MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70
SHA3-384 hash:	a857ccab52be075c41c1c928f866b4f427c8ba689274ec8bd322a8de67dceb282534de36a29d022ac2a7fe3feb9f7db0
SHA1 hash:	35966d13bbfbe4a85478343b35d1b4d5297fcbd1
MD5 hash:	3e2fd3c6aef426ee110e27a2a0ce1f8b
humanhash:	cup-oscar-happy-hot
File name:	payload.bin
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	109'568 bytes
First seen:	2023-02-06 04:23:55 UTC
Last seen:	2023-02-06 05:31:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	89766042e29aed5fce63c7340618b000 (6 x RecordBreaker, 3 x RaccoonStealer)
ssdeep	1536:Bpaiq0I2XvL/5kVvpyITHAOEH8pIZ+msXvsfJre8oJ1C7uj9m:BpaikE/5SppIZ+m2sfJrebJF
Threatray	607 similar samples on MalwareBazaar
TLSH	T108B35F51E8DBBC12D28100315ED2E7B3972CAE3E2CF4E84BA29D5AF07EA44157E6D5C1
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	x3ph1
Tags:	exe RaccoonStealer Racoon recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

payload.bin

Verdict:

No threats detected

Analysis date:

2023-02-06 04:25:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1594a381-fa21-4645-a7a6-4081133c14fa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360549/

Detection(s):

SecuriteInfo.com.Variant.Babar.137654.11344.25388.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending a custom TCP request

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/65550/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

babar raccoon

Link:

https://www.filescan.io/uploads/63e080e62d4f6d560e245715/reports/d1397361-afb6-4cfe-a96a-6cb7a7de630c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8df9038a-0019-4b7a-ad43-224364077748

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1166241

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70/

Threat name:

Win32.Trojan.Babar

Status:

Malicious

First seen:

2023-02-06 03:21:19 UTC

File Type:

PE (Exe)

AV detection:

12 of 39 (30.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6lg6ieap3o2yigypndq4lw52sevtqr4omruyyary5w3ciforvvya._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

1fad340125437cbce625e7500dc2cd03e2610c5f9e50beddeddbe83b195663bf

RaccoonStealer

3cf79fc23f11a3083159b0a8b5b0c04068ccb93715a1f82e360ea31608a300bf

RaccoonStealer

3e1fbbd273800929e5d4a0d80655a43b262da68eb415141c346b7feb97dc6316

RaccoonStealer

748aa5ee3f5e51911bfd0bbaf90c9ea41be3aa272749f205dfe7d2a972e874d7

RaccoonStealer

7b5b681c38c257089057651620a683516c25318391a417015769ec273d66dbbd

RaccoonStealer

97f0590c95058e7177e57e48c36da9302f5016b21da44efcfa644d016d87330b

RaccoonStealer

b73552d4bc598b11f72051952d02e23d7d71f20f6f62be436d96b62058c8df5a

RaccoonStealer

d677f86403915b15ab62b1278cc7e6a8f2a98de2ba6a84ee67e06c1ffd696bc1

RaccoonStealer

+ 597 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence spyware stealer

Link:

https://tria.ge/reports/230206-e1d4dafd8x/

Behaviour

GoLang User-Agent

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70

MD5 hash:

3e2fd3c6aef426ee110e27a2a0ce1f8b

SHA1 hash:

35966d13bbfbe4a85478343b35d1b4d5297fcbd1

Link:

https://www.unpac.me/results/69bea822-3401-4086-b51e-13c539a601e5/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f2cde4100fdb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/360549/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample