MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9a72d88e0cfc08f38ec2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9a72d88e0cfc08f38ec2
SHA3-384 hash:	63a397e55e99b36e8f3f42c060ca1f16b10d1b4af7eaf60e7f65cb6846b7d2a10227612449f74c732626894e688c3874
SHA1 hash:	19e47795deca11f7183ca753cf07bfcbc0da9ddd
MD5 hash:	4f9cba2ba09fb0b3d5bb2048f4c724c8
humanhash:	magazine-charlie-equal-bakerloo
File name:	2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	512'512 bytes
First seen:	2021-09-17 13:55:52 UTC
Last seen:	2021-09-17 15:03:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4b2f006e9c8103411c7e9e0d41005636 (4 x RaccoonStealer, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep	6144:NB2n7d85n53c91btS9DALuxBE+HN3uXjcf9H5IEU3WmkEgZW4vtwCewElRCRjzEx:inuFN+bY9ULuW09tU4WkwCe5KaeCP
Threatray	3'072 similar samples on MalwareBazaar
TLSH	T15DB4021235A0C472C3A15EB46423E395D63AFDE2596C628F77647B2E7F313A0673A306
dhash icon	327a7c7d727e6e76 (7 x RaccoonStealer, 4 x RedLineStealer, 1 x DanaBot)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://179.43.175.24/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://179.43.175.24/	https://threatfox.abuse.ch/ioc/222954/

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9.exe

Verdict:

Malicious activity

Analysis date:

2021-09-17 13:57:27 UTC

Tags:

installer trojan stealer raccoon loader

Link:

https://app.any.run/tasks/7a3be4b1-070c-4634-b461-d92ac9055b1f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/188725/

Detection(s):

SecuriteInfo.com.Packed-GDV4F9CBA2BA09F.7019.14722.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61752ca59a5a1e91c5d207ce/reports/0d7e7d5f-f8d7-45b4-a7bd-0d3425767915/overview

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b84ba31b-ca7f-4844-8381-0bc8fde5a7b8

Result

Threat name:

Clipboard Hijacker Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/852768

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Clipboard Hijacker

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9a72d88e0cfc08f38ec2/

Threat name:

Win32.Trojan.DllCheck

Status:

Malicious

First seen:

2021-09-17 13:56:09 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f55kiybhufndfg7iff5hq3mmtrq7rluj3tfju4wyrygpychtr3ba._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

4a6434d66a30ccd95a6c269ba54133d0cade8eb565cd7fd6582abeff8a02a3fc

RaccoonStealer

769e6fac3f7be0c7278bf32ec84b6e96690e06c4ed2c4d06df1f790fc97165e5

RaccoonStealer

78d2e3ffb53da033d7df217d5a67ea52dbac7928cb77d907307a1c77b4453cfe

RaccoonStealer

79353b4beb5c15fb26a1a4e35742da675a5adeff230f9a4d8f3577d47e263e97

RaccoonStealer

7dab69ecef0dc000e97634c8bf2840242b9e75038f32c0eac5eb79772309e43c

RaccoonStealer

830de75be32c7b749962b6ba9b8f9bb50db8bb9145653fa9e38f33715732ded4

RaccoonStealer

93ba1d3d5ea0f821f84ee02b34b65c3768098b5dfc84022a92f79db5a18f2411

RaccoonStealer

e8d4fc0be0e5dee8f09fe56397cf7c06146ebe9b426d69bef676bfd08431d16a

RaccoonStealer

f0c98f4c47a7f3890884cea6e1e84d19fd63eeed8b05ba9cb367707a0f28aeba

RaccoonStealer

+ 3'062 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon discovery spyware stealer

Link:

https://tria.ge/reports/210917-q8qmxsfgf5/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Raccoon

Unpacked files

SH256 hash:

765d19b4728008c1589f222d1fa49f1cb7310204c7a4574eb9f930d0544bed7b

MD5 hash:

043da3110ddd8f5ac84e7f9c0d2d685e

SHA1 hash:

2d13ecbc31ccf9921cbf6f0b2089fae09d4f4395

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/e5c51ff4-1729-42b9-b85c-347a6ed81b66/

Parent samples :

b8fa5db247142aeb5f090fe861606d46dbcd50cf36249b0e422384a32d1dfc2b
dd32ec7e9a26563e3088286af32a147b95988188302c65024ed97a5a3b6289c6
7ac7316234cbc2894267e99ceca5574f892cb2e49b66cfb2611d73388f0994b3
24d74834868ad2cd944eb3f5a863383e851bee9231c870258dd5ba4bddf58e83
03d23ad7ab07c264aa23794c51236157641a98f8a6b40dc063e3403e831b967b
dba5e6264deed1c0d630810ce0ba5931e442398ab117ab551f05e77d69613bfb
e4a17e7fabd31dca0c8ffa32fdb6ffbe1d4a696e2a6636186787b8259b95eb54
3fa40031fe4c0dda1a5e228221ab8e839333f6219d74e89114067c332b59bf39
675d315e728f48317a23c5f63712f99e82090a2922ecb255f80f2545bfed788a
75c941b968a0da0f653a9e21ec2939d615e49e4ffc3f64bb16e00170a5457b5a
0ddb264e5fcc3d88e1319319d421edb7d12fb66ef73920f8ec45f5e3eddcce07
447ef561d540f7b87bc2c4d822994b35758e8e2fb6e5a37d92b5ed11be769ea6
3c2557c292a2e3a61a85cd44f45f8f3998fd16db3e5e523353eac61a879f726a
561a8533273e9f2b9c5fb33089538d4c70d6b7d6358750ba89dcf3c56417d95d
88bea616209dfb7515186c71ef3555315eae375e4bf1fdff5267aea751323ae6
694c879e26f27610bc40ea419bea615dacb1e3a946a2c843f22af724623d1704
4a6434d66a30ccd95a6c269ba54133d0cade8eb565cd7fd6582abeff8a02a3fc
148c2ff6c877196d1bbdb73f1dc956f5a7dccbab86037648e235c149a3f4eef2
b349af407e596fa823ca28d516ac7ce5481550003d45195e26ea535944cc7f5e
be54f94776405673d2e6d5c453d540dc93c8f4057d4abb0e046b77f926ed9db2
e8d4fc0be0e5dee8f09fe56397cf7c06146ebe9b426d69bef676bfd08431d16a
2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9a72d88e0cfc08f38ec2
bfb1e4895a98b83a61f405199730fea989dc84ab8acf6e6234e4264db179cc84
fe217c1f1d0ab6e7b287c409a3133a11883ce2832b4f30dce686459751584969
7cfa34e7f6ea3ee53ef9911983581f2c8865363d1e8de9d40ea42775de0f9e7e
51731aae19093da264b42957d2b604f4134a3250aa57a1873c6bfd379c3f4e54
c37ce493533868e32350a7a72a2682092d2e14afaec4c429f6ff1c7d046b3cb4
5f340f1335f9e6a3d4e5c51eb3097e3bdf4d93645b925f537a45477427b87494
e9d0565443dbb2553948e2a89bb580a81470a00ac3108ecb1e67a5a121e9d65c
0ebf095d8bc7029868cd05f7ad20f51c324755881ade188d88ba8ed94d67f788
28a1d5fa2dc4e99192f634223cd08d146980534b6f51b36842a2d7c471868fd8
237c6adb7012050c271ed33932bbd6a18a86dc18ace5841b5c0d52f3fe79dcc1
f6fd32309de31db16489c5aee61ed853407c071488503c27537b82346db81911

SH256 hash:

2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9a72d88e0cfc08f38ec2

MD5 hash:

4f9cba2ba09fb0b3d5bb2048f4c724c8

SHA1 hash:

19e47795deca11f7183ca753cf07bfcbc0da9ddd

Link:

https://www.unpac.me/results/e5c51ff4-1729-42b9-b85c-347a6ed81b66/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2f7aa46027a1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2f7aa46027a15a329be8297a786d8c9c61f8ae89dcca9a72d88e0cfc08f38ec2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/188725/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample