MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b
SHA3-384 hash: 3e282b26ca9727230971320e49c9697c5d396ee60245dddca59e529af66564f0e2e18a207136032eff81dc4979077ea4
SHA1 hash: 10d85131030b8f877611ced86f43aa6c76d56ee8
MD5 hash: 76c57e31eba482ee443cc7c797ea3f15
humanhash: nuts-oranges-blossom-chicken
File name:Neue Bestellung 09001.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:429'568 bytes
First seen:2021-09-27 12:23:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c35a586724819b3ee29e3eb7a1df83e7 (5 x ArkeiStealer, 3 x Smoke Loader, 1 x RedLineStealer)
ssdeep 6144:YpG5dPE88SRJgH0z1eQrt728rIizmE4a0Sd1LlyYKH9HDX+mhOlMfjmWYwOc:64PE8ZRO1UJ7zmoL7hxSSW9
Threatray 3'307 similar samples on MalwareBazaar
TLSH T1199412AEB940C1B5D0479D3489298651A13AB8E63D6DDF47FF903BEB2D322C1582B347
File icon (PE):PE icon
dhash icon a790b8fa9ada98b1 (1 x RaccoonStealer)
Reporter ffforward
Tags:exe Raccoon RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
822
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Neue Bestellung 09001.exe
Verdict:
Malicious activity
Analysis date:
2021-09-27 12:26:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e1c969c-e8b0-49bc-b24e-d45a3203fc86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192065/
Detection(s):
Win.Packed.Generic-9897127-0
Create hunting rule

Win.Packed.Generic-9897302-0
Create hunting rule

Win.Packed.Generic-9897371-0
Create hunting rule

Win.Packed.Generic-9897384-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0fe260c-a259-4691-9d98-d110beebd07e
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858946
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 10:58:30 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbbwmnfi6ru7ym4me4mtfbaptysvkbidetcdfmzzqechqr3i2ynq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
237c6adb7012050c271ed33932bbd6a18a86dc18ace5841b5c0d52f3fe79dcc1
RaccoonStealer
28a1d5fa2dc4e99192f634223cd08d146980534b6f51b36842a2d7c471868fd8
RaccoonStealer
2a410380d53c1470b12627d31896ba071df1ddbccfb23bf6875016db92e13689
RaccoonStealer
4a1a1c30c4af89809f10fee23f239f2c591efd4fbd80e55a016c4cc88b762c71
RaccoonStealer
4a6434d66a30ccd95a6c269ba54133d0cade8eb565cd7fd6582abeff8a02a3fc
RaccoonStealer
726b323eb5c1c2ae7928f60d7002b3b63b4a69158347686d17789eb0e86fd768
RaccoonStealer
7cfa34e7f6ea3ee53ef9911983581f2c8865363d1e8de9d40ea42775de0f9e7e
RaccoonStealer
93ba1d3d5ea0f821f84ee02b34b65c3768098b5dfc84022a92f79db5a18f2411
RaccoonStealer
97c45c628bfc648cbde5dec7a4386c3222434516caedad7e34272188156dd879
RaccoonStealer
e206cdfadd769d8506f7dde22b1a3277075506810b455f491ff08fd42707a0a0
RaccoonStealer
+ 3'297 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1ea547c0a567138950af900718b7747d9f51d0cb discovery spyware stealer
Link:
https://tria.ge/reports/210927-pk2vlsghg8/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
34f59f9e637e7b4cd7354402c127fa06a9b363da8aa44fd8eac77b1251d1a068
MD5 hash:
5e18f789dc606adf5de9be92fb74296b
SHA1 hash:
a7937de9a889890564da83bc5d3c18aad47c8299
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/df917913-3b54-46f2-91a1-4b299c454e7e/
Parent samples :
78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b
b66ffdb7174f4c240e016033010d29a21ef2e083a62afe6275bf6bf9027b28c7
a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a
694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab
04e0c80f6ace3e8e01913bf43cce4d4ee8f01f42566fbac36b3e07fa8f8239ee
f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730
SH256 hash:
78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b
MD5 hash:
76c57e31eba482ee443cc7c797ea3f15
SHA1 hash:
10d85131030b8f877611ced86f43aa6c76d56ee8
Link:
https://www.unpac.me/results/df917913-3b54-46f2-91a1-4b299c454e7e/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/78436634a8f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RaccoonStealer

Executable exe 78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/192065/

Comments