MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1
SHA3-384 hash: 9fbc6f3f4da5e46be581553edba8849a22c3eff1213f7d60f7e85836422cab4fab696bc62e4421a11ddab5fe7051c703
SHA1 hash: cf886d1cbabe2c572edd001c0fa55a13d3e191bd
MD5 hash: 9733aef1c8ec194a3198ab8e0130b7d4
humanhash: violet-network-jupiter-item
File name:9733aef1c8ec194a3198ab8e0130b7d4
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:590'336 bytes
First seen:2021-11-17 13:49:59 UTC
Last seen:2021-11-17 15:12:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 10e9ffe6ba2fdafc4ff623a56bf49cc4 (3 x RedLineStealer, 3 x RaccoonStealer, 1 x CryptBot)
ssdeep 12288:FLtm4P03EOk74+O7P0ZEvtRpGI14WWvGaurroIaT:fm483tk74+g0ZsPHzWvGH3
Threatray 4'291 similar samples on MalwareBazaar
TLSH T134C4E010BBE0C035F1F722F84979A268692E79E1AB2095CF63D566EA47346E4FC31317
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9733aef1c8ec194a3198ab8e0130b7d4
Verdict:
Malicious activity
Analysis date:
2021-11-17 18:48:34 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/8c06e488-b875-450a-bb08-4fc0fce845b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.80234.14681.10390.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6195088f2695a62af9f2312c/reports/7336bb08-b5f7-454d-98f3-2f45c57918f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d09fe68e-0fa6-4cb5-9062-33a22df4f738
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891175
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 13:50:07 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7iyfogyseeoen7chmonj2tpw7xvmzdvg5t75biycf6bp7zb5kcyq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
58e55ace1e50d5da54055c0ad559e8b888255a586e363bcf08bb728f9127f318
RaccoonStealer
6de652315ec81355613e5aa698e993cc44e46db0f40ee26e6613aa79aea5cdfd
RaccoonStealer
a6ef4df2da289c7494453df35117b375124fbe5b6dc7d6bc571f4218efc24e8e
RaccoonStealer
cfe0285c92fd3ba73b574809c128333d493a354b509aafbf9d05402f8f82fc93
RaccoonStealer
d09f1f4d1e5cf1ea2c2ffcf037bb2af20315e592f5c7f6d8692c1b60c2713927
RaccoonStealer
f0c6c81477938fcae74fe57391235d9128ef6b155052c78dcd18904ff702da80
RaccoonStealer
+ 4'281 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:ddf183af4241e3172885cf1b2c4c1fb4ee03d05a stealer
Link:
https://tria.ge/reports/211117-q49v1ahgen/
Behaviour
Raccoon
Unpacked files
SH256 hash:
4fd3fb38a76d5ed85d5638f74edc572ff86503ca28e6d68d6e13a5e4e54d8209
MD5 hash:
3ae7bfb6478c0bcd2c0e2f54b97f7ea0
SHA1 hash:
2cff331a8dcddb34d7e30a078ffa772c6c2ef4be
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/1ea12e1c-718b-43f3-bce0-c6d20e3bb880/
Parent samples :
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5
bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11
fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1
f106e2efb90c57289bbe57b3be618c063c1bc70f3eaabd2afa73e53c2168a54d
SH256 hash:
fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1
MD5 hash:
9733aef1c8ec194a3198ab8e0130b7d4
SHA1 hash:
cf886d1cbabe2c572edd001c0fa55a13d3e191bd
Link:
https://www.unpac.me/results/1ea12e1c-718b-43f3-bce0-c6d20e3bb880/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fa30571b1221/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/206805/
  
URLhaus
https://urlhaus.abuse.ch/url/1797499/

Comments


Avatar
zbet commented on 2021-11-17 13:50:00 UTC

url : hxxp://host-file-host0.com/files/15_1637082780_2946.exe