MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d6dc41241fe3784d89b8dadddc0297750ebb0602ebed8e1736230d2ae15cfb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d6dc41241fe3784d89b8dadddc0297750ebb0602ebed8e1736230d2ae15cfb5
SHA3-384 hash: 5164b0b45e4f590e5a41aa8d5cb45b7be76e4a13be8e5ea544495af520caa907db7678823b07cf05972ab5f1522469a3
SHA1 hash: b21f24db04d6bbd1fc9a072ea418d29573a034c4
MD5 hash: 495f2bb84e62852f2bcb4f6b13f25b55
humanhash: mike-cardinal-seven-delta
File name:495f2bb84e62852f2bcb4f6b13f25b55.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:590'336 bytes
First seen:2021-10-27 12:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 307c6b23c6d1248012a24f70e3561841 (1 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:zJgrZGOMyYAv8BxGbHmkaE47QaFe9TQ9C4jTB3TcN:9aGTOeGyzFe+hTk
Threatray 3'852 similar samples on MalwareBazaar
TLSH T1AFC4E000A7A0C034F4F612F8497A9368F92E7D919B7854CF53D526FA46B8AE1EC31397
File icon (PE):PE icon
dhash icon b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200530/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61794688db358dd15edfb748/reports/ba04d110-bff7-44d7-9b89-fcafe47581f6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e8d05d4-c98f-4031-b270-9a78afa5f374
Result
Threat name:
SERVHELPER Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877771
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Contains functionality to steal Internet Explorer form passwords
Detected SERVHELPER
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Wscript starts Powershell (via cmd or directly)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510203 Sample: bvklKx9rBs.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Antivirus detection for URL or domain 2->51 53 7 other signatures 2->53 10 bvklKx9rBs.exe 81 2->10         started        process3 dnsIp4 41 91.219.236.49, 49756, 80 SERVERASTRA-ASHU Hungary 10->41 43 telegin.top 10->43 45 2 other IPs or domains 10->45 31 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 10->31 dropped 33 C:\Users\user\AppData\...\vcruntime140.dll, PE32 10->33 dropped 35 C:\Users\user\AppData\...\ucrtbase.dll, PE32 10->35 dropped 37 56 other files (none is malicious) 10->37 dropped 63 Detected unpacking (changes PE section rights) 10->63 65 Detected unpacking (overwrites its own PE header) 10->65 67 Tries to steal Mail credentials (via file access) 10->67 69 2 other signatures 10->69 15 cmd.exe 1 10->15         started        file5 signatures6 process7 signatures8 71 Wscript starts Powershell (via cmd or directly) 15->71 73 Encrypted powershell cmdline option found 15->73 18 powershell.exe 15 23 15->18         started        21 conhost.exe 15->21         started        process9 dnsIp10 39 194.180.174.166, 49803, 80 MIVOCLOUDMD unknown 18->39 23 wscript.exe 1 18->23         started        process11 signatures12 55 Wscript starts Powershell (via cmd or directly) 23->55 57 Bypasses PowerShell execution policy 23->57 59 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 23->59 26 powershell.exe 8 23->26         started        process13 signatures14 61 Detected SERVHELPER 26->61 29 conhost.exe 26->29         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d6dc41241fe3784d89b8dadddc0297750ebb0602ebed8e1736230d2ae15cfb5/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 12:31:10 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hvw4iesb7y3yjwe3rww53qbjo5ioxmdaf27nryltmiynflqvz62q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
4cebb5a9492f91192a5def3c8345b217718a8223a9b845c3eec1e1eeaa8c6060
RaccoonStealer
678f03e1574817fdf555ebe8701534034315d008addfb0dd7aac8fd35d17e855
RaccoonStealer
7c21b1b5f71348d4cf42b5ea75b24ea009e86dfae75f8c65d0b62f069863e130
RaccoonStealer
8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6
RaccoonStealer
9e05d26ca31990960ecb59a804c99db6c1b07ae9d5afc4a835f04a0aceaea75e
RaccoonStealer
afa506dea7e88d3aa2ff4c2f58a21a91cf5d6ae5a00dea2cf482832d1613e37b
RaccoonStealer
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
RaccoonStealer
+ 3'842 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211027-pp2qeaegb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
c50103b45414bbf89e3e94f78276e6d6aff1a2e63b9e1ae1c2e385688b18214e
MD5 hash:
d190f77efbd8f25bd8911fbf4571653b
SHA1 hash:
2e92b5879eef75ec7b2d280820c75dd4854bbc85
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6dc8977-5ee8-4d2c-8303-96eea548981a/
Parent samples :
0abca757a21c853f04a42d9198e1d165cba434e5602609a0783e3e04131bd29e
3d6dc41241fe3784d89b8dadddc0297750ebb0602ebed8e1736230d2ae15cfb5
e207d845291c3dfb68393d2e2b610f1b8f59a91cd01df89f8eb848b4c9c62100
a5bd0490ebf884b314ba02c3550eea48859fb5b564abedfd95c8ea86efadf8fe
SH256 hash:
3d6dc41241fe3784d89b8dadddc0297750ebb0602ebed8e1736230d2ae15cfb5
MD5 hash:
495f2bb84e62852f2bcb4f6b13f25b55
SHA1 hash:
b21f24db04d6bbd1fc9a072ea418d29573a034c4
Link:
https://www.unpac.me/results/c6dc8977-5ee8-4d2c-8303-96eea548981a/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3d6dc41241fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d6dc41241fe3784d89b8dadddc0297750ebb0602ebed8e1736230d2ae15cfb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 3d6dc41241fe3784d89b8dadddc0297750ebb0602ebed8e1736230d2ae15cfb5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/200530/

Comments