MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb347f1dbbd110cf5a15d429a59efd312a7a70e686dbcde9ddc433f536e02fe1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb347f1dbbd110cf5a15d429a59efd312a7a70e686dbcde9ddc433f536e02fe1
SHA3-384 hash: 7ac410c4e57d690994e7967a4e6c2cf83a46399c925907cd924b08eaddaf179be5e84ee3a47ee8fc68c593d65d4218de
SHA1 hash: 92246c4d42d86a49d96a1e583f1869ed211519f7
MD5 hash: e5d85e0a5d207455389c6a3766d48df1
humanhash: blue-finch-salami-sink
File name:fb347f1dbbd110cf5a15d429a59efd312a7a70e686dbcde9ddc433f536e02fe1
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'861'960 bytes
First seen:2022-02-11 07:49:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 68d90b0c6df86b2df365a4d43986b4fb (1 x RaccoonStealer)
ssdeep 49152:5CwDrAK2WqfCXaS01ZtLooL5cgx5/U+Hdtg/kKgo2Mk88CeLN:5C8AJ9fyaZtLv1c6jd6EMk88x
Threatray 9'204 similar samples on MalwareBazaar
TLSH T1258523DEB8A0F127CCC47D38EA9699E5E5A77B1A1760B8877528335B13321DE9C07740
File icon (PE):PE icon
dhash icon caca8aaab2b2a2e0 (1 x RaccoonStealer)
Reporter JAMESWT_WT
Tags:exe PDP Gaming LVL40 Wired Stereo Gaming RaccoonStealer signed

Code Signing Certificate

Organisation:PDP Gaming LVL40 Wired Stereo Gaming
Issuer:PDP Gaming LVL40 Wired Stereo Gaming
Algorithm:sha1WithRSAEncryption
Valid from:2021-12-25T21:35:24Z
Valid to:2031-12-26T21:35:24Z
Serial number: 47b3fb5bd474f69f4e84f5addbb94b93
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 066562ab76fe19c117daa8c234198a4a5d2e0d669048b9e80b3a5beea1dbf6a1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/240861/
Detection(s):
Win.Malware.Generic-9918574-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6206153754047500bb3f5298/reports/5a04e8d7-4631-4ba8-8a32-ffa62e58e992/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3aa226ca-3e7b-4d5b-8dff-9d612fec643e
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938314
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb347f1dbbd110cf5a15d429a59efd312a7a70e686dbcde9ddc433f536e02fe1/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-12-27 15:42:10 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
059afad6c9d4183c5b32b89465732dc6ea7bf7192c0ed7e9f1dabfe65a17da2e
RaccoonStealer
79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6
RaccoonStealer
9684510f52cb986f32e2c3c9f9590b8dafb9786ca42d35586d353a7733b77fba
RaccoonStealer
cb2aff101fb0bdb70d2a113910feee36d63fb65fd9bcee5016b2338d318df67e
RaccoonStealer
cd6e802e4d9d8fc24642cb0c5e441fbc2025215c0d99252ff01c40350642937b
RaccoonStealer
cf2520dcf0df45be39612ab801dd1bb9923c83b21fc781be782e89e3a48e27a5
RaccoonStealer
e022f21e50f96a61c49f398c2f8e9e34be36be5d2bdddaa391fec53d992091b5
RaccoonStealer
e271f1c40db30b3cf52dfa09617a34632db3edac155c03dfbfcb9c2f05c1c1cd
RaccoonStealer
e371f0c9caa5fcc9a9698f9de2a40d815e22db19b37454781450633249b84dc4
RaccoonStealer
+ 9'194 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:308a984fe6a7849b770c5be9239335fb556c6e1b evasion stealer trojan
Link:
https://tria.ge/reports/220211-jpctdsccg9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Unpacked files
SH256 hash:
0a85f95bb93117d7cd0ac02385a58e4e9f4270609541b37ff37be832b7d4810b
MD5 hash:
21e0532c4e7ca6990e46941c544655d0
SHA1 hash:
26762f697c1b10fe14f4283e2254f5475a738c43
Link:
https://www.unpac.me/results/f41b0dfc-4f58-4ba3-a434-9747e4530202/
SH256 hash:
fb347f1dbbd110cf5a15d429a59efd312a7a70e686dbcde9ddc433f536e02fe1
MD5 hash:
e5d85e0a5d207455389c6a3766d48df1
SHA1 hash:
92246c4d42d86a49d96a1e583f1869ed211519f7
Link:
https://www.unpac.me/results/f41b0dfc-4f58-4ba3-a434-9747e4530202/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:downloader_macros
Create hunting rule
Author:ddvvmmzz
Description:downloader macros
Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:obfuscate_macros
Create hunting rule
Author:ddvvmmzz
Description:obfuscate macros

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/240861/

Comments