MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6
SHA3-384 hash: 8467645afe7552ea49dfea58e6865710050359d65afc85383b3c4b1ddf5c8c526e13ff42c10f64ea61a5bae970a62313
SHA1 hash: 3886e5aef519a9a8526dcfd2487393c4f32cc077
MD5 hash: b01eb876b50bb103ecd0131707672fdc
humanhash: purple-queen-island-venus
File name:SecuriteInfo.com.Trojan.PWS.Stealer.31726.5500.5044
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:556'544 bytes
First seen:2021-12-06 03:13:44 UTC
Last seen:2021-12-06 04:31:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b81e8f7d77881f7dbd36488c7ba26dc (17 x RedLineStealer, 5 x RaccoonStealer, 2 x CryptBot)
ssdeep 6144:L0ilB0piZGzYDI6vv13qdu+NwqnsmmWNNbRihtUgM89vcu6zhFzAyE4Npjs7C33i:L0YZZG01CtBnsmmWCI890xJrE4Dn
Threatray 4'416 similar samples on MalwareBazaar
TLSH T152C4F11232D0C072D0A621B58525C7B55A7EB87507369BCF7BC506BD1F287E1AF3A32A
File icon (PE):PE icon
dhash icon d2b1e4d4ecb987f9 (38 x RedLineStealer, 18 x RaccoonStealer, 15 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.Stealer.31726.5500.5044
Verdict:
Malicious activity
Analysis date:
2021-12-06 03:17:09 UTC
Tags:
stealer trojan raccoon
Link:
https://app.any.run/tasks/9170c3a8-aeee-46a5-a950-1f6eb62581a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211580/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31726.5500.5044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/994/overview
Behaviour
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61ad8007fa72c81b5b0db000/reports/3bd91ea7-4050-4128-ac84-98e87177de8b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d00b2a5-29be-4af5-9a12-62e00fa44811
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/901913
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious PowerShell Invocations - Generic
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-05 11:17:12 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eujioy56zchz422kthif6sven7jwsrcsqup5vcy3ls6a5mchj6ta._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
2f895a09ae635487eb6b767e6a95d90efa8d58a9d356229f5ee24f9963ab9e23
RaccoonStealer
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1
RaccoonStealer
a68f787d330808769f87c48f03f9da428bba40595757cd045535b20c7d66d53e
RaccoonStealer
c6e1d668609e9c3d688d02bdab949ca4ed660f42b09bae1fc1c1ba9a04e1b98c
RaccoonStealer
e0dc9892401f354cc3ca63c1e6e66b2fd93a804b3ea09bd348d8f55859847022
RaccoonStealer
+ 4'406 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:b2ef6df07cefd70742a1d2de874b0494a6c0af23 stealer
Link:
https://tria.ge/reports/211206-drb2zsgae3/
Behaviour
Raccoon
Unpacked files
SH256 hash:
5d422099757fabe6b6a26a32c15adf8e2e28f5d21616b37210d3a4ae489dd591
MD5 hash:
825992f765591f7badcc17a68c162346
SHA1 hash:
e47ea23756d012716731cf3407bd7b767a3dacd4
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/fadd7f05-b86b-4d8f-acf6-bec48097eae8/
SH256 hash:
25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6
MD5 hash:
b01eb876b50bb103ecd0131707672fdc
SHA1 hash:
3886e5aef519a9a8526dcfd2487393c4f32cc077
Link:
https://www.unpac.me/results/fadd7f05-b86b-4d8f-acf6-bec48097eae8/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/25128763bec8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1856811/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/211580/

Comments