3658738ad9392436a7bfa4b494b6881b09173b0408d8a21473f31a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3a521d5c3658738ad9392436a7bfa4b494b6881b09173b0408d8a21473f31a0
SHA3-384 hash: 78fcb76f503c5f4f14f6ca6b5a7945dd33f45ab1e2e0eed16b2b4ace77c9672bcdb2629c2c3ce3e05ceefc5eef81166c
SHA1 hash: 017b9a4738fee94a998dc6c802ac8ba4af26ce6b
MD5 hash: 1b79fd18ad017aa7b390c80ce912ee09
humanhash: papa-freddie-arkansas-mobile
File name:1b79fd18ad017aa7b390c80ce912ee09.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'233'368 bytes
First seen:2023-01-20 19:53:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8bb1d2b3d7a38a26a36311f1c89ad6c (1 x SystemBC, 1 x LaplasClipper, 1 x RaccoonStealer)
ssdeep 98304:lwkoaGws9O18gFy8XklHcTfL68xRav060uhIj9eh8FE5gVA5ikWO+feDTLdKe:lwkoos9WQ8W8fGcavrJSj9e2FJCTMfeR
Threatray 238 similar samples on MalwareBazaar
TLSH T1AC5622A356654045D8E1D83EC633FDE531F22A538F81EC3B26EE39CB61325A1E64B607
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b79fd18ad017aa7b390c80ce912ee09.exe
Verdict:
Malicious activity
Analysis date:
2023-01-20 19:59:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b96610d-315d-4095-9d78-bf4306cb6e38

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355131/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61859/overview
Behaviour
MalwareBazaar
Verdict:
Unknown
Threat level:
n/a  -.1/10
Confidence:
80%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63caf1271c9cbf7d6250b94e/reports/838140a0-1cf8-44ef-85ec-2a3b771645f0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/aed7ae26-9286-4691-9389-bda3d1940536
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1155797
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses ping.exe to check the status of other devices and networks
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788529 Sample: FJ9qlGQf2M.exe Startdate: 20/01/2023 Architecture: WINDOWS Score: 92 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected RedLine Stealer 2->73 13 FJ9qlGQf2M.exe 1 4 2->13         started        process3 file4 49 C:behaviorgraphPUCache\IGCCTray.exe, PE32 13->49 dropped 51 C:behaviorgraphPUCache\IGCCTray.exe:Zone.Identifier, ASCII 13->51 dropped 105 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->105 107 Query firmware table information (likely to detect VMs) 13->107 109 Self deletion via cmd or bat file 13->109 111 3 other signatures 13->111 17 IGCCTray.exe 1 13->17         started        20 cmd.exe 1 13->20         started        signatures5 process6 signatures7 61 Antivirus detection for dropped file 17->61 63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->63 65 Query firmware table information (likely to detect VMs) 17->65 69 3 other signatures 17->69 22 IGCCTray.exe 1 17->22         started        67 Uses ping.exe to check the status of other devices and networks 20->67 25 PING.EXE 1 20->25         started        28 conhost.exe 20->28         started        30 chcp.com 1 20->30         started        process8 dnsIp9 81 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->81 83 Query firmware table information (likely to detect VMs) 22->83 85 Hides threads from debuggers 22->85 32 IGCCTray.exe 1 22->32         started        53 127.0.0.1 unknown unknown 25->53 signatures10 process11 signatures12 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 32->55 57 Query firmware table information (likely to detect VMs) 32->57 59 Hides threads from debuggers 32->59 35 IGCCTray.exe 1 32->35         started        process13 signatures14 75 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 35->75 77 Query firmware table information (likely to detect VMs) 35->77 79 Hides threads from debuggers 35->79 38 IGCCTray.exe 1 35->38         started        process15 signatures16 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 38->87 89 Query firmware table information (likely to detect VMs) 38->89 91 Hides threads from debuggers 38->91 41 IGCCTray.exe 1 38->41         started        process17 signatures18 93 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 41->93 95 Query firmware table information (likely to detect VMs) 41->95 97 Hides threads from debuggers 41->97 44 IGCCTray.exe 1 41->44         started        process19 signatures20 99 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 44->99 101 Query firmware table information (likely to detect VMs) 44->101 103 Hides threads from debuggers 44->103 47 IGCCTray.exe 44->47         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3a521d5c3658738ad9392436a7bfa4b494b6881b09173b0408d8a21473f31a0/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 08:26:39 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ossdvodmwdtrlmtsjbwu672jneuw2ebwcixhmcarwfccrz7ggqa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
RaccoonStealer
37923fb04b4ee3103e82cb67c78febda94b8ce7c93ef35d90bb8ff371600342b
RaccoonStealer
56d901c98e235d2c02936b0553839e7fec6bec501097f87996a47da1f0ae501c
RaccoonStealer
ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1
RaccoonStealer
d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c
RaccoonStealer
fd3f9ee2a7b4e35be97140818562dc4470f90705cbd959e87c07ed983692e33d
RaccoonStealer
+ 228 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230120-yl1tdahf86/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
e3a521d5c3658738ad9392436a7bfa4b494b6881b09173b0408d8a21473f31a0
MD5 hash:
1b79fd18ad017aa7b390c80ce912ee09
SHA1 hash:
017b9a4738fee94a998dc6c802ac8ba4af26ce6b
Link:
https://www.unpac.me/results/ad6e4156-9875-41cf-9510-b063b7c0054f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e3a521d5c3658738ad9392436a7bfa4b494b6881b09173b0408d8a21473f31a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe e3a521d5c3658738ad9392436a7bfa4b494b6881b09173b0408d8a21473f31a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2512362/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/355131/

Comments