MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11
SHA3-384 hash: 9c80c9c9b0d21dc221e6991d6d66bd31780b125d531409a6081c7dea0b57a9ed6c4e022a3861745cc79f43e83ecfc55b
SHA1 hash: ab7d122cc736edccd1610fb85d9b1dfb5dcfcb43
MD5 hash: ad47883736d92213536db64880d21e58
humanhash: ink-six-hotel-ink
File name:smoke2.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:525'312 bytes
First seen:2022-03-27 05:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81e0f16a51609ebf094e59cd813ed787 (2 x RaccoonStealer)
ssdeep 12288:f+9KFURIZbfKZXwNkbQkduJqKKFeKTjMAfZsiP:GmjZb4LQUuQ7Fn1RhP
Threatray 6'512 similar samples on MalwareBazaar
TLSH T1F2B4E010B7E0D035E5B712F4497A8369B92E7AA16B2490CF33C867EE56746D0EC3235B
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
smoke2.exe
Verdict:
Suspicious activity
Analysis date:
2022-03-27 05:22:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/31524b5f-cbb0-46af-afbd-5f900d065451

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258123/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11571/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed smokeloader
Link:
https://www.filescan.io/uploads/623ff5469253b276b7805c11/reports/b18433df-d2d0-4cdf-b91d-1fd27e0422ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37f48a13-776e-4581-ba08-29a9d025f05a
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965210
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 03:02:08 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
35 of 42 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7sqhlxtqbgake4dr62k4pqa6mr3cjql65j5thn7blsblosu3yiq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
14eb78c6d9f873f43e453ca56c4d9d1ffbb03ee79fddb87cadeef59626299b6a
RaccoonStealer
2631bb84e6e34dd72aca532864d09e51d161c687ae3f5e495c16a2fded1213aa
RaccoonStealer
329cb82245c769af6159fde26e4bdb1831a0c0a7d16b9be24501fbe973563463
RaccoonStealer
6c58e340f883a4f80f9fb47658671fecfd6bb2db2766326e6e360f8e495896c1
RaccoonStealer
bab33596106fd683cb7190eedfb32a219fffc5691bed72c151893b3270f06c09
RaccoonStealer
bdb06abce0a193e24ecb55cbda52963d6fbeb5b4c9efb8b45d588aef2ba7b943
RaccoonStealer
c9894dc1091f69ddf411b90853eaf2a4447e20b5a3f7dae5a6997c5c03b470fc
RaccoonStealer
+ 6'502 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:4b8853263bfbfde368561fd97dd96c93b6b91e4f stealer
Link:
https://tria.ge/reports/220327-f4g5wadff7/
Behaviour
Raccoon
Unpacked files
SH256 hash:
a35a7bc0683a747b96e34d35346f6357dfcec7fa883a7f3d9c1270a44119400a
MD5 hash:
6f82e26086f750bd745a35601efa6451
SHA1 hash:
404efb41831c48d76bc92e8763a51e4055f4b9ae
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/551c32f7-2425-4e86-9cdd-ae0635c91bdc/
Parent samples :
3c072e8447a090783007f41a0293c619b455742d4d1b35011eb112a1b8cc2e12
2631bb84e6e34dd72aca532864d09e51d161c687ae3f5e495c16a2fded1213aa
e14e3ba37274e5efe932d789e8e24e20c7c21ad852978df80bb9392f5acf238e
0a7dcaf9e64345aeb5abd12728983253beacd114e4dbe2b3f5addfb7f198d854
cdc3c8092da2ff6ac49b6097aea6afb00439eb1638150042f78b561b6fa2d512
dbe977eb38b4307dcadcc923553535f94f762b91dd28eb11d27cdd6b8f9eab4f
84862dd214cf92e7ba589fda632e1a7d1748341da19ed2d4cc56029f8a1bb6ce
65fa28bc56a1b8132aede30afcb70685f90cfccd32f899ffda736b1b4f46144c
c9894dc1091f69ddf411b90853eaf2a4447e20b5a3f7dae5a6997c5c03b470fc
772b0096bf5c9bb9c71a7ea2ba9a631a80b115134f1d480c08af549fb6f90d87
bd0f4b38b5f2edfdaf836e9d4642488de3fe04f3e855826408cbc31f1bda138a
bab33596106fd683cb7190eedfb32a219fffc5691bed72c151893b3270f06c09
dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec
3816d18b6f051f046a039ee937185509c8c3326f2842ba04de9d81e4e6ca7de5
bdff4c55eb7dd5a7d125a3629189c26ad2a3f1145a1801c4ba871e144a520895
f09393a0c14c0c4560743e75e59a025aff474c1f27eddd08f19d0ecea80b0988
8406f862c281a32094311d40f1cc275666ea3c368b9607db4ebb91b9cf9b5d3b
6c58e340f883a4f80f9fb47658671fecfd6bb2db2766326e6e360f8e495896c1
329cb82245c769af6159fde26e4bdb1831a0c0a7d16b9be24501fbe973563463
bdb06abce0a193e24ecb55cbda52963d6fbeb5b4c9efb8b45d588aef2ba7b943
d381f45d013f6b50a2be84d5d21f4743bf4271b789e3e81d5cf3b6fd3071ea20
353057209b0d75d63612db91a802368735d5954667946584e1ad0f6f84a892d2
17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11
90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b
SH256 hash:
17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11
MD5 hash:
ad47883736d92213536db64880d21e58
SHA1 hash:
ab7d122cc736edccd1610fb85d9b1dfb5dcfcb43
Link:
https://www.unpac.me/results/551c32f7-2425-4e86-9cdd-ae0635c91bdc/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/17e503aef380/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2110505/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/258123/

Comments