MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a
SHA3-384 hash:	19d3d71eaed146f3a25e1002fb8d22d7bff81c9cc17eef5059af9332a2b387b8330aa18145996367787beb0f469b1450
SHA1 hash:	2165e895efeab787f091756a2c94e6146e9e439c
MD5 hash:	50d31d1729448eea5670ab537b81e378
humanhash:	king-east-potato-lake
File name:	50d31d1729448eea5670ab537b81e378.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	5'125'120 bytes
First seen:	2021-09-08 13:39:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b48b287269e92bb8351a5352bcb3c60b (1 x RaccoonStealer)
ssdeep	98304:49+euXgg8ll6W/xK4qfPE63360AiV9EsW2xTeI+a6:4AeuXZ8llv/sPfPE63360AiHEstxn+a6
Threatray	69 similar samples on MalwareBazaar
TLSH	T1B336233342662040F1FCCD3ED9377EA472FA026F464578359697A5C32A229E5E707A8F
Reporter	abuse_ch
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Cube_WW2.exe

Verdict:

Malicious activity

Analysis date:

2021-09-08 11:08:27 UTC

Tags:

loader autoit evasion trojan rat redline stealer raccoon

Link:

https://app.any.run/tasks/52a01106-e6c5-4ed4-a46d-cd63f9df776d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/186370/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

DNS request

Creating a file

Deleting a recently created file

Reading critical registry keys

Delayed reading of the file

Running batch commands

Launching a process

Sending a UDP request

Query of malicious DNS domain

Connection attempt to an infection source

Sending a TCP request to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/36b17e52-75b5-42f5-abd3-3c87f75e8f7b

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/847443

Signature

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Self deletion via cmd delete

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a/

Threat name:

Win32.Infostealer.Racealer

Status:

Malicious

First seen:

2021-09-08 13:40:19 UTC

AV detection:

10 of 27 (37.04%)

Threat level:

5/5

Verdict:

unknown

RaccoonStealer

196de41048232f60a7d93e73e7dd03bd524a79217c3408b98e69b855c7f83504

RaccoonStealer

1ba0f8177f56072e3e45ddcbb425c767bf7ffc6f096792240423f63ee5a962d2

RaccoonStealer

2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a

RaccoonStealer

3ce688f6b00b57a37f3ffa4c5410cc02ed5fa05eab37304d44e2d8399aa8b8e2

RaccoonStealer

7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1

RaccoonStealer

b0bc5a3dae0127da8f7743df8dc4014e9ba08c5a29928448aed8764242050da2

RaccoonStealer

bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342

RaccoonStealer

f1aae79787fff8edd5f6769ebecf43eb5a94d392cb3723810a66dd9868ec2925

RaccoonStealer

+ 59 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/210908-qylafshgbq/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

ea0d6d17433e0f212d031a03df5f81daac6641ea36ab7e9926363bdf9a26308a

MD5 hash:

04d88f15854f882e593759825f55cd40

SHA1 hash:

733685456934408b655982a362c766140bded1b7

Link:

https://www.unpac.me/results/a2f798d2-4401-4a7a-9376-e06e80008017/

SH256 hash:

f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a

MD5 hash:

50d31d1729448eea5670ab537b81e378

SHA1 hash:

2165e895efeab787f091756a2c94e6146e9e439c

Link:

https://www.unpac.me/results/a2f798d2-4401-4a7a-9376-e06e80008017/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.