MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42f71f7375ace133817bcdf3ed89a994cba9772fc7d9cb084cd78f4afb379026. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42f71f7375ace133817bcdf3ed89a994cba9772fc7d9cb084cd78f4afb379026
SHA3-384 hash: a3e9c0c4b5f4bc49853c72d109ec18ec148e7fd2e7598b64aa43df010e062df42d64420368077daa282a2a672fc05fb7
SHA1 hash: 8702c3246c3d5077bf48263ba3f135061d33bcb4
MD5 hash: c60ed5077878e0730a01451cb29c9de6
humanhash: spring-nitrogen-uniform-ceiling
File name:c60ed5077878e0730a01451cb29c9de6.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:461'312 bytes
First seen:2021-11-20 09:50:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afd7f49f71a4c196b8327a3d6c1e7f8d (6 x RedLineStealer, 2 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 6144:54XWDvL+jmV7N8A31QObsPe3pInkudcsy9NcDdsIGRMy0Yo6J:5KWbL/V7N8A3WObsC6nA9Ncpk2P6
Threatray 4'318 similar samples on MalwareBazaar
TLSH T130A4010037B29073E4E362385871D7694A7B3C325F38589BBBAC572D6E702E34A7174A
File icon (PE):PE icon
dhash icon fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c60ed5077878e0730a01451cb29c9de6.exe
Verdict:
Malicious activity
Analysis date:
2021-11-20 09:55:41 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/396297e0-32c5-4aa4-ab25-a59460655b4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6198c508f0309c84a4754747/reports/cd24d22c-88e1-49c9-961e-a0883eb4cf9a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d9c7e56-c7f8-44dd-8cb8-e4118d8d7e97
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893058
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42f71f7375ace133817bcdf3ed89a994cba9772fc7d9cb084cd78f4afb379026/
Threat name:
Win32.Trojan.StellarStealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-20 05:12:02 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=il3r643vvtqthal3zxz63cnjstf2s5zpy7m4wccm26huv6zxsata._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
30fd5af8455df4fd2846b4460b13dfc13ca93b5b156196fc16f00dd739f8f418
RaccoonStealer
37925a2e7e517718f5f2966786a60e7fbd8bc4045f0394a365abde68483f25a6
RaccoonStealer
5c57f5d5d9d42c5a30f32903119b88500449c275a9d933ba146542a489e990cf
RaccoonStealer
7bd96869acc1bbf4b3fb3f08b853fd22e259d780f0b469e149f94ea0386743e9
RaccoonStealer
9024f6ef5d63c82506ef2a9c0dc109d6d65f1d76ea5f8e2f748e719ab5eb2fab
RaccoonStealer
+ 4'308 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:b78eb5a9f2070a9354e23b67827ba02d1d9e0f17 stealer
Link:
https://tria.ge/reports/211120-lvgqmscfck/
Behaviour
Raccoon
Unpacked files
SH256 hash:
1564c3c132b4a846d89a32a1ac16460cb4e2751e5322e5a9e91b131418811277
MD5 hash:
726fff836dbd57136957155bc969937d
SHA1 hash:
dfa2ca09f3d1f2504a6cd983ae3fc3ba81dc32be
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/0446c123-ce6c-4cc6-8406-f454f075d48a/
Parent samples :
d2667d8a4062bd3dbb04570411a184b6d4a72584f1cd11fb74a145a62c2084b6
37393e775419461d8973fc596cd174cc6ff417e07d19d95aacb02cad3f4367b1
58e55ace1e50d5da54055c0ad559e8b888255a586e363bcf08bb728f9127f318
42f71f7375ace133817bcdf3ed89a994cba9772fc7d9cb084cd78f4afb379026
e4cd6a7b62c12b5afbe9d31ffd4d538d1248e0231cd4af7e1217ce0d7b5bbec3
5826d9d6b454aeb9d4cd3a93fcc821340d6d76e8c9c537dd332cd7fe122bc8e0
d3e12edcfc74eb3d0c54fb626db2d61a82553186504d6fe249bbba792935d425
SH256 hash:
42f71f7375ace133817bcdf3ed89a994cba9772fc7d9cb084cd78f4afb379026
MD5 hash:
c60ed5077878e0730a01451cb29c9de6
SHA1 hash:
8702c3246c3d5077bf48263ba3f135061d33bcb4
Link:
https://www.unpac.me/results/0446c123-ce6c-4cc6-8406-f454f075d48a/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/42f71f7375ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42f71f7375ace133817bcdf3ed89a994cba9772fc7d9cb084cd78f4afb379026

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 42f71f7375ace133817bcdf3ed89a994cba9772fc7d9cb084cd78f4afb379026

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207735/

Comments