MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 574a56656b6cf687d912baeedeeb176f0a7e58ad15ad4ab43c3cd630d9cceab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 16

SHA256 hash: 574a56656b6cf687d912baeedeeb176f0a7e58ad15ad4ab43c3cd630d9cceab2
SHA3-384 hash: 992ac3c9d2bea4ed262a7f2d434acf7e0fc921bbdae637b592894d0693826d3af2395b65501310504607f750a8084a9a
SHA1 hash: bc9a3ef4d659dfe910cc84dceec9ef77aa802f5d
MD5 hash: c3fd47cc40f05a5dca7394fc6b8d4b16
humanhash: hamper-spring-sink-papa
File name: c3fd47cc40f05a5dca7394fc6b8d4b16.exe
Signature RaccoonStealer
File size: 445'952 bytes
First seen: 2021-11-02 05:53:58 UTC
Last seen: 2021-11-02 08:16:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 38efc42584ffe235e8d11c10897bfaf8 (3 x Smoke Loader, 2 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 12288:uAu3JGYHtCoFjN/vGPwejnFlGmfyRrZe:P6CofupoY
Threatray 4'088 similar samples on MalwareBazaar
TLSH T1CE9402117692E472D0A216B15C39C7B60E3AB872167101BB77987F2E3EB03D09A79377
dhash icon fcfcb4d4d4d4d8c8 (18 x RedLineStealer, 10 x RaccoonStealer, 5 x Smoke Loader)
Reporter abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 103
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c3fd47cc40f05a5dca7394fc6b8d4b16.exe
Verdict: Malicious activity
Analysis date: 2021-11-02 05:54:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-11-01 19:33:15 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:68e2d75238f7c69859792d206401b6bde2b2515c stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 35af3628c195c79bdd6a9e6b76b1c0cb5021035f248a8ed5f249f29b98ec15ff
MD5 hash: fc4210b8d69615b449407f5aa1401b8b
SHA1 hash: bbccbb86817dc3b30df63f466a203c1ceb07f738
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: 574a56656b6cf687d912baeedeeb176f0a7e58ad15ad4ab43c3cd630d9cceab2
MD5 hash: c3fd47cc40f05a5dca7394fc6b8d4b16
SHA1 hash: bc9a3ef4d659dfe910cc84dceec9ef77aa802f5d
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments