MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a7e300acc0cde02597545a11ad1efa8f456dba9df485296180bb8fa176bc739. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a7e300acc0cde02597545a11ad1efa8f456dba9df485296180bb8fa176bc739
SHA3-384 hash: 9992340d41cbc0ee2cf834aeb3b13787c58fc99492237699fa96a4ce15b64aa01b6de51d85613ee067f0ac918bc3c52e
SHA1 hash: c709850930a7f31ec738c9951a1e7b9bc5d3d7e8
MD5 hash: d7e506aa5e8ab5359c9cd943443e2709
humanhash: batman-fillet-march-stairway
File name:SKMC20210610.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:51'128 bytes
First seen:2021-10-06 21:35:36 UTC
Last seen:2021-10-06 23:14:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 768:qXTs8cQGzRLLzG8YMgXJYgjL2kxtdftZdxF20vJUA8/DDFtYcFmVc6KdjhRYm:qQ8cQGVt4JJ3vdly2JctmVcld/
Threatray 3'528 similar samples on MalwareBazaar
TLSH T164336B0467848326DA7E4B362973A9014BF5B21AEF23DA5E7E8C40DD1F13740DB62F66
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.47.232/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.47.232/ https://threatfox.abuse.ch/ioc/231118/

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKMC20210610.exe
Verdict:
Malicious activity
Analysis date:
2021-10-06 21:39:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6579bc0a-031d-43be-b625-046ebfc5953b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195560/
Detection(s):
SecuriteInfo.com.ArtemisD7E506AA5E8A.18372.9954.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615e16c8e3d213d202b8f173/reports/27e5e8c7-5a0f-4b56-a0a9-2ee2820e2af0/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6fbb11a2-93f0-48fa-bb31-aca06a7cda99
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/865904
Signature
Contains functionality to steal Internet Explorer form passwords
Creates HTML files with .exe extension (expired dropper behavior)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a7e300acc0cde02597545a11ad1efa8f456dba9df485296180bb8fa176bc739/
Threat name:
ByteCode-MSIL.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 21:36:11 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jj7dacwmbtpaewlviwqrvuppvd2fnw5j35efffqybo4puf3ly44q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54
RaccoonStealer
71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a
RaccoonStealer
7383c5e9d047eff7d5a91139c0f5c1c80c1cae7fdf5ebb59a0db20a05abb58a2
RaccoonStealer
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
RaccoonStealer
b7b037355cc6e9dc7f9c665f1ea987bafed82a4825409a5d05cde15c6d243dff
RaccoonStealer
c37589d196b538bdbe783c81ba966e7a3689f9867cf5d22d207a602c86ebdf7e
RaccoonStealer
c67646ba071947726cb2420a03887901a79a762844862eeb61f2fa8349ea355f
RaccoonStealer
dcff0727ff7809cddf9d0ca02725f70ead9eff5799cdef37b2b05fee166bc5e8
RaccoonStealer
dded956a99823dc3d87aafa2764e9a561eb9df6b571251f118468052143d76cc
RaccoonStealer
dedecac051c66649d617a251056138a2e59e530a0c172b7c851b6a10d8c45222
RaccoonStealer
+ 3'518 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:27c9b6ae257af0ad6f3f3330ea633fc782fa4daf discovery spyware stealer
Link:
https://tria.ge/reports/211006-1fx7eabfa8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4a7e300acc0cde02597545a11ad1efa8f456dba9df485296180bb8fa176bc739
MD5 hash:
d7e506aa5e8ab5359c9cd943443e2709
SHA1 hash:
c709850930a7f31ec738c9951a1e7b9bc5d3d7e8
Link:
https://www.unpac.me/results/dcdcb592-689a-4df0-bf73-818df7eefcec/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4a7e300acc0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4a7e300acc0cde02597545a11ad1efa8f456dba9df485296180bb8fa176bc739

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195560/

Comments