MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6
SHA3-384 hash: c13fb26645e329d0d666a59b0ad28b19391627d9a14a4c0b21f884184b7015787447aa4da9054dddb9dae084de33bd4a
SHA1 hash: 43eea26d29d73cdb3738ab7638cecd541cf66f33
MD5 hash: 8868027f8fd74497aed4e368e30b8969
humanhash: undress-oscar-magazine-march
File name:gzQ1.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:574'464 bytes
First seen:2021-10-13 17:51:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9d1f1739ab48fbfe7c7128688524302 (3 x RaccoonStealer, 2 x Smoke Loader, 2 x DanaBot)
ssdeep 12288:+Kxiy4uxtgq4fegTMWkSWqCUfFpFzqcMh1p1BOruaXu:Ay4uxo2gwBUpFzqccer
Threatray 3'773 similar samples on MalwareBazaar
TLSH T107C4D110A7E0C035F1F726F84DBA9769A92E3EA06B2494CF63D516ED4634AE1EC30357
File icon (PE):PE icon
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter Anonymous
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gzQ1.exe
Verdict:
Malicious activity
Analysis date:
2021-10-13 17:49:10 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/30872228-ecad-46c6-9c1e-d3c5707d9812

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197339/
Detection(s):
SecuriteInfo.com.Packed-GDT8868027F8FD7.24838.24806.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61671c8c9fb4d8593d63e0ac/reports/2c6aceb1-b0c2-4510-9203-4341adb5909b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0dcca8da-6988-4536-bdb5-138442bc9611
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/869954
Signature
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-13 17:55:05 UTC
AV detection:
18 of 34 (52.94%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6k2mvtbmmlbah6mbtg4rrvactn3zmkdraw5hha6jvg4mhdcso3a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
35cd41eed1dcc9629dbf360fbea09f8406ec25061fa73643d0c7f6d82bf3ffc3
RaccoonStealer
58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54
RaccoonStealer
678f03e1574817fdf555ebe8701534034315d008addfb0dd7aac8fd35d17e855
RaccoonStealer
7c21b1b5f71348d4cf42b5ea75b24ea009e86dfae75f8c65d0b62f069863e130
RaccoonStealer
8969003beb2ed864e1cb6d3518bec42cd1c7fe68f7990f629547b9c1f817f4b9
RaccoonStealer
8e0bf87628ea9c37fd9a0ca40fbbac0bf8d219f2f514efad2f63e0ba90cf7dd4
RaccoonStealer
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
RaccoonStealer
c0612b6bbada59f17891c503ed8c50b09933e7a2c37ffb05bf8de5003e3457ce
RaccoonStealer
fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327
RaccoonStealer
+ 3'763 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9cade3d47cb2ad80ea2cf3f79ef2e146289fc8fd stealer
Link:
https://tria.ge/reports/211013-we7bgaehd4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
d2cb8e11b32a7a0a85fba342da46dab8a44512e3879b3bb5e52cf09d30e64042
MD5 hash:
1eb6d0d84a00181ee63316d15c6746da
SHA1 hash:
7346b38261bdf43e166be1944e547f297aa4ebcc
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/023e8646-ec2c-4673-88c8-b5c83e9d265f/
SH256 hash:
8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6
MD5 hash:
8868027f8fd74497aed4e368e30b8969
SHA1 hash:
43eea26d29d73cdb3738ab7638cecd541cf66f33
Link:
https://www.unpac.me/results/023e8646-ec2c-4673-88c8-b5c83e9d265f/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8795a6566163/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 8795a656616316101fcc0ccdc8c6a014dbbcb143882dd39c1e4d4dc61c6293b6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197339/

Comments