MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e41b64675f161f9a4c044cb7b4d97d3c023a24793c04d503949147e4368bac41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e41b64675f161f9a4c044cb7b4d97d3c023a24793c04d503949147e4368bac41
SHA3-384 hash: b558c503cad1faaaec432fb15ec8dd8808c377a605af0a12d96238d8fce17fab4961a5eb71436428a74390a7a33375c0
SHA1 hash: d755ec2f966882e822bb23c872ff5dfdcb8578f5
MD5 hash: e87911e6aacf962405c5a6b70cfb60cd
humanhash: december-november-minnesota-winner
File name:e41b64675f161f9a4c044cb7b4d97d3c023a24793c04d503949147e4368bac41
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'552'632 bytes
First seen:2022-02-11 07:49:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 753299917becf744b6f235bdd7247b63 (1 x RaccoonStealer)
ssdeep 24576:LG6evjfmUUcISeRcHBvvBAZ4KhakE5JWqtObS29EOm2eHiS0C0bjpE8udeelTU3a:LG7fPU9Seq9vKqK0kMEtS2eHiSR0bjpO
Threatray 5'711 similar samples on MalwareBazaar
TLSH T164752362B698D586DA514933EC95F6F28166BC7EEC900253B0EAFF1F3475432901CB2B
File icon (PE):PE icon
dhash icon 2c3464321292b060 (1 x RaccoonStealer)
Reporter JAMESWT_WT
Tags:exe Polaroid Candy WN PVL-6008-02 RaccoonStealer signed

Code Signing Certificate

Organisation:Polaroid Candy WN (PVL-6008-02)
Issuer:Polaroid Candy WN (PVL-6008-02)
Algorithm:sha1WithRSAEncryption
Valid from:2022-01-20T00:14:31Z
Valid to:2032-01-21T00:14:31Z
Serial number: 31582be87924a98b4d96694329d3c700
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0b92dae13284f9409550fa85aacd62d89333a7bd0c7336c2df63348eb874b84f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://licensefree.net/malwarebytes-crack/
Verdict:
Malicious activity
Analysis date:
2022-01-24 13:01:53 UTC
Tags:
trojan stealer raccoon
Link:
https://app.any.run/tasks/35685cf7-9c6b-48f2-a449-c58bbb3b5f71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/240860/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi overlay packed racealer
Link:
https://www.filescan.io/uploads/62061535289e2f3e4fc15f17/reports/a3a64620-b5e9-4421-a1ff-d4d8fc72192d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11cabe81-fe1d-4b23-8365-012ee6443cc1
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938315
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e41b64675f161f9a4c044cb7b4d97d3c023a24793c04d503949147e4368bac41/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 13:10:37 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qnwiz27cypzutaejs33jwl5hqbdujdzhqcnka4usfd6inulvraq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0ed974de469222788be4db09ddf1720ea96a39e959df8eda85e6dcccb73e4a59
RaccoonStealer
33c853d0f6d5467701301b6c4dfcf49da0e556b3ac2363b5619f673033627dca
RaccoonStealer
5dc7331a3854d359e2813683cfd477ba76e25ce24fea278cbd2d8a5fe37fdd97
RaccoonStealer
6d2a3832a1b693d9f5eed571212585443e6ee282429160973d67e17736c43629
RaccoonStealer
84a1953e1964885eee0c73a77decbd59896295464a6fb64903f9275c1af56665
RaccoonStealer
8f0ce948ee3b5f284eed19d5065de393931e6979eac0d177464d55e2e470c3e7
RaccoonStealer
94b6f442982377412659b219dffc88f6d171b044c66583cc025335de2f8e6aa4
RaccoonStealer
+ 5'701 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:76ceaa03948c29e09bdcb52ab6f8a8ea28a4ca08 stealer
Link:
https://tria.ge/reports/220211-jpctdsccg8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Raccoon
Unpacked files
SH256 hash:
9511e354870a6864bc42c8b4095f5c808c7983660c7e1a3aa946768c561e9e7f
MD5 hash:
efbee7fa8a3df24f7ffbaecaa8852580
SHA1 hash:
daf37c90270b2f2621393dcf0766e8b5459baf95
Link:
https://www.unpac.me/results/9c27f75c-cda2-464b-8c57-90a5537a22d0/
SH256 hash:
e41b64675f161f9a4c044cb7b4d97d3c023a24793c04d503949147e4368bac41
MD5 hash:
e87911e6aacf962405c5a6b70cfb60cd
SHA1 hash:
d755ec2f966882e822bb23c872ff5dfdcb8578f5
Link:
https://www.unpac.me/results/9c27f75c-cda2-464b-8c57-90a5537a22d0/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:downloader_macros
Create hunting rule
Author:ddvvmmzz
Description:downloader macros
Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:obfuscate_macros
Create hunting rule
Author:ddvvmmzz
Description:obfuscate macros

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/240860/

Comments