MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
SHA3-384 hash: b9cc0265f942f5856358c85ea2c40dc6b51e051036f06222a666bc94355c921475a5f54fd2bad4f5f390d0071a0d8c43
SHA1 hash: 38b6cb2df02bc5f30ffba196e8193c9e64d51b34
MD5 hash: 52c2647b81e20a75e6c6fb99c81ca6f8
humanhash: missouri-mountain-pluto-oven
File name:52c2647b81e20a75e6c6fb99c81ca6f8.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:541'696 bytes
First seen:2021-04-15 16:23:26 UTC
Last seen:2021-04-15 17:00:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e05089ebdc79f6153676cb08f724c74b (4 x RaccoonStealer, 1 x RedLineStealer)
ssdeep 12288:kRv06W2GfVZNz9eq55254AKDQkrCsFrcI/mIVHdfOqHK:MvO26VZNzoovAK8hs1gIJfq
Threatray 718 similar samples on MalwareBazaar
TLSH 79B4F11136D0C0B3C493287A9129CBB45DBEB4315A69194F7BC81FFD2F297E2A72534A
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52c2647b81e20a75e6c6fb99c81ca6f8.exe
Verdict:
Malicious activity
Analysis date:
2021-04-15 16:26:10 UTC
Tags:
trojan stealer raccoon evasion loader
Link:
https://app.any.run/tasks/12b113e3-2710-4902-841b-22cc3cd9cd8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/135289/
Detection(s):
PUA.Win.Adware.Strictor-6840778-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% subdirectories
Creating a service
Launching a service
Loading a system driver
Enabling the 'hidden' option for recently created files
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/679284
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 16:24:09 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppvmztkk64qigjzdiqxzv6xhprjasx7vteg6cnjlwouk4eczgbha._file
Verdict:
malicious
Similar samples:
1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
RaccoonStealer
2aab7a13f9d2f77601b7a8228b976e02fe1960b1eaf6669f12e646e10ced6ca3
RaccoonStealer
362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5
RaccoonStealer
599393e258d8ba7b8f8633e20c651868258827d3a43a4d0712125bc487eabf92
RaccoonStealer
5f3507cbeaeda2b6fa6b1144782f45f17c274d30fba40fa1ee9b302496242265
RaccoonStealer
ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28
RaccoonStealer
c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586
RaccoonStealer
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
RaccoonStealer
d4e27b8e7e1fd965522468bdc3eaf06513dd3a3e7402d9b441ab002dfc892adc
RaccoonStealer
f213aa18c565dfcb1b7637901b57b6baa6f0d3515b3c601797b418d3d8ff5e2e
RaccoonStealer
+ 708 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:xmrig botnet:72e93d05320823f6fd0af18c9cd86188d0bd144a discovery miner spyware stealer
Link:
https://tria.ge/reports/210415-edhv7lt6xa/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
XMRig Miner Payload
Raccoon
xmrig
Unpacked files
SH256 hash:
4f0a07f2dd383171707bf4234a151c99fea73121432f04306bfb32cd6ed89f26
MD5 hash:
63ddedb3a84c32628e118bf1f63f8b7f
SHA1 hash:
e3ea3980141b8d1a39b9d22c7ba273ec70943562
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/18dbe77c-cb0c-4fa7-b5c2-8492463ebc80/
Parent samples :
1cf375fc2caa68f520a626542f6b285bcd8ad66f93cac008bd9d2226e5641fcf
7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
SH256 hash:
7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e
MD5 hash:
52c2647b81e20a75e6c6fb99c81ca6f8
SHA1 hash:
38b6cb2df02bc5f30ffba196e8193c9e64d51b34
Link:
https://www.unpac.me/results/18dbe77c-cb0c-4fa7-b5c2-8492463ebc80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:susp_winsvc_upx
Create hunting rule
Author:SBousseaden
Description:broad hunt for any PE exporting ServiceMain API and upx packed
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_servhelper_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 7beacccd4af720832723442f9afae77c52095ff5990de1352bb3a8ae1059304e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1121005/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/135289/

Comments