MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c2dc9d041a919e8367ee723c5a9b8ebcdc41c9e9495b333242d14ce3bb4a2a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 12

SHA256 hash: 4c2dc9d041a919e8367ee723c5a9b8ebcdc41c9e9495b333242d14ce3bb4a2a4
SHA3-384 hash: ee70def47503cf21268873ca70a016b43ea9674b206e92fe094d82ac3197a73887bd0c1596d2bff69b21752c053c190f
SHA1 hash: 22d720a23c2002905f95e8b0163aac39b5ffb900
MD5 hash: a82621c5160b9104d26c55f86766c5b8
humanhash: idaho-princess-artist-harry
File name: SecuriteInfo.com.W32.AIDetect.malware1.5648.2494
Signature: RaccoonStealer
File size: 457'728 bytes
First seen: 2021-03-27 19:31:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9ec7890328fa1c84baa92bc755450f45 (1 x RaccoonStealer)
ssdeep: 12288:TCzHIHyI+TaQMCRzxJ1ZthYdgrssNxoB5NJ4H3R:TCzoX++8RzxJ1ZnZPoG3R
Threatray: 708 similar samples on MalwareBazaar
TLSH: B0A4F10576B6C033F5A2A5F45972C2B4593AFCB4AB2499C73B84366C7E312E2CA71713
Reporter: SecuriteInfoCom
Tags: RaccoonStealer

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 199
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.W32.AIDetect.malware1.5648.2494
Verdict: Malicious activity
Analysis date: 2021-03-27 19:33:15 UTC
Tags: trojan stealer raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Creating a window
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Threat name: Win32.Trojan.BotX
Status: Malicious
First seen: 2021-03-27 19:31:05 UTC
AV detection: 17 of 47 (36.17%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:16992cd33145ccbb6feeacb4e84400a56448fa14 discovery spyware stealer
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Raccoon
Unpacked files
SHA256 hash: 2aa7107ab7731ff792f8bc07c71d43a31db0ad465ddc6d6a842dc21c085e1e0a
MD5 hash: 23734ca6306da19e6c15a5138b927ee5
SHA1 hash: f1d932518887f87e034bedc3ae80fb8690dc1755
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: 4c2dc9d041a919e8367ee723c5a9b8ebcdc41c9e9495b333242d14ce3bb4a2a4
MD5 hash: a82621c5160b9104d26c55f86766c5b8
SHA1 hash: 22d720a23c2002905f95e8b0163aac39b5ffb900
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 4c2dc9d041a919e8367ee723c5a9b8ebcdc41c9e9495b333242d14ce3bb4a2a4 (this sample)

Delivery method: Distributed via web download