MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730
SHA3-384 hash: 4ac60d80d1cc6b673bf3781693bc15a3e338207f4417bc2c042b2aeacd777116256f6a23a7547196f2c148b4108f76c1
SHA1 hash: e8aaa0132a7020ada8d127e2418b272ed0fc7288
MD5 hash: 6c906bee2ed5bcc6590e2e7fb204ccea
humanhash: michigan-delta-kentucky-cardinal
File name:Neue Bestellung.scr
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:539'136 bytes
First seen:2021-10-06 19:02:38 UTC
Last seen:2021-10-06 19:44:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b53fbcd1371b756c61ce06a61be781ec (4 x RaccoonStealer, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep 12288:sKCkLlzlvhH3pmkhlPaXwuWzNjcMs5n0B19b:sK7lzH1hlPaXPWzCMdXV
Threatray 3'517 similar samples on MalwareBazaar
TLSH T152B4F11036B38BF6E52356703975D7A48B2AFD1D3931B18B3790766B2E39AE0C762311
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:DEU exe geo RaccoonStealer scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
360
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Neue Bestellung.scr
Verdict:
Malicious activity
Analysis date:
2021-10-06 19:05:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61ac7c91-eb6d-47f4-acfd-d286ed1269e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195530/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47121431.13339.4654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/862809be-010a-40fe-b25b-c4865b7b60d2
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865814
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 09:57:38 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dnstsckcenqwsfh4rmsvilwtwzkyjoqnfjtheqthvcphedoo4ya._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
04e0c80f6ace3e8e01913bf43cce4d4ee8f01f42566fbac36b3e07fa8f8239ee
RaccoonStealer
0ebf095d8bc7029868cd05f7ad20f51c324755881ade188d88ba8ed94d67f788
RaccoonStealer
0f3d1f1eafa140c32e246c12a7ccd5b6205526ad08be581e5f55b9179f19be5a
RaccoonStealer
2b2394b8ecbee2ffe037f5eb6912ce33e6a1800a7c2ab772d2136e55dcad5693
RaccoonStealer
3155e0baf18b8369f71e1cf4407774a78d13ae881a70c4083c02920354b4137c
RaccoonStealer
44bc3362221be1888156d1a7d5c29490a2c449d6cabe6766ecb6878500562057
RaccoonStealer
6ca5031ab0efac1fdc6d3b251072ea93e70d911067995cd367778bfffd2b45a9
RaccoonStealer
6f59f808e8e8d2a2d8f6c771ac2270800cd02abbc7ea4274b896e1b72143aab2
RaccoonStealer
8305a87ead1a68264f4d0f691a4314f86c3b2bdd909d01028219e0d480238cfa
RaccoonStealer
e9d0565443dbb2553948e2a89bb580a81470a00ac3108ecb1e67a5a121e9d65c
RaccoonStealer
+ 3'507 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1ea547c0a567138950af900718b7747d9f51d0cb stealer
Link:
https://tria.ge/reports/211006-xqc3fabeb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
34f59f9e637e7b4cd7354402c127fa06a9b363da8aa44fd8eac77b1251d1a068
MD5 hash:
5e18f789dc606adf5de9be92fb74296b
SHA1 hash:
a7937de9a889890564da83bc5d3c18aad47c8299
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c00ce80-4242-4576-8c62-32eeda376b35/
Parent samples :
78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b
b66ffdb7174f4c240e016033010d29a21ef2e083a62afe6275bf6bf9027b28c7
a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a
694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab
04e0c80f6ace3e8e01913bf43cce4d4ee8f01f42566fbac36b3e07fa8f8239ee
f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730
SH256 hash:
f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730
MD5 hash:
6c906bee2ed5bcc6590e2e7fb204ccea
SHA1 hash:
e8aaa0132a7020ada8d127e2418b272ed0fc7288
Link:
https://www.unpac.me/results/9c00ce80-4242-4576-8c62-32eeda376b35/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f8db29c84a11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RaccoonStealer

Executable exe f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195530/

Comments