MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b
SHA3-384 hash: 59c538addba913cdadb9fc552fc83fcb57e0e742eb7705672f050848bd51f0179ff8ea62a70f522bbf19ac9486572aea
SHA1 hash: 5aa29b8d053529e1fbb6ec43a56f4462f7e8458f
MD5 hash: f138a83d95414302c7d7c5238c192717
humanhash: three-robin-timing-magnesium
File name:f138a83d95414302c7d7c5238c192717.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:493'568 bytes
First seen:2021-11-08 08:04:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 80ba2861c278646549335a754dc96d41 (1 x RedLineStealer, 1 x Smoke Loader, 1 x RaccoonStealer)
ssdeep 12288:zk1uymgaN79s75it4aRpfQpfg+2KDSunnjZw:4hmRsg2aTopzBD9jZw
Threatray 4'098 similar samples on MalwareBazaar
TLSH T12BA4F17876A9C830D5E34E704938D6A41677FC42A530944AE398B76E3E70F8C49E636F
File icon (PE):PE icon
dhash icon a3bcdcac9cccb48c (4 x RedLineStealer, 3 x RaccoonStealer, 1 x DanaBot)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/203171/
Detection(s):
Win.Trojan.Generic-9906289-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6188da3243a4f7480913040d/reports/eb33ce2b-78d2-4d22-a228-3b40a29eaa7f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d65b8242-0263-4688-a219-0a2cf2a7c0db
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885046
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found detection on Joe Sandbox Cloud Basic with higher score
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-11-06 23:34:51 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w6u53yemgaivc4dekcjuxekl7w577z3uhbdvkhong36b4v4amuvq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
3bd87df107b7f796664419c54716ea4dc9a2c6a4b34efa85eb1eb75f6458b13b
RaccoonStealer
3d3bdfa63f14658e164027af06ac4728891f5025fadddac2f2f6debb4021d531
RaccoonStealer
545e5ac7b0c4568049dd33037de46e8a006845563bda516818ad4e4464d580fe
RaccoonStealer
71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a
RaccoonStealer
8136e992f634fec74c2c923edc4cf43ab8601dd3dc229bb3fde7d798e644beae
RaccoonStealer
8f4d56c333b5b0b743a6dcdc6d6954adfdde2fc5219b8c45987202445ecdfc9c
RaccoonStealer
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
RaccoonStealer
b7b037355cc6e9dc7f9c665f1ea987bafed82a4825409a5d05cde15c6d243dff
RaccoonStealer
dded956a99823dc3d87aafa2764e9a561eb9df6b571251f118468052143d76cc
RaccoonStealer
fc6b841e6c753eeebf0d7cc8820cd3c6fcbeb40fc4d2c4d9a8bf9d3f0907fb76
RaccoonStealer
+ 4'088 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:243f5e3056753d9f9706258dce4f79e57c3a9c44 stealer
Link:
https://tria.ge/reports/211108-jyvqkaggap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
181bbb28e9335af8d92e0faf0da7ae19ad664f9c855841d6bc89d73f3d125027
MD5 hash:
a5a90453b002438070f319627cfe374e
SHA1 hash:
65adabe7ea17a30c6a701abe3515bd2ca8ff6757
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/dbc0a821-8510-4650-ba98-e18b575b3f91/
Parent samples :
6373657d8707b7051ba7f51ad64cf4f609fa9f3f724767d90c6c925d68b19f5f
406e554133aaa471bbb6fee0d5de06a937a53073d2a97117a768612388bdeefd
51ec139872ee667e1b93e579dec1f76ca58aad1da36e5f4ca331100a34cc1e9d
18766c4e4e8161f71cfcb98a700ad53866a75d29fb67898e866e0bbc0d95bba8
b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b
0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af
596e838294aa3618fd5a6e8d71ae615f549a9df857745c41515134f748f68ef3
SH256 hash:
b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b
MD5 hash:
f138a83d95414302c7d7c5238c192717
SHA1 hash:
5aa29b8d053529e1fbb6ec43a56f4462f7e8458f
Link:
https://www.unpac.me/results/dbc0a821-8510-4650-ba98-e18b575b3f91/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b7a9dde08c30/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/203171/
  
URLhaus
https://urlhaus.abuse.ch/url/1738451/
  
Delivery method
Distributed via web download

Comments