MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4
SHA3-384 hash: ecde549614ea3382caae5611fbf7157385c3dd2142601c808fdd35dd0ee8572ad9001ac81a904e8364459c2b4daed125
SHA1 hash: 522783d0897555e724d7b04073ce9d04b171be09
MD5 hash: ab8fa91945810d20ad825e5a65f6f0fe
humanhash: thirteen-three-fanta-charlie
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:294'224 bytes
First seen:2023-11-14 08:45:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c7d0efed001e965dd9c0307904ea44a (6 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 3072:uKv9R0UoknF0m8eW/lNUq/x3nrlKgELrjuxOAg0FujQGS2vmqFKy3vtZ8xB3/j6S:uKIU/FKe4lNUq/Vr58AOUGHOqwiu50
TLSH T112547B0A75C18873E567103A95F7BAB6983D35218FB258EF97A48F7D0F202C1D638E16
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from http://doodlesz.app/Morning.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458454/
Detection(s):
Win.Malware.Botx-10004968-0
Create hunting rule

Win.Trojan.Fugrafa-10010052-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin overlay packed
Link:
https://www.filescan.io/uploads/655333cc8dc4c0f223093467/reports/127d51c9-1543-487d-935f-37d1b29429d9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2271ffaf-9e51-4098-9e56-7e1748248a55
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1342175
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1342175 Sample: file.exe Startdate: 14/11/2023 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic 2->30 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 4 other signatures 2->36 6 file.exe 1 2->6         started        process3 signatures4 38 Contains functionality to inject code into remote processes 6->38 40 Writes to foreign memory regions 6->40 42 Allocates memory in foreign processes 6->42 44 Injects a PE file into a foreign processes 6->44 9 AppLaunch.exe 33 6->9         started        14 AppLaunch.exe 6->14         started        16 conhost.exe 6->16         started        18 AppLaunch.exe 6->18         started        process5 dnsIp6 28 195.20.16.35, 49705, 80 EITADAT-ASFI Finland 9->28 20 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 9->20 dropped 22 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 9->22 dropped 24 C:\Users\user\AppData\LocalLow\mozglue.dll, PE32 9->24 dropped 26 4 other files (none is malicious) 9->26 dropped 46 Found many strings related to Crypto-Wallets (likely being stolen) 9->46 48 Tries to harvest and steal browser information (history, passwords, etc) 9->48 50 DLL side loading technique detected 9->50 52 Tries to steal Crypto Currency Wallets 9->52 54 Found evasive API chain (may stop execution after checking mutex) 14->54 56 Tries to delay execution (extensive OutputDebugStringW loop) 14->56 file7 signatures8
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4/
Threat name:
Win32.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2023-11-14 08:46:05 UTC
File Type:
PE (Exe)
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6fdtjucpgvp2sa6gjax4j43gfq5mdk4jfliu6lytllrvpupqjw2a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon stealer
Link:
https://tria.ge/reports/231114-kpavgaae22/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Raccoon
Raccoon Stealer payload
Unpacked files
SH256 hash:
e44690b5fdd8eb8995cd3ff90176a75dcdb251d2ddcfd373d2dc1095bd5b5feb
MD5 hash:
291aeb3b279f131de996f12dc72e94cc
SHA1 hash:
050a5038eb07c388915245743e7335ad1680d327
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/fc35f944-d6e2-4cbb-aed8-3f8a3072f4fd/
Parent samples :
f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4
8e6021918d108cbb2e19ab300a03e25b1e1e0c6e621754f5940e6db2ac195d0a
SH256 hash:
f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4
MD5 hash:
ab8fa91945810d20ad825e5a65f6f0fe
SHA1 hash:
522783d0897555e724d7b04073ce9d04b171be09
Link:
https://www.unpac.me/results/fc35f944-d6e2-4cbb-aed8-3f8a3072f4fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Raccoon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f14734d04f355fa903c6482fc4f3662c3ac1ab892ad14f2f135ae357d1f04db4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/458454/

Comments