MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4701e82080bbf43bfaf8dee522b66e11ee9029154eca770701e34e3a7822f263. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 14

SHA256 hash: 4701e82080bbf43bfaf8dee522b66e11ee9029154eca770701e34e3a7822f263
SHA3-384 hash: 55943e3b46958fd013e95a57cb6b5697b13d2f0af8fd6d42249cb1bea9e9d0b3f22b877af768c48bf1bdcbb3cd201d28
SHA1 hash: e9008ea9e6da7547fa1d8914d9d2d77cb3977e36
MD5 hash: 50f3588df57df36f71786cb7fd2876fd
humanhash: lion-spring-queen-high
File name: 50f3588df57df36f71786cb7fd2876fd.exe
Signature: RaccoonStealer
File size: 574'976 bytes
First seen: 2021-10-13 17:07:23 UTC
Last seen: 2021-10-13 18:18:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 6914b510638d71b110829c8d3f3435fd (3 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 12288:BcW1HJ+I3MF7H2Jl7XOwIVN5j3vPJxXLT2CQoLm2v0vQGmD:5JpJlAN93vPjn24mhv
Threatray 3'773 similar samples on MalwareBazaar
TLSH T10BC4E010B7A0C035F1F766F8497AA3A8A53E79A1672490CF23C51AEE57346E1EC3135B
dhash icon 9cfcfcf8e8e8e066 (1 x RaccoonStealer)
Reporter abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 211
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 50f3588df57df36f71786cb7fd2876fd.exe
Verdict: Malicious activity
Analysis date: 2021-10-13 17:40:25 UTC
Tags: stealer loader trojan raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed stop
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-10-13 15:21:50 UTC
AV detection: 22 of 41 (53.66%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:f101b8d36e5dba77385a11565177c9403f6a2964 stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 4c49409a8cfca2ef69ebc5fc912c1f03613750c5df0b5546d9322db8d2b6f79f
MD5 hash: 6674ba89886f07b60acb2bc7bf6e70d1
SHA1 hash: e5a685124679187d33b317091b7fd26d9931b10f
Detections: win_raccoon_auto
SHA256 hash: 4701e82080bbf43bfaf8dee522b66e11ee9029154eca770701e34e3a7822f263
MD5 hash: 50f3588df57df36f71786cb7fd2876fd
SHA1 hash: e9008ea9e6da7547fa1d8914d9d2d77cb3977e36
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer: Executable exe 4701e82080bbf43bfaf8dee522b66e11ee9029154eca770701e34e3a7822f263 (this sample)

Delivery method: Distributed via web download

Comments