MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf
SHA3-384 hash: 92183934c8d23f29a1cc4431dae475317782ad61ebd2d347819aae84ff388a6de0ef681b1b6633b59822bf2104e68966
SHA1 hash: 6e6f76ee79e649106a4d5bef79742f5418a43502
MD5 hash: e6cf53ed54800ab07af736446dd66565
humanhash: xray-paris-solar-coffee
File name:e6cf53ed54800ab07af736446dd66565
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:232'960 bytes
First seen:2023-10-02 20:11:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8fec1822a77f67d0edd5b706c96f40bc (6 x Smoke Loader, 3 x Stealc, 3 x Glupteba)
ssdeep 3072:nZZr8yUJfe0BXi+UTz7xbUMfQylcCGfEFmGpy2QGNOSqOaZ5u1F25/Q+:Z7Oe0BCT5YMfQy2CGskGEmASqOT25
Threatray 45 similar samples on MalwareBazaar
TLSH T12A34D02275B0C032D5E742B65434DBA0EEBFB8632BB4C57F27140AAE6E202D19776753
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0202020510101000 (1 x RaccoonStealer)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
9f5e9c7125371340b125a859ed102f07.exe
Verdict:
Malicious activity
Analysis date:
2023-10-02 19:47:31 UTC
Tags:
gcleaner loader stealer raccoon recordbreaker
Link:
https://app.any.run/tasks/d6cbb028-7f49-4aec-83f2-be855f6ba4ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/651b24169b16696e9f8d238c/reports/2d401694-6cef-4c6e-b889-ec174afe1fab/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9348be6c-371a-4e85-b807-1b1904f6ee8b
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318269
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 20:12:08 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
20 of 23 (86.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ywtvqzvuo77a2mnbadw3v73a3eam4diph6pm274c6rf5n3hh7pq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1406293eef687c73d84fff0be7d1a47bc973b79fb4b208dc4a31f311684e2bf8
RaccoonStealer
39c1944344d6709fd7caa9539c0f02577c260ef9cd67ae3ec6551c81d97eb2a0
RaccoonStealer
595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d
RaccoonStealer
981923aeeddd4c6f2b68c6b1c0e80f6b4ca6495e200562f371215e37cb7885ac
RaccoonStealer
abcbbdb2a2eb219a82c3f446f74ac6ef93a3deb11e4c277dee8c106792d7b783
RaccoonStealer
b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f
RaccoonStealer
e5e5abe00e82ad616e13abd1768769dc8d31b4e1a5b79955219cea34c395e9df
RaccoonStealer
fe83636233da5eeb406ddcd43a4beb5ed9629797073fba5415c2b4450aad0647
RaccoonStealer
+ 35 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9c05379df6f1d02ae49f9ee18aad8c17 stealer
Link:
https://tria.ge/reports/231002-yytwlaee5s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Program crash
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction:
http://5.78.80.43:8388/
Unpacked files
SH256 hash:
f78f031d50c388e06bafe028fa1ac9416507f3d7e804b3a67cd02300db2df532
MD5 hash:
4ccc583c6a5cc1dde3917d7c3e2c63b3
SHA1 hash:
7e7eb58434261122af33fcdb084de96bf27fe205
Link:
https://www.unpac.me/results/a426ad88-32fc-4534-85d3-b6d4b86b6e32/
SH256 hash:
f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf
MD5 hash:
e6cf53ed54800ab07af736446dd66565
SHA1 hash:
6e6f76ee79e649106a4d5bef79742f5418a43502
Link:
https://www.unpac.me/results/a426ad88-32fc-4534-85d3-b6d4b86b6e32/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f62d3ac335a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2715904/

Comments


Avatar
zbet commented on 2023-10-02 20:11:21 UTC

url : hxxp://128.140.101.188/hipe.exe