MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4731e3513e054f55bbaeff16aab89bea6e7ae675a5607e38bf2f883d4ab657a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4731e3513e054f55bbaeff16aab89bea6e7ae675a5607e38bf2f883d4ab657a
SHA3-384 hash: 923b9397d2aec120d6ad6e4301e9634301773071f9bfe9556b85be08b0137bfef09957ad159bc1fa650f24a3457bf569
SHA1 hash: 7428fad5ba9490e09faf56eeae4b77f9f0d24873
MD5 hash: 06de2e0ace55ea7d2851585de90b3145
humanhash: zebra-arkansas-hydrogen-illinois
File name:06de2e0ace55ea7d2851585de90b3145.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:655'872 bytes
First seen:2021-10-14 06:09:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6914b510638d71b110829c8d3f3435fd (3 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 12288:Sy3eZASqYaIWxk1rveLVV0qYqA8Hj4SXnUmHFCQejTw/+:z3eZASqmYk4ptFA8Hj4LmsQh
Threatray 3'783 similar samples on MalwareBazaar
TLSH T1BAD4E100A7A0C039F5F722F44A7A9368B93E7EA16B2894CF52C51BDE46349E1ED30357
File icon (PE):PE icon
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GPS.Time.and.Test.v1.03.00.keygen.exe
Verdict:
Malicious activity
Analysis date:
2021-10-13 11:56:58 UTC
Tags:
evasion trojan rat azorult stealer fareit pony loader opendir redline vidar danabot
Link:
https://app.any.run/tasks/ab3fa179-1041-4ed6-9159-15c36c7f60a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197422/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed racealer stop
Link:
https://www.filescan.io/uploads/6167c9befd35fe780c3f3af3/reports/bced5d5f-da05-4e54-b72f-a63dd5a5e719/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60dff7a1-e6a2-40d8-81f3-71343b93ed9c
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870217
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 502645 Sample: 6GKjXSaJ8E.exe Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 33 clientconfig.passport.net 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 5 other signatures 2->47 9 6GKjXSaJ8E.exe 2->9         started        signatures3 process4 signatures5 49 Detected unpacking (changes PE section rights) 9->49 51 Detected unpacking (overwrites its own PE header) 9->51 53 Self deletion via cmd delete 9->53 55 4 other signatures 9->55 12 6GKjXSaJ8E.exe 80 9->12         started        17 backgroundTaskHost.exe 35 22 9->17         started        process6 dnsIp7 35 5.181.156.229, 49686, 80 MIVOCLOUDMD Moldova Republic of 12->35 37 teletop.top 12->37 39 2 other IPs or domains 12->39 25 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\...\ucrtbase.dll, PE32 12->29 dropped 31 56 other files (none is malicious) 12->31 dropped 57 Tries to steal Mail credentials (via file access) 12->57 59 Self deletion via cmd delete 12->59 61 Tries to harvest and steal browser information (history, passwords, etc) 12->61 19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4731e3513e054f55bbaeff16aab89bea6e7ae675a5607e38bf2f883d4ab657a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-13 10:15:45 UTC
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rzr4nit4bkpkw5257ywvk4jx2toplthljlapy4l6l4ihvflmv5a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
354efc97e4a680e6b6fceb03d31ead926205efda8d5e0f28abe1c3381aa1991a
RaccoonStealer
7cd0e04ae6cb26444707130e0d56860e56345c9a2153078621eb7bd511ed1f29
RaccoonStealer
89b3ed9d4b3daa09b18db0ee62d8c7b652f3101299a6fc9ca0245bb6a6ded9b9
RaccoonStealer
9fbc2a32b58c53043d6697e93642837cd2b6ab5571794149736741a4ed208a9f
RaccoonStealer
ad7a43d349196fcd55f26cafda2ed1907288aff6200e0348718cdc94373d84b9
RaccoonStealer
af37877133e6e656c670126e562f53e50be8867239e7e0b2beb88072ec6ea76e
RaccoonStealer
e55b2c5d2e4903c916a6b6982b7f0030ad4a4a3e0c1d3f8969e6646dafbb3c35
RaccoonStealer
f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5
RaccoonStealer
fcd4fec8c6c38b2ddcf5d018d8ae08a80a495477f2618b825d70820354fcbfd1
RaccoonStealer
+ 3'773 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:8b1cccc4d9c4808469e507e47787671255de6bf2 stealer
Link:
https://tria.ge/reports/211014-gw2pzsgbfp/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Raccoon
Unpacked files
SH256 hash:
5fb2ccb5eb80b63b8c4f4a164fdbb5cf1c87371392f57db2bcd869234f1d7d3f
MD5 hash:
cda6f6568278d720e0aa3cb2dd46345a
SHA1 hash:
4ec489e22b4d46d74448e5e2205d14f6370b7b83
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/2f37397f-7703-48f2-a21e-ba0c1c10fc9c/
Parent samples :
63d9d211e1fae3e169ecd91e81e7ce5f10c43c35a2194340cbd85341dc323c4f
f4731e3513e054f55bbaeff16aab89bea6e7ae675a5607e38bf2f883d4ab657a
SH256 hash:
f4731e3513e054f55bbaeff16aab89bea6e7ae675a5607e38bf2f883d4ab657a
MD5 hash:
06de2e0ace55ea7d2851585de90b3145
SHA1 hash:
7428fad5ba9490e09faf56eeae4b77f9f0d24873
Link:
https://www.unpac.me/results/2f37397f-7703-48f2-a21e-ba0c1c10fc9c/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f4731e3513e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4731e3513e054f55bbaeff16aab89bea6e7ae675a5607e38bf2f883d4ab657a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197422/

Comments