MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a40278bafab6c6b46844d465d86a2a901c8b447c35478f49b2e87a784d72bef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a40278bafab6c6b46844d465d86a2a901c8b447c35478f49b2e87a784d72bef
SHA3-384 hash: 2dd65a66a6874ea02c6fb8ef7129ed0a0aed815f525b90c053d65caa225ffc974fc1f9a8f329d0511b0d15c367f3f9b1
SHA1 hash: a1e16b67a1078ebbc918472b36982cbcd3c9328f
MD5 hash: feacf8e20fc889df23f6cc2f8f6d3116
humanhash: quebec-bluebird-carolina-alanine
File name:feacf8e20fc889df23f6cc2f8f6d3116.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:606'720 bytes
First seen:2021-11-05 07:16:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f328df869bbb6ffcb0b5674378a112d8 (4 x RedLineStealer, 4 x RaccoonStealer, 1 x Smoke Loader)
ssdeep 12288:NMGVsptLmprScLXz9Mm9FjE5yV9AOM1SwTl5nfpuARMbZXu5ka0UkB49C6O:CGVAhmprdDGmDE5I8025nBuARMb1u5kv
Threatray 4'099 similar samples on MalwareBazaar
TLSH T120D4D010B6A1C039F4B216B879769278F53E7DA1A72480CF13D62BEE56706E0ECB1717
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
feacf8e20fc889df23f6cc2f8f6d3116.exe
Verdict:
Malicious activity
Analysis date:
2021-11-05 07:17:29 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/61447e26-8c43-41b0-b58f-72ab92b8fd1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202556/
Detection(s):
SecuriteInfo.com.Variant.Jaik.49059.22396.10009.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6184da71c03a81a50241cfac/reports/d3796716-0b89-4809-bb4f-d2f86dce9b70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05e8da49-baaf-4c11-b364-2ac6574aadf8
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/883755
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a40278bafab6c6b46844d465d86a2a901c8b447c35478f49b2e87a784d72bef/
Threat name:
Win32.Trojan.Krypter
Create hunting rule
Status:
Malicious
First seen:
2021-11-05 07:17:05 UTC
AV detection:
21 of 44 (47.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljacpc5pvnwgwruejvdf3bvcvea4rnchynkhr5e3f2d2pbgxfpxq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34
RaccoonStealer
8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6
RaccoonStealer
afa506dea7e88d3aa2ff4c2f58a21a91cf5d6ae5a00dea2cf482832d1613e37b
RaccoonStealer
ca30cae9fee835a2a12b111864d52a15f92a5a8b0e6fa7ae189833654bff712e
RaccoonStealer
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
RaccoonStealer
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
RaccoonStealer
+ 4'089 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:8f84893fac8025c5bfbe688da7bcaf1820b04ead stealer
Link:
https://tria.ge/reports/211105-h4dhssfhhl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
91f594068575ecfe9f73c5c49f0e5e8da585f598a3f5841d2ceb506769247b5c
MD5 hash:
e6ce0d236a18878432d5ca53881ddf6a
SHA1 hash:
9e02543e2d1ef98e975548fe1988e307b599155d
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/5c11b565-d7c2-460a-90d1-187497cbd024/
SH256 hash:
5a40278bafab6c6b46844d465d86a2a901c8b447c35478f49b2e87a784d72bef
MD5 hash:
feacf8e20fc889df23f6cc2f8f6d3116
SHA1 hash:
a1e16b67a1078ebbc918472b36982cbcd3c9328f
Link:
https://www.unpac.me/results/5c11b565-d7c2-460a-90d1-187497cbd024/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5a40278bafab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a40278bafab6c6b46844d465d86a2a901c8b447c35478f49b2e87a784d72bef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 5a40278bafab6c6b46844d465d86a2a901c8b447c35478f49b2e87a784d72bef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1738451/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/202556/

Comments