MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0aaf7ed92def94883ce317c950802e8779a7807b807d3efcc922116e8cad652. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

SHA256 hash: f0aaf7ed92def94883ce317c950802e8779a7807b807d3efcc922116e8cad652
SHA3-384 hash: 393019be9826b244450f4d9c00a5b40d4b0bee4da649a10a8c34024cb4eaa01dde0afa2c22fabcef9bf83f80a8e0c038
SHA1 hash: fe8299e94a166b93a3c0afb1ee5edc3b71b37613
MD5 hash: 64c3bcaf983cc5694b40230a07a66349
humanhash: rugby-lemon-bakerloo-south
File name: SecuriteInfo.com.Unwanted-Program.004d2a1d1.20619.24001
Signature RaccoonStealer
File size: 1'435'856 bytes
First seen: 2022-12-05 23:33:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c69529633147fae61949183715b7d49d (1 x LgoogLoader, 1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 24576:7BIpA296jBEhN75Pe3Jh6a5UHlKjCONg1/Hu9Zoyf8rlzl9zVqShoX:eqrjWRw5EkJA/HkoK8pR9RFhoX
Threatray 1'175 similar samples on MalwareBazaar
TLSH T185652202B3E0C423DDA617B064FA17A451B5FA36B79242AB278263FDBEB13C455B4347
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 58fcfcdcfcecccdc (1 x RaccoonStealer)
Reporter SecuriteInfoCom
Tags: exe RaccoonStealer signed
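The imphash above is shared with one LgoogLoader and one RedLineStealer sample. That is not a mislabel: imphash is an MD5 over the import table alone, so binaries wrapped by the same crypter stub hash identically whatever payload they carry, and the value identifies the stub rather than the family. The block below is an added example, not code from MalwareBazaar or from pefile; it reproduces pefile's imphash normalisation over an already-parsed import list and runs it on a constructed crypter-stub import table (not this sample's). One assumption: pefile also maps well-known ordinals of oleaut32/ws2_32/wsock32 to names through a lookup table, whereas this example renders every nameless import as ordN.

```python
"""Import hash (imphash) computed the way pefile does it, over an
already-parsed import table.

Added example, not code from MalwareBazaar or pefile. The import list at
the bottom is constructed to look like a small crypter stub; it is not
this sample's import table. Assumption: pefile additionally maps
well-known ordinals of oleaut32/ws2_32/wsock32 to function names via a
lookup table; this example renders every nameless import as 'ordN'.
"""
import hashlib

# pefile strips these extensions from the library name before hashing.
STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}


def normalise_library(dll_name: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys suffix."""
    name = dll_name.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in STRIPPED_EXTENSIONS else name


def imphash(imports) -> str:
    """imports: iterable of (dll_name, function_name_or_None, ordinal_or_None)
    in on-disk import-table order. The digest is MD5 over the comma-joined
    'lib.func' strings, so order is significant and nothing but the import
    table contributes; a crypter stub therefore hashes the same regardless
    of the payload it wraps."""
    parts = []
    for dll, func, ordinal in imports:
        if func is None:
            if ordinal is None:
                raise ValueError("import has neither a name nor an ordinal")
            func = f"ord{ordinal}"  # simplification: no ordinal-to-name table
        parts.append(f"{normalise_library(dll)}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed crypter-stub import table: a generic loader set, with one
# by-ordinal import so the ordN path is exercised.
STUB_IMPORTS = [
    ("KERNEL32.dll", "VirtualAlloc", None),
    ("KERNEL32.dll", "VirtualProtect", None),
    ("KERNEL32.dll", "LoadLibraryA", None),
    ("KERNEL32.dll", "GetProcAddress", None),
    ("USER32.dll", "MessageBoxA", None),
    ("COMCTL32.dll", None, 17),
]


def stub_hash_is_case_insensitive() -> bool:
    """Differently-cased names and a '.DLL' suffix give the same imphash."""
    variant = [(d.upper(), f.upper() if f else None, o) for d, f, o in STUB_IMPORTS]
    return imphash(STUB_IMPORTS) == imphash(variant)


def reordered_hash_differs() -> bool:
    """Same APIs in a different order: different imphash."""
    return imphash(STUB_IMPORTS) != imphash(list(reversed(STUB_IMPORTS)))


if __name__ == "__main__":
    print(imphash(STUB_IMPORTS))
```

Against a real file the same value comes from pefile's PE.get_imphash(); the point of the hand-rolled version is to make visible why an imphash pivot on this sample lands on a crypter stub shared by three families rather than on Raccoon itself.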

Code Signing Certificate

Organisation: www.startech.com
Issuer: DigiCert SHA2 Extended Validation Server CA
Algorithm: sha256WithRSAEncryption
Valid from: 2022-08-06T00:00:00Z
Valid to: 2023-08-18T23:59:59Z
Serial number: 05c171e14a1330e1892ba2a1d097b3e3
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 6180ab897bf336742cf99048c828ad81eef950b94a9bdfb043802ca2d8f64989
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note: the issuer is DigiCert's EV TLS server CA, not a code-signing CA. A leaf certificate chaining to it carries the server-authentication EKU and no code-signing EKU, so Windows Authenticode validation does not accept it for code signing (the usual result is "certificate is not valid for the requested usage") even though the file carries a signature block. Read the "signed" tag as "a signature is present", not as evidence of legitimacy: verify the chain and EKU rather than signature presence, and use the serial number and thumbprint above as hunting pivots, since ReversingLabs has seen the same certificate on 11 MalwareBazaar samples.

Intelligence


File Origin
# of uploads: 1
# of downloads: 228
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Unwanted-Program.004d2a1d1.20619.24001
Verdict: Malicious activity
Analysis date: 2022-12-05 23:39:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Searching for the window
DNS request
Sending a custom TCP request
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Mustang Panda
Verdict: Malicious
Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: troj.spyw.evad
Score: 90 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph ID 761238. Sample: SecuriteInfo.com.Unwanted-P... Start date: 06/12/2022. Architecture: WINDOWS. Score: 90.

Top-level network: s3-w.us-east-1.amazonaws.com; s3-1-w.amazonaws.com; 3 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; 4 other signatures

Process tree:

SecuriteInfo.com.Unwanted-Program.004d2a1d1.20619.24001.exe
    dropped: focicip kix hinamo...t beye niw dano.exe (PE32); focicip kix hinamo...exe:Zone.Identifier (ASCII)
    signatures: Self deletion via cmd or bat file; Uses schtasks.exe or at.exe to add and modify task schedules
    +-- focicip kix hinamog kafaye jobexey vidogaq fequaweg canalot beye niw dano.exe
    |       network: bitbucket.org 104.192.141.1:443 (local ports 49865, 49866), AMAZON-02US, United States; s3-w.us-east-1.amazonaws.com 52.216.34.1:443 (local ports 49867, 49868), AMAZON-02US, United States
    |       signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    |       +-- ngentask.exe
    |       |       network: 185.225.19.29:80 (local port 49864), MIVOCLOUDMD, Romania
    |       |       dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\LocalLow\nss3.dll (PE32); C:\Users\user\AppData\LocalLow\mozglue.dll (PE32); 4 other files (none is malicious)
    |       |       signatures: Tries to harvest and steal browser information (history, passwords, etc); DLL side loading technique detected; Tries to steal Crypto Currency Wallets
    |       +-- ngentask.exe
    |       +-- ngentask.exe
    |       +-- ngentask.exe
    +-- cmd.exe
    |       signatures: Uses ping.exe to check the status of other devices and networks
    |       +-- PING.EXE (network: 127.0.0.1)
    |       +-- conhost.exe
    |       +-- chcp.com
    +-- schtasks.exe
            +-- conhost.exe

focicip kix hinamog kafaye jobexey vidogaq fequaweg canalot beye niw dano.exe (second instance, started at top level)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    +-- ngentask.exe
    +-- ngentask.exe
    +-- ngentask.exe
    +-- 3 other processes
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2022-12-05 23:34:13 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 14 of 26 (53.85%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs ping.exe
Enumerates physical storage devices
Program crash
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 9c1c4c4d0e3e1e037660962916083a4ee17f2281bc98c131d08aa6da50697721
MD5 hash: d2b0cee1b55aa35d208d428d6e6914f2
SHA1 hash: 1750d95a91dc501ff2c51494bc39c87142feaa09
SHA256 hash: f0aaf7ed92def94883ce317c950802e8779a7807b807d3efcc922116e8cad652
MD5 hash: 64c3bcaf983cc5694b40230a07a66349
SHA1 hash: fe8299e94a166b93a3c0afb1ee5edc3b71b37613
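The sandbox process tree and the behaviour lists above (dropped executable registered with schtasks, cmd.exe with ping and chcp used to delete the original file, nss3.dll/mozglue.dll/sqlite3.dll written to AppData\LocalLow and loaded by an injected ngentask.exe) map directly onto host telemetry. What follows is an added example, not part of the MalwareBazaar page and not any vendor's detection content: three detectors run over constructed Sysmon-style events that mirror that tree. The Event layout, command lines, parent images and paths are assumptions; only the process and DLL names come from the report.

```python
"""Host-based detectors for the behaviours in the sandbox process tree.

Added example: not MalwareBazaar or vendor code. Events are a minimal
Sysmon-style model (EventID 1 = process creation, 7 = image load); the
sample events at the bottom are constructed, and their command lines,
parent images and paths are assumptions that only echo the process and
DLL names in the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int           # 1 = process creation, 7 = image load
    image: str              # full path of the process
    parent_image: str = ""
    command_line: str = ""
    image_loaded: str = ""  # EventID 7 only


# DLLs Raccoon fetches to read Firefox/Chromium credential stores.
CREDENTIAL_STORE_DLLS = {"nss3.dll", "mozglue.dll", "sqlite3.dll"}
# Processes that legitimately load those DLLs from their own install dir.
BROWSERS = {"firefox.exe", "thunderbird.exe", "chrome.exe", "msedge.exe"}
# User-writable locations a persistence target or support DLL should not live in.
USER_WRITABLE = re.compile(
    r"\\appdata\\(locallow|local|roaming)\\|\\users\\[^\\]+\\downloads\\|\\temp\\",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_self_delete(ev: Event) -> bool:
    """cmd.exe using ping as a delay and then deleting an executable:
    the 'Self deletion via cmd or bat file' / 'Uses ping.exe' pair."""
    if ev.event_id != 1 or basename(ev.image) != "cmd.exe":
        return False
    cl = ev.command_line.lower()
    return "ping" in cl and re.search(r"\bdel\b[^&|]*\.exe", cl) is not None


def detect_schtasks_user_path(ev: Event) -> bool:
    """schtasks /create whose action points into a user-writable directory."""
    if ev.event_id != 1 or basename(ev.image) != "schtasks.exe":
        return False
    cl = ev.command_line.lower()
    return "/create" in cl and USER_WRITABLE.search(cl) is not None


def detect_credential_dll_load(ev: Event) -> bool:
    """nss3/mozglue/sqlite3 loaded from a user-writable path by a process
    that is not a browser: the browser-harvest stage flagged as side loading."""
    if ev.event_id != 7 or basename(ev.image_loaded) not in CREDENTIAL_STORE_DLLS:
        return False
    return (basename(ev.image) not in BROWSERS
            and USER_WRITABLE.search(ev.image_loaded) is not None)


DETECTORS = {
    "self_delete_via_cmd_ping": detect_self_delete,
    "schtasks_create_user_writable_path": detect_schtasks_user_path,
    "credential_store_dll_loaded_by_non_browser": detect_credential_dll_load,
}


def run_detectors(events):
    """Return (event index, detector name) for every event that fires a rule."""
    return [(i, name) for i, ev in enumerate(events)
            for name, fn in DETECTORS.items() if fn(ev)]


# Constructed events mirroring the report's tree; command lines and paths are assumed.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Unwanted-Program.004d2a1d1.20619.24001.exe"
DROPPED = (r"C:\Users\user\AppData\Local\Temp\focicip kix hinamog kafaye jobexey "
           r"vidogaq fequaweg canalot beye niw dano.exe")
SAMPLE_EVENTS = [
    Event(1, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    Event(1, r"C:\Windows\System32\schtasks.exe", SAMPLE,
          f'schtasks.exe /create /tn updater /tr "{DROPPED}" /sc minute /mo 1'),
    Event(1, r"C:\Windows\System32\cmd.exe", SAMPLE,
          f'cmd.exe /c chcp 65001 & ping 127.0.0.1 & del /f "{SAMPLE}"'),
    Event(1, r"C:\Windows\System32\PING.EXE", r"C:\Windows\System32\cmd.exe", "ping 127.0.0.1"),
    Event(7, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
          image_loaded=r"C:\Users\user\AppData\LocalLow\nss3.dll"),
    Event(7, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          image_loaded=r"C:\Program Files\Mozilla Firefox\nss3.dll"),    # benign
    Event(7, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
          image_loaded=r"C:\Windows\System32\kernel32.dll"),            # benign
]

if __name__ == "__main__":
    for idx, rule in run_detectors(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The third detector is the one worth keeping even when the other two are noisy: a browser's own nss3.dll loading from its install directory is normal, the same DLL loaded from AppData\LocalLow by a .NET framework utility such as ngentask.exe is not, and the path plus non-browser parent is what separates the two.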

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RaccoonStealer: Executable exe f0aaf7ed92def94883ce317c950802e8779a7807b807d3efcc922116e8cad652 (this sample)

Delivery method: Distributed via web download

Comments