MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed
SHA3-384 hash: 3982dab3f10c1b96b9297fd5f613b021165950586e2a5370982a7a2a7c39f031d786eb03631c3043ac0f6312b1c4968c
SHA1 hash: 22cf928095c5ab9f47ab9550bb77bdf5ab02261f
MD5 hash: 3b2e799284987bdd270aed41bdacd4bf
humanhash: march-december-magazine-quebec
File name:3b2e799284987bdd270aed41bdacd4bf.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:449'536 bytes
First seen:2021-03-25 14:49:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f2b79ad44db55e1b164ab787681beb97 (1 x RaccoonStealer, 1 x DanaBot, 1 x FickerStealer)
ssdeep 12288:KG49uPgj0z84xb0F5AgFxYy5BCRUmsm+:KlQgYJ2nFJ58Rl1
Threatray 689 similar samples on MalwareBazaar
TLSH A8A4011075F5C133D12366B644A2D6780A39FD718B2847CB3B902BBA6F376D24B3660B
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
https://adsgjuhsdgubhu4.xyz/

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b2e799284987bdd270aed41bdacd4bf.exe
Verdict:
Malicious activity
Analysis date:
2021-03-25 16:11:52 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/32f757bc-5ed9-4a91-81ba-0665961e0b5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Raccoon-9846892-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/654066
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed/
Threat name:
Win32.Backdoor.Tofsee
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 14:50:11 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wl2c4dcgrgg2kpfvfuwru736ukqjbmeeshelrgsocvopo63kxhwq._file
Verdict:
malicious
Similar samples:
40aa3ed3056a334717d50933026aace5847a379b8179178d00928ef1faf55f3d
RaccoonStealer
451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8
RaccoonStealer
596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f
RaccoonStealer
7ca4eb9602b54dd5a1003cc83c39d0cc07aeb041cf8be6562f656675a40e4ee8
RaccoonStealer
8c9604ea096cd0a680d183f1f9b2a53d2cce276c7d86efdf21d3dd6bffead1f5
RaccoonStealer
a9d0121ba9783e14f8ac72cce2cbce7e330d0b7f29e5311f497b86d286f2d5d1
RaccoonStealer
c8847cb9a99370589fe52fcf91b96bef170990a13fa1eb734c1550c4862537d4
RaccoonStealer
d3e7387c7a11a1f82b133b18bf2e3972617ecb3ea29e7366c93024d1fc4af6ab
RaccoonStealer
dcb02549ffe1d2212dbddc97bf48fc57965ca634ff30665cdeb085e60ae73690
RaccoonStealer
fac9410d22c0e26ebfb6aa70649656a38685924cfb37638f95f35eb46b0cb71a
RaccoonStealer
+ 679 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:4c7c6cf597b5fa028613f8c51bcd2db6414208cb discovery spyware stealer
Link:
https://tria.ge/reports/210325-4yq5r8jar6/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Raccoon
Unpacked files
SH256 hash:
6df2ca3686b4a74c1f5215e56c81fe052a5adec1d19e2025a4abca351114ff63
MD5 hash:
0aec77ac383380d2244f28c36d24ab2d
SHA1 hash:
a9e935c8657c3e3e6e8d9a1d40b378ecfc4b86dd
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/75c01a83-4287-4e2c-ad1a-0d212ad326b0/
Parent samples :
b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed
f8bf48e34c4002e07e7c57dc4eee52abe141b8a9cfb693325229f56cca507d40
27614f810715e1ac5987d10abdac7e101227f1ff49e470cd0fee680c604d672d
ab209ccc810ea02130fb171abe76d01ab1b63db0aa857fc4f769c9c0546a52d1
SH256 hash:
b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed
MD5 hash:
3b2e799284987bdd270aed41bdacd4bf
SHA1 hash:
22cf928095c5ab9f47ab9550bb77bdf5ab02261f
Link:
https://www.unpac.me/results/75c01a83-4287-4e2c-ad1a-0d212ad326b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:susp_winsvc_upx
Create hunting rule
Author:SBousseaden
Description:broad hunt for any PE exporting ServiceMain API and upx packed
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_servhelper_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1090511/
  
Delivery method
Distributed via web download

Comments