MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d
SHA3-384 hash: c621ce428b59ad4a6ee103ed6003c139ad5a9668027a7a2cfed24372c7bbca5b243e5d2b6edc1f48dc9f4595834f0e5c
SHA1 hash: 0569c7f782da8d6f2ed7a4e16818ab9ea6c432a6
MD5 hash: ee17b850393e1f3cf0704a408378d874
humanhash: snake-quebec-wolfram-vegan
File name:ee17b850393e1f3cf0704a408378d874
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:583'168 bytes
First seen:2021-06-24 02:26:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 924d9a2d7cc05ebebcdeae3f0201835c (9 x RedLineStealer, 2 x DanaBot, 1 x Smoke Loader)
ssdeep 12288:YrE9g/lgChDGRgyQWTLJ8Qb/Zj6vTYnwfuRVdQmwgfo:xg/lXqRj6cnwf0VdQ
Threatray 849 similar samples on MalwareBazaar
TLSH 1EC4D000A690C035F5F632F8967A9369AA2D3EB05B3450CF62D517EE5738AF4AC3171B
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ee17b850393e1f3cf0704a408378d874
Verdict:
Malicious activity
Analysis date:
2021-06-24 02:29:49 UTC
Tags:
trojan stealer raccoon
Link:
https://app.any.run/tasks/5690e81a-88d0-4fcd-b12f-4ddaed23ec5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Mokes-9872775-0
Create hunting rule

Win.Dropper.Ranumbot-9873033-0
Create hunting rule

Win.Malware.Generic-9873122-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67e7d7e6-7984-4aed-8ee4-82ff7ed1f68f
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807097
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 15:43:20 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
40 of 46 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qr5g5zab7d5lztjtydt5olth6jschls4ycc5nx43uv2xecxmpbgq._file
Verdict:
malicious
Similar samples:
08c430e1f712b8538ac261b7998af6c00f89bb75d273183dc563c54389a2fba4
RaccoonStealer
12f0a80b6374b38a3997a7ef4528f26ccbca664b26e48533e7d1f36c78da76f4
RaccoonStealer
313c10bb9543e370b3017177671899b850975eef576f643ca6648ecef512e114
RaccoonStealer
651adbad4b2e863da82c38b9014479348492d0e370fd928a797589873a45cb63
RaccoonStealer
9285a4e08b654a24a9e3f7f6d46b27203a48ae623ebfd1a4b1fc1e18ad9a1503
RaccoonStealer
a7bc9073cc389bccaa5d3f35cfd21554e7c9ccb52b1f10da67bcacb2177dccfa
RaccoonStealer
b7462d93582f61ae4d54bca04359eed4da1804772df8bcebe6723594b3dab2af
RaccoonStealer
d5c5e40afe4cda3f04420bd271612e8eedd17d2239f1f08f34b96911aad028b0
RaccoonStealer
dffc13d1cfcc907792273c3a9423844a659ef1ca31ea5bed0d09c1d4f5f58984
RaccoonStealer
f72a2fd77ccffec0e2c9bf4570895a48942135778325d52ca2996f54d26a45c3
RaccoonStealer
+ 839 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:74452b5cbc58563477e4a9e149f2093398530bbd discovery spyware stealer
Link:
https://tria.ge/reports/210624-44rw5jfvwj/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
4ee1f840b20430ca687665fba0e317a55e457af7260095940bd601d424c3c926
MD5 hash:
532a391e608d186ab4521bc929d81027
SHA1 hash:
1e069b0fa31069325ac66d95bcb4f5266be2fd32
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/c0e776e0-f581-43f3-8a94-269c9e6c17a4/
Parent samples :
847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d
aa80ec75a2bb08c54c2ee98f24ee9e7a872c682396cb825d209c3b457bf50bc5
SH256 hash:
847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d
MD5 hash:
ee17b850393e1f3cf0704a408378d874
SHA1 hash:
0569c7f782da8d6f2ed7a4e16818ab9ea6c432a6
Link:
https://www.unpac.me/results/c0e776e0-f581-43f3-8a94-269c9e6c17a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393334/

Comments