MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9
SHA3-384 hash: 91f2f5e5fa62cba53432e4db7540158deef463f1791d585fbc948a64c294c46d1995fb6fa8d072bc5c06395af2a92528
SHA1 hash: 0d45d3ea30740a2a6df523396cf143dd59ebeec7
MD5 hash: 8f7c7aadf506d8850c65d6fad2646438
humanhash: cat-low-iowa-ink
File name:8f7c7aadf506d8850c65d6fad2646438
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:5'315'072 bytes
First seen:2023-09-18 10:16:52 UTC
Last seen:2023-09-18 10:49:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash caf409edf21090c6acdae1ee93adcc04 (1 x RaccoonStealer, 1 x RecordBreaker)
ssdeep 98304:sbpLElLpmF74U66BS5vdypRR67nVUEFUCfbN1xi0zCB/Rr97XJ:sbpLEFpmKU66BYVyr4nV7+Crxi0Ur9T
TLSH T14F362203D625814EE2BA68F18CBF2FB45EE46D5B8A6442F57B80FE186CF5911740FB09
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 06208c868686303a (7 x LummaStealer, 2 x RaccoonStealer, 2 x RecordBreaker)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
347
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
8f7c7aadf506d8850c65d6fad2646438
Verdict:
Malicious activity
Analysis date:
2023-09-18 11:04:55 UTC
Tags:
stealer raccoon recordbreaker loader
Link:
https://app.any.run/tasks/7def030e-1aa2-4dde-8a48-ae86c2f82af4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/449322/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.31902.24991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Reading critical registry keys
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed packed replace themidawinlicense xpack
Link:
https://www.filescan.io/uploads/650823a41edabd99829c4a88/reports/cd31a965-aa93-4b37-87f7-96d361c69476/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3ae126a2-6fff-4d5a-b115-551a3e5668bc
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309926
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-17 03:25:42 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
22 of 38 (57.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ocflje4vi235ktel6zgus3wbkcofk6m5ailsjqvdd6jpdlae7eq._file
Verdict:
malicious
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon evasion stealer themida trojan
Link:
https://tria.ge/reports/230918-mbc4saba46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Raccoon Stealer payload
Unpacked files
SH256 hash:
fff0887c71f5a23fc2dec14c90ce9e5d5accf09edc6deccef2abfab6e7883c47
MD5 hash:
8f97ae73b99443e649fd2fc1d67c777f
SHA1 hash:
7364b1c7de5a893e5bbb371e863ee3dd80f9a8d3
Link:
https://www.unpac.me/results/ed49ded3-0149-4cbe-8638-4cdd10fa741c/
SH256 hash:
eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9
MD5 hash:
8f7c7aadf506d8850c65d6fad2646438
SHA1 hash:
0d45d3ea30740a2a6df523396cf143dd59ebeec7
Link:
https://www.unpac.me/results/ed49ded3-0149-4cbe-8638-4cdd10fa741c/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb8455a49caa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Raccoon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712299/
Cape
Cape
https://www.capesandbox.com/analysis/449322/

Comments


Avatar
zbet commented on 2023-09-18 10:16:53 UTC

url : hxxps://hndcakewalkers.com/update1.exe