MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2747dc1a2ed271dd23c179accd64de2857e671c01a1860c84acedda146355210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RaccoonStealer
Vendor detections: 12
| SHA256 hash: | 2747dc1a2ed271dd23c179accd64de2857e671c01a1860c84acedda146355210 |
|---|---|
| SHA3-384 hash: | 2b7db921c54513a711c0727d98645a4cdeeabf0eddae2d02de3d2b60fa9fb5133dc28a1fcfca7fcd9ee4ff8f29e47fce |
| SHA1 hash: | 80a16361c11b0e626f725b15fd8a46c0f501168e |
| MD5 hash: | a37f21ffacd3e21d83022c26f2b8d6cf |
| humanhash: | winner-item-oxygen-sixteen |
| File name: | a37f21ffacd3e21d83022c26f2b8d6cf.exe |
| Download: | download sample |
| Signature | RaccoonStealer |
| File size: | 538'112 bytes |
| First seen: | 2021-06-12 00:25:58 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 34c0759936727f40e2263d833b40ae4a (2 x RaccoonStealer) |
| ssdeep | 12288:S2IOD3Jvu6lr9/di/4Lw0WU/Ezy2tZssl5015RWAhWCoQY:SCD5/lHi/4Lw01ky2tw15Rhhl |
| TLSH | 59B4E000B7E0C035F4B776F4593A8274A86A7DB16B2584CF62D52AEF5A746F4AC30363 |
| Reporter |  abuse_ch |
| Tags: | exe RaccoonStealer |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://34.76.8.115/ | https://threatfox.abuse.ch/ioc/98907/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a37f21ffacd3e21d83022c26f2b8d6cf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-12 00:29:36 UTC
Tags:
trojan stealer raccoon
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Detection(s):
Win.Packed.Filerepmalware-9869115-0
Win.Packed.Filerepmalware-9869146-0
Win.Packed.Ransomx-9869238-0
Win.Malware.Filerepmetagen-9869269-0
Win.Malware.Generic-9869276-0
Win.Malware.Generic-9869302-0
Win.Packed.Pwsx-9869364-0
Win.Malware.Ransomx-9869408-0
Win.Packed.Redline-9869230-1
Win.Packed.SmokeLoader-9869383-1
Win.Packed.Pwsx-9870269-0
Win.Packed.Filerepmalware-9869146-0
Win.Packed.Ransomx-9869238-0
Win.Malware.Filerepmetagen-9869269-0
Win.Malware.Generic-9869276-0
Win.Malware.Generic-9869302-0
Win.Packed.Pwsx-9869364-0
Win.Malware.Ransomx-9869408-0
Win.Packed.Redline-9869230-1
Win.Packed.SmokeLoader-9869383-1
Win.Packed.Pwsx-9870269-0
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Connection attempt
Sending an HTTP POST request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Raccoon
Detection:
malicious
Classification:
troj.spyw
Score:
76 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.Racealer
Status:
Malicious
First seen:
2021-06-10 03:37:00 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:raccoon botnet:08fc12e059eb829321eb7be0fa05e7b307d107e4 stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
e6c379eda74bb8b69f1f2a9997289c04186fe29f1128ff4239f913bad1b9d063
MD5 hash:
b3c99730a5507022a233b48c94eec8c4
SHA1 hash:
bbc6737bea550b557cda4db3d2a14cfe60b831a8
Detections:
win_raccoon_auto
SH256 hash:
2747dc1a2ed271dd23c179accd64de2857e671c01a1860c84acedda146355210
MD5 hash:
a37f21ffacd3e21d83022c26f2b8d6cf
SHA1 hash:
80a16361c11b0e626f725b15fd8a46c0f501168e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Email_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Email in files like avemaria |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | MALWARE_Win_Raccoon |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Raccoon/Racealer infostealer |
| Rule name: | win_raccoon_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.