MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41f7c3c7629edb120c0856664f339049131f858650548ed419002459ef464852. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41f7c3c7629edb120c0856664f339049131f858650548ed419002459ef464852
SHA3-384 hash: 13416615c79ac7a4b7179a91b67cea6ad4dfb9b16c4e20229258c37908cf87e7b5b39027aea2593d2f1dee82a3c1255e
SHA1 hash: 5859a0b6b8969c3cd6c75b9cc6173fc710dfba46
MD5 hash: f8367a8bd71732e3e32deed42826b8ff
humanhash: may-monkey-fruit-sweet
File name:f8367a8bd71732e3e32deed42826b8ff
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'725'968 bytes
First seen:2022-01-19 12:58:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 050a754dac0eec17196f7f46982f97c9 (1 x RaccoonStealer)
ssdeep 49152:EXgp2FkH79iPVz6sA0jCCVa3+EBQu60l/qFww:EXgp2SH79iPV+oCCVa3+EW/6Hw
Threatray 8'750 similar samples on MalwareBazaar
TLSH T15785331B3944FD65CCC8B93608C5A80B0B2638BA6E680AD5B5DD3FC92BB04F67359717
File icon (PE):PE icon
dhash icon bc58bcb8f870f0ec (1 x RaccoonStealer)
Reporter zbetcheckin
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220617/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.1943.1730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Sending an HTTP GET request
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61e80b1bd32385db63086d17/reports/c4eeaa01-0c9e-4dca-b490-ae9410158724/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/12dd5dd3-0c65-4c6b-86c0-7d33a0be117c
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923451
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41f7c3c7629edb120c0856664f339049131f858650548ed419002459ef464852/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 12:59:11 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0ffddfa0d703b8dbfcbdfeda5c1645cc796863710dbd1383fc1062046429d317
RaccoonStealer
36cfc93885d821899c8cc38879ee915553ff45e68ce8aa8653a6f52495639992
RaccoonStealer
40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae
RaccoonStealer
486658750c2204bf7924086f67e9228d7d604deae84dfc5caaa66ea7d2222179
RaccoonStealer
79e74116d9b6641a89f62b78d9b51450612c33cb346d1c86521ce5a8313d24c6
RaccoonStealer
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
RaccoonStealer
cb2aff101fb0bdb70d2a113910feee36d63fb65fd9bcee5016b2338d318df67e
RaccoonStealer
cf2520dcf0df45be39612ab801dd1bb9923c83b21fc781be782e89e3a48e27a5
RaccoonStealer
+ 8'740 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:3bd285792a3da047c4a7b1896528d161de0eb5e5 evasion stealer trojan
Link:
https://tria.ge/reports/220119-p73qeshhd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Unpacked files
SH256 hash:
ecfcf2bbbd9abccfc33e6b1e168ececb1a8df5bb9545d38e2c446d96fe09466c
MD5 hash:
9ac6f7b03fe0f5ec25141baf58bd9a5d
SHA1 hash:
a3e5b30ac3de3c8c58a00ac3979398e05e8422dc
Link:
https://www.unpac.me/results/7503f07f-d9b9-4791-9aeb-f8acf6b8e047/
SH256 hash:
41f7c3c7629edb120c0856664f339049131f858650548ed419002459ef464852
MD5 hash:
f8367a8bd71732e3e32deed42826b8ff
SHA1 hash:
5859a0b6b8969c3cd6c75b9cc6173fc710dfba46
Link:
https://www.unpac.me/results/7503f07f-d9b9-4791-9aeb-f8acf6b8e047/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/41f7c3c7629e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/41f7c3c7629edb120c0856664f339049131f858650548ed419002459ef464852

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 41f7c3c7629edb120c0856664f339049131f858650548ed419002459ef464852

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/220617/
  
URLhaus
https://urlhaus.abuse.ch/url/1989461/

Comments


Avatar
zbet commented on 2022-01-19 12:58:40 UTC

url : hxxp://coin-coin-file-9.com/files/4762_1642531476_5504.exe