MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34
SHA3-384 hash: 9a74b2f611f6cfd86dab235cddf1a859d48d3174a78b601cc8e44bf6fec11ee6d620e14c876fe77be3c0e91d52d60e26
SHA1 hash: a56155c14698877c4e7b2fc0be0e1029c526f0ea
MD5 hash: beb1cb1485bb76422cab050e1775911e
humanhash: idaho-mockingbird-mexico-saturn
File name:beb1cb1485bb76422cab050e1775911e
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:574'976 bytes
First seen:2021-10-14 01:53:00 UTC
Last seen:2021-10-14 03:09:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6914b510638d71b110829c8d3f3435fd (3 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 12288:DETe1Cz5tDMUE6kAvo8JR6DV3wLmpv36PmSOt:DNubDNWJ8aDymt6s
Threatray 3'778 similar samples on MalwareBazaar
TLSH T1F2C4D000B7A0C035F5F312F84ABA9768A93E79A16B3494CF62D515EE4734AE1EC31357
File icon (PE):PE icon
dhash icon aad8ac9cc6a68ee0 (34 x RedLineStealer, 14 x RaccoonStealer, 11 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
beb1cb1485bb76422cab050e1775911e
Verdict:
Malicious activity
Analysis date:
2021-10-14 01:55:58 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/4989abd5-2012-4bad-b8be-0c07171719ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197390/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.11577.31848.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed stop
Link:
https://www.filescan.io/uploads/61678d801c2d58ba7405a4b8/reports/50f291b9-228b-409c-aa9f-a5e1f8da7d18/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4e7f7aa-fb18-4409-9f47-1869f5cfd4d0
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870128
Signature
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-14 01:53:04 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6z5wtav32px4ntmq2f3qbjhlugzjkhkrqkwnldydeceai5olq2a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
678f03e1574817fdf555ebe8701534034315d008addfb0dd7aac8fd35d17e855
RaccoonStealer
8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6
RaccoonStealer
8969003beb2ed864e1cb6d3518bec42cd1c7fe68f7990f629547b9c1f817f4b9
RaccoonStealer
8e0bf87628ea9c37fd9a0ca40fbbac0bf8d219f2f514efad2f63e0ba90cf7dd4
RaccoonStealer
afa506dea7e88d3aa2ff4c2f58a21a91cf5d6ae5a00dea2cf482832d1613e37b
RaccoonStealer
c0612b6bbada59f17891c503ed8c50b09933e7a2c37ffb05bf8de5003e3457ce
RaccoonStealer
ca30cae9fee835a2a12b111864d52a15f92a5a8b0e6fa7ae189833654bff712e
RaccoonStealer
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
RaccoonStealer
fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327
RaccoonStealer
+ 3'768 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:d5409ff0a6e1879c131d0538d4a7343de16665ce stealer
Link:
https://tria.ge/reports/211014-cazlaafden/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4cfa61712bd241d59736cb4d832188336888319af650480daa4e68047761cb6a
MD5 hash:
9a1bf8e77355573d3d9656c681d43307
SHA1 hash:
ad6d65494330bb0ee497635bd0f63518692c6440
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/8f51cc61-be95-48b1-be9d-b56518973dda/
SH256 hash:
6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34
MD5 hash:
beb1cb1485bb76422cab050e1775911e
SHA1 hash:
a56155c14698877c4e7b2fc0be0e1029c526f0ea
Link:
https://www.unpac.me/results/8f51cc61-be95-48b1-be9d-b56518973dda/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6fb3db4c15de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1675905/
Cape
Cape
https://www.capesandbox.com/analysis/197390/

Comments


Avatar
zbet commented on 2021-10-14 01:53:01 UTC

url : hxxps://xrpevent.help/123.exe