MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 647ff6bf6f905c771a13ed6b0d5fdfe0b7c418559b7e59d27bfdc9935ef3e056. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 647ff6bf6f905c771a13ed6b0d5fdfe0b7c418559b7e59d27bfdc9935ef3e056
SHA3-384 hash: 6bee5b73219c0bf90853bd2d9d87ea49e7d49f7fa3b53dba9017385c6b8dbb8ce2f57890266cacd5a0702bff48e4b15d
SHA1 hash: 169842fb7a123873f42c4e107d272fe65611d775
MD5 hash: fe375f70f5291985dbd2824649a36875
humanhash: massachusetts-twelve-friend-sink
File name:fe375f70f5291985dbd2824649a36875
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:510'976 bytes
First seen:2021-09-07 02:51:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2b61ec335a437915fc26e9e5178da86 (5 x RaccoonStealer, 4 x Stop, 2 x ArkeiStealer)
ssdeep 6144:8H7DFLh1Z1+O5JqOaW9ton0BTsbQbw9wpe7FgwFRJOIPm7Anmxt91IrbP5gs0ZrC:of1qO5JgW9tSwIL+OgStoNxYjYrHDe
Threatray 3'457 similar samples on MalwareBazaar
TLSH T16AB4E020B6D0C036F5B715F589B993B8A93ABEB15F2440CF62D42BEE16356E09D3074B
dhash icon 68e8c8e8aa66a499 (3 x RaccoonStealer, 1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.237/ https://threatfox.abuse.ch/ioc/216755/

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe375f70f5291985dbd2824649a36875
Verdict:
Malicious activity
Analysis date:
2021-09-07 02:54:45 UTC
Tags:
installer trojan stealer raccoon loader
Link:
https://app.any.run/tasks/1696e55c-218d-4fd6-ba47-3fc2ffd5924d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185784/
Detection(s):
SecuriteInfo.com.Variant.Jaik.47576.19768.9165.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afd62ff7-4ff5-4153-bfbe-e2a14c9f05be
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846209
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/647ff6bf6f905c771a13ed6b0d5fdfe0b7c418559b7e59d27bfdc9935ef3e056/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 02:52:09 UTC
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mr77np3psbohogqt5vvq2x674c34igcvtn7ftut37xezgxxt4bla._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
3de468b9b2a109de4431405cc72d375c7521ae4c9de6d72f00dba315cfdf264d
RaccoonStealer
62dc6d106cefc8277867d471d1345ce176b7670e464104f74cda40f15a3a5515
RaccoonStealer
6d9f28b4085f6c72d6ce1d99fa7fc08d0187a5ca68dfb3aa362c49e53467bfdd
RaccoonStealer
9cbaafcc5fabe81105cbe09a869c1576dcb8c09c53386a6426ebead635502a67
RaccoonStealer
c7c414abbdf984e9b783dc88e68bb97f6f7c3cb16765ca5cbee4284b6950e565
RaccoonStealer
cc7e09f135b6cb09c0a32d54beb24789a94a5ccec038a038ad2ddaeedb697ef0
RaccoonStealer
e0939b426b36e4600f0118fc651ade00694d6e27ccb93c8178fc9fe681fb7cce
RaccoonStealer
+ 3'447 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:a5e6fb9af2769e673628419200a7a664d9bbd674 discovery spyware stealer
Link:
https://tria.ge/reports/210907-dcq8csehck/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
75af7e02548ac9294f7b5347217aaa69929a09fb686799773f2f351a6bed40a0
MD5 hash:
d7e90eb53a58a90466df7ebe10effa7c
SHA1 hash:
db397a56d2ba3cbf636c00918f5f00a9e39948de
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/316d268b-9502-499c-b0eb-e9c7628fc8ed/
Parent samples :
79b7e7782e42b5f430376e19030734b7deb49e0f63518ead529ca44baa4a1dbb
3ac907666cd098c57466e50c72a24fa6b09456b3a52f19ede8b72d183f41e74e
647ff6bf6f905c771a13ed6b0d5fdfe0b7c418559b7e59d27bfdc9935ef3e056
fe6b9287daf0ad404a6084e26f793f9ec4187acfc414710a0ed5c9f562e8588e
SH256 hash:
647ff6bf6f905c771a13ed6b0d5fdfe0b7c418559b7e59d27bfdc9935ef3e056
MD5 hash:
fe375f70f5291985dbd2824649a36875
SHA1 hash:
169842fb7a123873f42c4e107d272fe65611d775
Link:
https://www.unpac.me/results/316d268b-9502-499c-b0eb-e9c7628fc8ed/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/647ff6bf6f90/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/647ff6bf6f905c771a13ed6b0d5fdfe0b7c418559b7e59d27bfdc9935ef3e056

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 647ff6bf6f905c771a13ed6b0d5fdfe0b7c418559b7e59d27bfdc9935ef3e056

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1598406/
Cape
Cape
https://www.capesandbox.com/analysis/185784/

Comments


Avatar
zbet commented on 2021-09-07 02:51:52 UTC

url : hxxp://185.212.47.137/blog/upload/nbfile.exe