MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7242d808b6dd1f25322513d2caa725c24c9f644b77cf29147574866aa9877f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 12



SHA256 hash: a7242d808b6dd1f25322513d2caa725c24c9f644b77cf29147574866aa9877f2
SHA3-384 hash: 4eb5100618007e92c584092b205be925b61e7906ce78c370e3488da422e5cc8ff8bc41427378363bab2917828fb380b2
SHA1 hash: 06be0427ad30d0bc8bfc6e37ebd887a6efd5b619
MD5 hash: 23a092fca8b369ae559bf6899f94d64f
humanhash: venus-quebec-winter-michigan
File name: 23a092fca8b369ae559bf6899f94d64f.exe
Signature: RaccoonStealer
File size: 535'552 bytes
First seen: 2021-08-22 03:40:24 UTC
Last seen: 2021-08-22 04:59:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 87931c028561c299d538d462f4889ea0 (7 x RaccoonStealer, 7 x RedLineStealer, 2 x Amadey)
ssdeep: 12288:wd9qInAQubF55bePyQVDoeZyAj03eY1vWhPQnx3V1WCqp:snrup4tVdZyc0JRXxSp
Threatray: 2'721 similar samples on MalwareBazaar
TLSH: T168B4D020B6A0C138E5F711F4897DE3A8692D7DB16B3094CB62CA26ED56372E4DC30797
dhash icon: ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
194.26.29.184:8888

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 194.26.29.184:8888
ThreatFox reference: https://threatfox.abuse.ch/ioc/192543/

Intelligence


File Origin
# of uploads: 2
# of downloads: 128
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 23a092fca8b369ae559bf6899f94d64f.exe
Verdict: Malicious activity
Analysis date: 2021-08-22 03:43:06 UTC
Tags: trojan stealer raccoon loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Sending a UDP request
Running batch commands
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-08-22 01:00:42 UTC
AV detection: 26 of 27 (96.30%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 discovery spyware stealer
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SHA256 hash: 5dca9ace1e4653b9ecf1230d82ac264a95cedc3cae84293dab0c27aed4bc61ce
MD5 hash: 957f1f62f315614de9ae470d59cdc704
SHA1 hash: 005b508e4cf798e180c7b92c7061ed3f3ead0d42
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: a7242d808b6dd1f25322513d2caa725c24c9f644b77cf29147574866aa9877f2
MD5 hash: 23a092fca8b369ae559bf6899f94d64f
SHA1 hash: 06be0427ad30d0bc8bfc6e37ebd887a6efd5b619
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RaccoonStealer
File: Executable exe a7242d808b6dd1f25322513d2caa725c24c9f644b77cf29147574866aa9877f2 (this sample)
