MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f7f3c52fd2bf69c352bf106234604ab15c17ffb950b52fef6c8037ef6510ebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 15



SHA256 hash: 7f7f3c52fd2bf69c352bf106234604ab15c17ffb950b52fef6c8037ef6510ebf
SHA3-384 hash: 9afc44601b8b78f6af277e02f909ad32266c2d3d8a046fb818996025dcc4a77bfdc7402d6e61f5f45e55cdead9c13d56
SHA1 hash: d050298780fcd8cf2df8ceda6ff3679d215705fa
MD5 hash: cdc6bab4601759945245a503623d9379
humanhash: spring-cat-illinois-golf
File name: cdc6bab4601759945245a503623d9379.exe
Signature: RaccoonStealer
File size: 521'216 bytes
First seen: 2022-03-16 11:00:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash ec534fb98de7e8c1f3b452dd02a2ecf7 (1 x RaccoonStealer)
ssdeep 12288:oYtsBXeJiFq8EHHT/Efk0Z433UoNhiqw+G8GHX299r:ZCeJcFqMfvW3liqq
Threatray 6'003 similar samples on MalwareBazaar
TLSH T18BB4E010BAA0D035F4B716FC09B59369693F7EA16B3895CF62D42ADE56346E0EC3130B
dhash icon 2dec1378319b9b91 (22 x Smoke Loader, 16 x RedLineStealer, 7 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer
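Before analysing a file downloaded from this entry it is worth confirming that it is the file the entry describes. The following is an added example, not MalwareBazaar's own tooling: it streams the extracted sample through the four digests the entry lists (MD5, SHA1, SHA256, SHA3-384), compares them and the file size with the values above, and fails if any field differs. ssdeep, TLSH, imphash and dhash need third-party libraries (ssdeep, py-tlsh, pefile and an image library) and are not checked here; the path argument is whatever you saved the extracted sample as.

```python
"""Check that a file pulled from MalwareBazaar is the sample this entry describes.

Added example, not MalwareBazaar's own tooling. The expected digests and size
are copied from the entry above. Only hashlib-computable digests are compared;
ssdeep, TLSH, imphash and dhash need third-party libraries and are left out.
"""
import hashlib
import sys

# Identifiers copied from the MalwareBazaar entry for this sample.
ENTRY_HASHES = {
    "md5": "cdc6bab4601759945245a503623d9379",
    "sha1": "d050298780fcd8cf2df8ceda6ff3679d215705fa",
    "sha256": "7f7f3c52fd2bf69c352bf106234604ab15c17ffb950b52fef6c8037ef6510ebf",
    "sha3_384": "9afc44601b8b78f6af277e02f909ad32266c2d3d8a046fb818996025dcc4a77bfdc7402d6e61f5f45e55cdead9c13d56",
}
ENTRY_SIZE = 521216  # bytes, as listed on the entry (521'216)


def _new_hashers():
    # hashlib knows all four algorithms under exactly these names.
    return {name: hashlib.new(name) for name in ENTRY_HASHES}


def digest_bytes(data):
    """Hash an in-memory blob. Returns (size, {algorithm: hex digest})."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return len(data), {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Stream a file once through all four hashers so a large sample is
    never read into memory in one piece."""
    hashers = _new_hashers()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def compare_with_entry(size, digests, expected=ENTRY_HASHES, expected_size=ENTRY_SIZE):
    """Field-by-field comparison against the entry. Every value should be True;
    a single False means the file on disk is not the one this entry describes
    (wrong download, truncated extraction, or a different build)."""
    result = {
        name: digests.get(name, "").lower() == value.lower()
        for name, value in expected.items()
    }
    result["size"] = size == expected_size
    return result


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <extracted-sample.exe>", file=sys.stderr)
        return 2
    size, digests = digest_file(argv[1])
    verdict = compare_with_entry(size, digests)
    for field, ok in verdict.items():
        shown = digests.get(field, str(size))
        print(f"{'OK ' if ok else 'BAD'} {field:8} {shown}")
    return 0 if all(verdict.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_sample.py cdc6bab4601759945245a503623d9379.exe`; a non-zero exit means at least one field did not match. Checking the size as well as the digests catches the common case of a partially extracted archive before any hashing is interpreted.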


abuse_ch
RaccoonStealer C2:
http://91.219.236.133/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://91.219.236.133/ | https://threatfox.abuse.ch/ioc/395444/
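One practical use of the indicator above is to sweep existing proxy logs for contact with the C2 address. The following is an added example, not part of MalwareBazaar or ThreatFox: it reduces the URL indicator to its host and matches that against the destination of each request, so a request to any path or port on 91.219.236.133 is still found. The log lines are constructed in Squid native access.log format for illustration and are not real traffic; the indicator and its ThreatFox reference are the ones listed above.

```python
"""Match the C2 indicator from this entry against proxy logs.

Added example, not part of MalwareBazaar or ThreatFox. SAMPLE_LOG is
constructed for illustration; IOCS is copied from the entry above.
"""
import re
from urllib.parse import urlsplit

# IOC -> ThreatFox reference, copied from the entry.
IOCS = {"http://91.219.236.133/": "https://threatfox.abuse.ch/ioc/395444/"}

# Squid native format: time elapsed client code/status bytes method URL ident hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample, not real traffic: two requests from one client to the
# C2 address and one unrelated request.
SAMPLE_LOG = """\
1647428440.123    210 10.0.0.17 TCP_MISS/200 3120 GET http://91.219.236.133/ - HIER_DIRECT/91.219.236.133 text/html
1647428441.456    120 10.0.0.17 TCP_MISS/200 1024 POST http://91.219.236.133/ - HIER_DIRECT/91.219.236.133 application/octet-stream
1647428445.000     30 10.0.0.22 TCP_HIT/200 5120 GET http://example.com/index.html - HIER_NONE/- text/html
"""


def request_host(url):
    """Host part of a proxy-log URL. CONNECT lines carry host:port with no
    scheme, which urlsplit only parses once a leading '//' is supplied."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def ioc_hosts(iocs=IOCS):
    """Reduce URL or IP indicators to the hosts to look for."""
    return {request_host(ioc): (ioc, ref) for ioc, ref in iocs.items()}


def find_ioc_hits(log_text, iocs=IOCS):
    """Return one record per log line whose destination host is an indicator."""
    wanted = ioc_hosts(iocs)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-Squid line
        host = request_host(m.group("url"))
        if host in wanted:
            ioc, ref = wanted[host]
            hits.append({
                "line": lineno,
                "client": m.group("client"),
                "method": m.group("method"),
                "url": m.group("url"),
                "ioc": ioc,
                "reference": ref,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['method']} {hit['url']} "
              f"matches {hit['ioc']} ({hit['reference']})")
```

Matching on the host rather than the literal URL is deliberate: the entry lists the bare root URL, while the traffic a stealer actually generates carries paths and may go over CONNECT on a different port, and the internal client address is the value an incident responder needs from each hit.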

Intelligence


File Origin
# of uploads: 1
# of downloads: 229
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Sending an HTTP GET request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Raccoon
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Azorult
Status:
Malicious
First seen:
2022-03-16 11:01:11 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Result
Malware family:
raccoon
Score:
  10/10
Tags:
family:raccoon botnet:d7ce4d2837ba5349afb5f48e90638edf69cc105c stealer suricata
Behaviour
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
Unpacked files
SHA256 hash:
9346737e021e33ce3e26ee78d0f0b81d1953df796a8cfb7e72462904e7d77a41
MD5 hash:
050da13d3ffd1b40b9015b91e78eb000
SHA1 hash:
d1e38ac0a4dd405d05c9e2bfdb4265d99e0732bc
Detections:
win_raccoon_auto
Parent samples :
70e8ad5e62ee2b742b069521615bfaa6ac61833dc927e8ab42bafff9d7952ac0
2d892b56e76a69ef962a15c7a1ef782d985f67647df2042ae61b6711b3376fbf
ccae525e68a279ad432d07a3e1ea6f2d89bb68bd73de544d6c44b3689a185d15
2fc3db47fe48b58c950b7bfd18d8b80e7ffa48035fa0be7e096d7b593c64edbc
06fbcededd23e7e7661fa0f39f696c26e9cd0115794c643571e28392a80502a2
5814d20dbc9b644dfa95a37e4420cb24571d0a50901fa5d4efff5ed02a695dff
a07c5c4122a2dff00a982499b7670fb48e63ba7fb70513f558c7190433c3da92
deb97bc395ff6094d13bc755490be6623079b20e0bffe9f9f616235adc9a7058
eb0939480d699a6648c4ac4155ed712520c6189f4fc6ef12e96b4aef333709f3
45445917d028a58b822aae22e260fb94d2d5bee3ec98431fcda50d845cff3f78
15d7ae1cabcdd1d0c95557bd19005062c116f43e6d3240bbd99829b65993ae2e
a47a73867e96ecc583bd089b8b352d0c0ed7e85c2ca9dccf5627b7d1bee1e416
95ff9f24e1ea61cff965288ab817e57d8ea0a18a6669606828f503df8fd39fe8
3812779d7e6bfcedc29e53edcb53c94a9770171f05b6f1a11146cc4e82f77e56
5e2c211900e145c9aad6d6970858eebbadf07ea9cfb517deae7e5edc66e41cb4
2ff1b440f954bf8779f8c0ddfc88bb6fc0e095bd176ad4606f81d006a8634d3f
9eb980a3a65d550661eea3c2de5c763af6993f4da16ffc0aa80202a48748d231
50a1e08f353094c0a19b84ea61f13d39e7c3e9731269c35fd05844cff198071f
27493ca87c0d633bb9b3aace9664110c1a54cb56fd11d9fceae21f2b370de9cc
2eef8577617e660b457890db4c6c8b914508725fd7dba90a47708ae9629fd51c
00f6bff1ff217479f31a0f7e95079e836d5db24e06dfeb10eb907019e80d52a1
804cc9e39d3a85a238d99b929bb7a3b00bca29b9945e2909aaa7f2941dff10b4
7f7f3c52fd2bf69c352bf106234604ab15c17ffb950b52fef6c8037ef6510ebf
e7562731506bfbb2d6dfbe57d290cbda3b5497aab0c16a6a405e23f7b23f43de
SHA256 hash:
7f7f3c52fd2bf69c352bf106234604ab15c17ffb950b52fef6c8037ef6510ebf
MD5 hash:
cdc6bab4601759945245a503623d9379
SHA1 hash:
d050298780fcd8cf2df8ceda6ff3679d215705fa
Malware family:
Raccoon v1.7.2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 7f7f3c52fd2bf69c352bf106234604ab15c17ffb950b52fef6c8037ef6510ebf

(this sample)

Delivery method
Distributed via web download

Comments