MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47bf49b62e959618b4fe917fc30a72577a120ef199ec8fcba4dabbb1618f1773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47bf49b62e959618b4fe917fc30a72577a120ef199ec8fcba4dabbb1618f1773
SHA3-384 hash: 40ea564c48f20fdee4fbb7c51e7e336def1dc0c706496a8fbd9a133a94323ee9304ff55e7f3c19314819668c8461b597
SHA1 hash: 340f952b34e73be774b1b30d6c2e2a5778fc8abb
MD5 hash: 65d1bbe4cdf555063fb1c14993727548
humanhash: delta-fix-oranges-zebra
File name:SecuriteInfo.com.Trojan.GenericKD.39062394.12645.6177
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'919'504 bytes
First seen:2022-03-09 21:51:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c0adfe1e9d3803618765228287306305 (1 x RaccoonStealer)
ssdeep 49152:2pi3KDPCxHtui8uCZOyXe9xZdizmhlMZuC3ipBpAEMclkONvc:0inPuDZOyu9xZ+3GBpicl5
Threatray 4'908 similar samples on MalwareBazaar
TLSH T158D523E0E754DD42D4BE00B26CA5D03176E5FCADA9D8078CD7E8E725A574932320CFAA
File icon (PE):PE icon
dhash icon 86067c3737345daf (1 x RaccoonStealer)
Reporter SecuriteInfoCom
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248927/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39062394.12645.6177.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62292189b94fb38cb44b47f8/reports/0704220a-8d66-4b2c-be2b-ad7ffd36489b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2420b009-6d22-4f18-acb0-2d88bd1c2878
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953755
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47bf49b62e959618b4fe917fc30a72577a120ef199ec8fcba4dabbb1618f1773/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-23 16:48:54 UTC
File Type:
PE (Exe)
Extracted files:
59
AV detection:
29 of 42 (69.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i67utnroswlbrnh6sf74gctsk55bedxrthwi7s5e3k53cympc5zq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
360f2daa601a407296f2a123346526c790bc1a03f974bad4379e0c534056182e
RaccoonStealer
451f3d1b5f2823224e244d06c52423f0e68df54937a8cff948f28f307afe9cfe
RaccoonStealer
5030200d666e1f843a020f4dc2751fa2e91a9e52f929b8a7410ad6fc57d7f768
RaccoonStealer
7b40863ec74aadb8aa7f38657302a39c1699f3e49dfc35ad63f32a0d37c19933
RaccoonStealer
c0c3b3d28a7d7234cce6996c70cf235a20869c5d0f6b430b6a5bcf3b6a7434d2
RaccoonStealer
c4ffe6c2f699fd77bdf6b7b7f49e3ba3691275585292eae1c600d997d6a9c0ee
RaccoonStealer
db2e87c99798d5a30cf5d0c31c589a0f9e07e4f4412e55dcb0bdb858578882d9
RaccoonStealer
e41b64675f161f9a4c044cb7b4d97d3c023a24793c04d503949147e4368bac41
RaccoonStealer
+ 4'898 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1fec994fdf458e08e7c388d642a88fc401b54f24 stealer
Link:
https://tria.ge/reports/220309-1q36eabgf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Raccoon
Unpacked files
SH256 hash:
2b3d0be3899eae1c2834a01b36b810ab51bced5fb3f59a48005568da869fb500
MD5 hash:
2c7735e2b62f55c9c65d262c99bfd024
SHA1 hash:
116a1e4322ea0e3cf3de09d3790307fab0fe9559
Link:
https://www.unpac.me/results/4ddda627-9c6d-4d53-b713-d8c9f729eeb3/
SH256 hash:
47bf49b62e959618b4fe917fc30a72577a120ef199ec8fcba4dabbb1618f1773
MD5 hash:
65d1bbe4cdf555063fb1c14993727548
SHA1 hash:
340f952b34e73be774b1b30d6c2e2a5778fc8abb
Link:
https://www.unpac.me/results/4ddda627-9c6d-4d53-b713-d8c9f729eeb3/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/47bf49b62e95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/47bf49b62e959618b4fe917fc30a72577a120ef199ec8fcba4dabbb1618f1773

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 47bf49b62e959618b4fe917fc30a72577a120ef199ec8fcba4dabbb1618f1773

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2086562/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/248927/

Comments