MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fc3db47fe48b58c950b7bfd18d8b80e7ffa48035fa0be7e096d7b593c64edbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 15


SHA256 hash: 2fc3db47fe48b58c950b7bfd18d8b80e7ffa48035fa0be7e096d7b593c64edbc
SHA3-384 hash: 005264666e00d64c358704282ff5871821c4d52fc231dfb27034024502acdeff52c58425b24a2ab5aef90797d2174c23
SHA1 hash: b0f7ad82057bd0f424aef8d1e53c098bf9297cbd
MD5 hash: 1548a436e221011b220d431f4d6e093f
humanhash: zulu-jupiter-washington-freddie
File name: 1548a436e221011b220d431f4d6e093f.exe
Signature RaccoonStealer
File size: 574'464 bytes
First seen: 2022-03-11 17:03:29 UTC
Last seen: 2022-04-20 09:54:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 79308deed746567d711b667ee2d6efa1 (10 x RedLineStealer, 2 x N-W0rm, 2 x RaccoonStealer)
ssdeep 12288:ckZoTp4nHanvZJt7S2DX0WSrl/vn7XnZUp1PRbjjT7j9RRD:isHuvDEWSZ/jXnyJPZD
Threatray 5'956 similar samples on MalwareBazaar
TLSH T127C4D010BA90D03AF5F715F81676D36C762E7EE16B2110CF62E22AEA56345E0EC3174B
dhash icon 25ac1378399b9b91 (28 x Smoke Loader, 24 x Amadey, 21 x RedLineStealer)
Reporter abuse_ch
Tags: exe RaccoonStealer
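Added example (not MalwareBazaar's or abuse.ch's code): after downloading the sample from this entry, re-compute the four digests listed above for the local file and compare them with the entry, parse the `family:... botnet:...` tag line that one of the vendor results further down uses, and build the MalwareBazaar API lookup for the SHA256. The hash and size values are copied from this entry; the sample bytes used in the demo are a constructed placeholder, not the real binary. The endpoint URL and the `query=get_info` / `hash=` form are the public MalwareBazaar API; the `Auth-Key` header is an assumption (recent versions of that API require one, and you need your own key).

```python
"""Verify a MalwareBazaar download against its entry and build an API lookup.

Added example, not MalwareBazaar/abuse.ch code.  ENTRY values are copied
from the page; the bytes used in the demo are constructed, not the sample.
"""
import hashlib
import urllib.parse
import urllib.request
from typing import Optional

# Hashes and size exactly as listed in the database entry above.
ENTRY = {
    "sha256": "2fc3db47fe48b58c950b7bfd18d8b80e7ffa48035fa0be7e096d7b593c64edbc",
    "sha1": "b0f7ad82057bd0f424aef8d1e53c098bf9297cbd",
    "md5": "1548a436e221011b220d431f4d6e093f",
    "sha3_384": "005264666e00d64c358704282ff5871821c4d52fc231dfb27034024502acdeff"
                "52c58425b24a2ab5aef90797d2174c23",
    "file_size": 574464,
}

MB_API = "https://mb-api.abuse.ch/api/v1/"  # public MalwareBazaar API endpoint


def file_hashes(data: bytes) -> dict:
    """Compute the four digests (and size) MalwareBazaar lists for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "file_size": len(data),
    }


def check_against_entry(data: bytes, entry: dict = ENTRY) -> dict:
    """Return {field: matches?} for every field in the entry.

    Run this on the file extracted from the download archive (MalwareBazaar
    zips use the password 'infected') so you know you are analysing the file
    the entry describes and not a truncated or swapped one.
    """
    got = file_hashes(data)
    return {key: got[key] == entry[key] for key in entry}


def parse_sandbox_tags(tag_line: str) -> dict:
    """Split a 'key:value key2:value2 bare' tag line into a dict.

    Bare tags (no colon) are collected under 'tags'.  The 'botnet:' value is
    the config-derived identifier that distinguishes one Raccoon build from
    another and is the better pivot than packer-level hashes.
    """
    out = {"tags": []}
    for token in tag_line.split():
        if ":" in token:
            key, value = token.split(":", 1)
            out[key] = value
        else:
            out["tags"].append(token)
    return out


def mb_get_info_request(sha256: str, auth_key: Optional[str] = None) -> urllib.request.Request:
    """Build (without sending) the POST that fetches this entry as JSON.

    query=get_info with hash=<sha256> is the MalwareBazaar API call; the
    Auth-Key header is assumed to be required (supply your own key).
    """
    body = urllib.parse.urlencode({"query": "get_info", "hash": sha256}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_key:
        headers["Auth-Key"] = auth_key
    return urllib.request.Request(MB_API, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed stand-in (a bare MZ header, zero-padded), not the real
    # sample, so every field is expected to mismatch the entry.
    fake_sample = b"MZ" + b"\x00" * 62
    print(check_against_entry(fake_sample))
    print(parse_sandbox_tags("family:raccoon botnet:d7ce4d2837ba5349afb5f48e90638edf69cc105c stealer"))
    req = mb_get_info_request(ENTRY["sha256"])
    print(req.full_url, req.data)
    # To actually query: urllib.request.urlopen(mb_get_info_request(sha, auth_key=KEY))
```

Note on pivoting: the imphash listed above is shared with RedLineStealer and N-W0rm samples, and the icon dhash with Smoke Loader and Amadey. Both are properties of the packer/crypter stub and the decoy icon rather than of the Raccoon payload, so searching on them alone pulls in other families. Use them to find siblings built with the same crypter, and the SHA256/MD5/SHA1 plus the `botnet:` tag to track this particular Raccoon build.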

Intelligence


File Origin
# of uploads: 2
# of downloads: 193
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
Creating synchronization primitives
Sending an HTTP GET request
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour: Behavior Graph (image)
Threat name: Win32.Infostealer.Racealer
Status: Malicious
First seen: 2022-03-11 02:52:09 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 25 of 27 (92.59%)
Threat level: 5/5
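The "Self deletion via cmd delete" signature in the vendor result above describes the stealer spawning cmd.exe to remove its own file once it has finished. The following added example (not the sandbox vendor's logic, and not code recovered from this sample) shows how to flag that pattern in process-creation telemetry: it looks for a cmd.exe whose command line deletes the image path of its own parent process, and notes whether a delay (`timeout`, `ping`, `choice`) precedes the delete, which is how the parent gets time to exit before the file lock is released. The event records are constructed Sysmon-style fields, and the command-line shape is an assumed common pattern, not one extracted from this binary.

```python
"""Flag 'self deletion via cmd delete' in process-creation telemetry.

Added example, not vendor or sample code.  SAMPLE_EVENTS are constructed
records shaped like Sysmon Event ID 1 fields; the command lines are assumed
patterns, not ones observed from this sample.
"""
import re
from typing import Iterable, List

# 'del' or 'erase', optional single-letter switches (/f /q ...), then a path
# ending in .exe, optionally quoted.  Stops at & | so chained commands work.
DEL_RE = re.compile(r'\b(del|erase)\b\s+(?:/[a-z]\s+)*"?([^"&|]+\.exe)"?', re.IGNORECASE)
# Typical ways a one-liner waits for the parent to exit before deleting.
DELAY_RE = re.compile(r"\b(timeout|ping|choice)\b", re.IGNORECASE)


def find_self_deletion(events: Iterable[dict]) -> List[dict]:
    """Return one finding per cmd.exe whose command line deletes its parent's image.

    Each event needs ProcessId, Image, ParentImage and CommandLine.  Paths are
    compared case-insensitively because Windows paths are.
    """
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        match = DEL_RE.search(ev["CommandLine"])
        if not match:
            continue
        target = match.group(2).strip().lower()
        if target != ev["ParentImage"].lower():
            continue  # deleting some other file is not self-deletion
        findings.append({
            "pid": ev["ProcessId"],
            "parent": ev["ParentImage"],
            "delayed": bool(DELAY_RE.search(ev["CommandLine"])),
            "cmdline": ev["CommandLine"],
        })
    return findings


# Constructed telemetry (not from the real sample).  The file name reuses
# the MD5-named file from this entry purely to make the records readable.
_STEALER = r"C:\Users\victim\AppData\Local\Temp\1548a436e221011b220d431f4d6e093f.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": _STEALER,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s"' % _STEALER},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": _STEALER,
     "CommandLine": 'cmd.exe /c timeout /t 3 & del "%s"' % _STEALER},
    {"ProcessId": 5001, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c del /f /q C:\Users\victim\Downloads\old_installer.exe"},
]

if __name__ == "__main__":
    for finding in find_self_deletion(SAMPLE_EVENTS):
        print(finding)
```

Only the second record is reported: the third is a user deleting an unrelated installer, and the first is the stealer's own start. In production telemetry, join on the parent's ProcessGuid rather than the path string, since a second instance of the same file name would otherwise be matched too.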
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:d7ce4d2837ba5349afb5f48e90638edf69cc105c stealer
Behaviour:
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Unpacked files
SHA256 hash: 9346737e021e33ce3e26ee78d0f0b81d1953df796a8cfb7e72462904e7d77a41
MD5 hash: 050da13d3ffd1b40b9015b91e78eb000
SHA1 hash: d1e38ac0a4dd405d05c9e2bfdb4265d99e0732bc
Detections: win_raccoon_auto
Parent samples:
70e8ad5e62ee2b742b069521615bfaa6ac61833dc927e8ab42bafff9d7952ac0
2d892b56e76a69ef962a15c7a1ef782d985f67647df2042ae61b6711b3376fbf
ccae525e68a279ad432d07a3e1ea6f2d89bb68bd73de544d6c44b3689a185d15
2fc3db47fe48b58c950b7bfd18d8b80e7ffa48035fa0be7e096d7b593c64edbc
06fbcededd23e7e7661fa0f39f696c26e9cd0115794c643571e28392a80502a2
5814d20dbc9b644dfa95a37e4420cb24571d0a50901fa5d4efff5ed02a695dff
a07c5c4122a2dff00a982499b7670fb48e63ba7fb70513f558c7190433c3da92
deb97bc395ff6094d13bc755490be6623079b20e0bffe9f9f616235adc9a7058
eb0939480d699a6648c4ac4155ed712520c6189f4fc6ef12e96b4aef333709f3
45445917d028a58b822aae22e260fb94d2d5bee3ec98431fcda50d845cff3f78
15d7ae1cabcdd1d0c95557bd19005062c116f43e6d3240bbd99829b65993ae2e
a47a73867e96ecc583bd089b8b352d0c0ed7e85c2ca9dccf5627b7d1bee1e416
95ff9f24e1ea61cff965288ab817e57d8ea0a18a6669606828f503df8fd39fe8
3812779d7e6bfcedc29e53edcb53c94a9770171f05b6f1a11146cc4e82f77e56
5e2c211900e145c9aad6d6970858eebbadf07ea9cfb517deae7e5edc66e41cb4
2ff1b440f954bf8779f8c0ddfc88bb6fc0e095bd176ad4606f81d006a8634d3f
9eb980a3a65d550661eea3c2de5c763af6993f4da16ffc0aa80202a48748d231
50a1e08f353094c0a19b84ea61f13d39e7c3e9731269c35fd05844cff198071f
27493ca87c0d633bb9b3aace9664110c1a54cb56fd11d9fceae21f2b370de9cc
2eef8577617e660b457890db4c6c8b914508725fd7dba90a47708ae9629fd51c
00f6bff1ff217479f31a0f7e95079e836d5db24e06dfeb10eb907019e80d52a1
804cc9e39d3a85a238d99b929bb7a3b00bca29b9945e2909aaa7f2941dff10b4
7f7f3c52fd2bf69c352bf106234604ab15c17ffb950b52fef6c8037ef6510ebf
e7562731506bfbb2d6dfbe57d290cbda3b5497aab0c16a6a405e23f7b23f43de
SHA256 hash: 2fc3db47fe48b58c950b7bfd18d8b80e7ffa48035fa0be7e096d7b593c64edbc
MD5 hash: 1548a436e221011b220d431f4d6e093f
SHA1 hash: b0f7ad82057bd0f424aef8d1e53c098bf9297cbd
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments