MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6
SHA3-384 hash: 178312a6c762f30138fc97c08a2c48edbf4442c29344ba62c220e8474496d35494bccba1b237762666aa679a4111f3d2
SHA1 hash: cddc4f2499ffb79666db8b8c38d9f2c74b9ab219
MD5 hash: f7d51f78838308cdcd53b9c4f4af65e1
humanhash: lima-mars-blossom-pizza
File name:f7d51f78838308cdcd53b9c4f4af65e1.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'090'774 bytes
First seen:2021-01-22 07:23:43 UTC
Last seen:2021-01-22 09:15:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:o53uhFTnIdI5i415W1SzNraelGZtx+1iiMCgfkAyN5U0:o5+hFEdM15W1QNdcHSO3yNy0
Threatray 343 similar samples on MalwareBazaar
TLSH D2351284BB9950FED2E7723004313BA92AF6FF250B5643CBA71471262D775E2863C6C6
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fw3.exe
Verdict:
Malicious activity
Analysis date:
2020-12-25 12:07:54 UTC
Tags:
trojan stealer raccoon
Link:
https://app.any.run/tasks/52a7e412-756a-4229-96f9-707413642bd1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113462/
Detection(s):
PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.File.Generic-7135455-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Sending a UDP request
Creating a file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/588057
Signature
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-12-25 16:41:19 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
RaccoonStealer
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
RaccoonStealer
3763ca24308739b3916d8c6c76081b7a878aea11d78550b5a7096b93f80e9d60
RaccoonStealer
70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc
RaccoonStealer
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb
RaccoonStealer
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
RaccoonStealer
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d
RaccoonStealer
bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184
RaccoonStealer
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
RaccoonStealer
d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6
RaccoonStealer
+ 333 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon ransomware stealer
Link:
https://tria.ge/reports/210122-kcf4v5jnqs/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Program crash
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/c8c8961d-43bc-4c7d-8274-f06ff49ba751/
SH256 hash:
c653b2b32f59e17c585fc217205ecb854fd5823e4c9cb1b5d25db1b7be4d5d76
MD5 hash:
c3eedf2981fd599ab9eaf1cf8bee6a8a
SHA1 hash:
bf8fa0e3685ab8c62acaf01e5b7e6ff33cda6501
Detections:
win_raccoon_a0
Create hunting rule
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/c8c8961d-43bc-4c7d-8274-f06ff49ba751/
SH256 hash:
46d3802acb6c708fcba3fa7b0432b362a06220c078e4a16c89b248022d753e72
MD5 hash:
2706c4174f7f3794cf3428823e8e452b
SHA1 hash:
9f135a396459c2ef6b501fd6a0ad66d683da7e24
Link:
https://www.unpac.me/results/c8c8961d-43bc-4c7d-8274-f06ff49ba751/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/c8c8961d-43bc-4c7d-8274-f06ff49ba751/
SH256 hash:
409773a9fcd702bcc1d6c9e72241a139e11551bffcbc0d91440af746ae91455d
MD5 hash:
00bcf34fbeed4df2261fdb4bb771d34f
SHA1 hash:
14f09f262150b634d5ed54f8663301d2ffed0723
Link:
https://www.unpac.me/results/c8c8961d-43bc-4c7d-8274-f06ff49ba751/
SH256 hash:
f9286ca4de785ab6fe19a7e7c8cd56efcb12902c09c26080ae95ee301000c1df
MD5 hash:
0421daabd23a1b3a54b828c7df64887a
SHA1 hash:
b3667c4ab540055c9832a48fd7995b78b72a4e78
Link:
https://www.unpac.me/results/c8c8961d-43bc-4c7d-8274-f06ff49ba751/
SH256 hash:
f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6
MD5 hash:
f7d51f78838308cdcd53b9c4f4af65e1
SHA1 hash:
cddc4f2499ffb79666db8b8c38d9f2c74b9ab219
Link:
https://www.unpac.me/results/c8c8961d-43bc-4c7d-8274-f06ff49ba751/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_a0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe f5758fdd9563e9b445b84a1644d9c37b3ff16903b67e7e05872c068ddd6be0c6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/934843/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113462/

Comments