MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327
SHA3-384 hash: 2d948b985e416f0489841bc5dea5191c132be52936a49b6bdc37195ca0d7ad2f1b08687ee93844454fb8d63983f07e1a
SHA1 hash: 5d975cc83d785924e4d5e4c210ec339787f54917
MD5 hash: 1fee6d04839ae9a0a8646f4fee96a392
humanhash: fourteen-high-fillet-london
File name:1fee6d04839ae9a0a8646f4fee96a392.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:619'520 bytes
First seen:2021-10-09 06:39:51 UTC
Last seen:2021-10-09 07:58:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a29283552656e7323601d9f44dc0a25 (2 x RedLineStealer, 1 x Smoke Loader, 1 x RaccoonStealer)
ssdeep 12288:y40h27ZzsRULo0qir9MKSTePs05Q0oQtmqF82Uf3C:yPhzR0oar5STe00RoQt62
TLSH T142D4C010A660C038F6F762F48ABA9269A52F7EE1672450CB53D52BEE97345E0FD30317
File icon (PE):PE icon
dhash icon e8e8c8e8aa66a489 (4 x RaccoonStealer, 3 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1fee6d04839ae9a0a8646f4fee96a392.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-09 06:45:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ebdf351f-b4d2-450f-9d05-d49ed0f0bac8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196272/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31160.128.55.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616139482a37101ae6fe3143/reports/42073492-615b-4ad6-aa39-e16d9d719797/overview
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867375
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 23:57:09 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uu7zcv6wwegyaheddr4bdynabd5ccufchbdhpk4satycps4kmtq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:8d179b9e611eee525425544ee8c6d77360ab7cd9 collection discovery spyware stealer suricata
Link:
https://tria.ge/reports/211009-he8yeafbdj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SH256 hash:
40601414d78a4bdeff9bcd994b5b5a05305198a64e7fff9979411d22850267dd
MD5 hash:
af07f1a75f269b8b2c4bf2163dda4e01
SHA1 hash:
2d80e36c32078bd1898e57bd88f82b73ecba9655
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/abec24d4-7f34-49fa-98d5-44d082f72e14/
Parent samples :
71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54
c67646ba071947726cb2420a03887901a79a762844862eeb61f2fa8349ea355f
dedecac051c66649d617a251056138a2e59e530a0c172b7c851b6a10d8c45222
7383c5e9d047eff7d5a91139c0f5c1c80c1cae7fdf5ebb59a0db20a05abb58a2
dded956a99823dc3d87aafa2764e9a561eb9df6b571251f118468052143d76cc
b7b037355cc6e9dc7f9c665f1ea987bafed82a4825409a5d05cde15c6d243dff
5451dce2ce5d9e6b5f9ed22dd2b535b36557c73511b734134fa8877f064eb8d7
960169e92f38cb227d7b503227d5d4755a76868fbfb04573fe471b1c2cb75f32
945da407242fd3bb99fe5e2980c51b37bb493fae5aeaba96615f214feb612766
c37589d196b538bdbe783c81ba966e7a3689f9867cf5d22d207a602c86ebdf7e
489ba149e160c874437126a526c64707d74e792346b9cf603230ff574a625e07
3bd87df107b7f796664419c54716ea4dc9a2c6a4b34efa85eb1eb75f6458b13b
8136e992f634fec74c2c923edc4cf43ab8601dd3dc229bb3fde7d798e644beae
ca2f932189a0d8318c372fde2bc9d3848844f6b10aae1ff3515c01b8a44f9c17
443091dec2f1c3bd7070f668778ddda8c3d550d9dff0ae075ec6cf1273ee1274
545e5ac7b0c4568049dd33037de46e8a006845563bda516818ad4e4464d580fe
277ec4e34e212b830aaa2318805e282653833002e6f5d95c713b5e724910d442
3d3bdfa63f14658e164027af06ac4728891f5025fadddac2f2f6debb4021d531
3081dd771b70907a5ce4c447c3a8dd6aac2d49030face32d60127d220122fd70
d446ebd0bb5a6a33e8252ffda9084f2eb912bb6c2a461e96dcc3c317b3ef41ce
27fedb8ef3fb428492824755d575ca2f19c7c02e95a5c153edffaea3a7560787
dde7851773f5a3f62b23b919c2403888ae2e876993777a34bc5c74d7d1149fbc
35cd41eed1dcc9629dbf360fbea09f8406ec25061fa73643d0c7f6d82bf3ffc3
948b7be55369e1fc991440d1a6fb52e334288a978582c276b8fa46c6de9a7648
c9a0c77dce1e1f7e570b187e01a8a2e2c0a87e0c24d8b1345389775a42c9b35c
6dfce00750c09d7a9927dab4bed6b81a4043fab36fba5ddf5c5536c3503dfb10
0d9bae8c6ba3fe8d9cace7e0b9a68721f9febcc73730b00d1b103c318ba6f361
eb33bd628ebeb2de4091f36ab518e658bfa7764822fea208e951e0364d711844
65f1c758979396b12aedf025186a9e0f864c08cdb57a63ec1668f58845573895
8b33d101cb310b23e41a526a1a5b8424fffbf10ec753c559350938b161bbf61b
b9edb0ccfa91cbc5f3d0586ccffdb460633b259e623c5f796311fe5675e9b70e
fd9cceca8b8a195da00f864f7d8642a6b4c4c8c9bdae8620d846d81335ef9130
5fe065477abcc7d6be9f05ca9f7ab796bcdc98776fdc7cb4abf5e99043913ac6
9e8023fed30083e6c58d07a72e4282ba98403d000df83ec9430bc4c5bb6db595
c52d24dc24c1cafd05297ae27e27dda206583220b0b5c5e518317043a3f4042d
86a52a844928c72e0e51f369092b44e9924b588d131ae14ff31cee2d0bf94558
d64c1bdf012a8eef91a124ff9fb6dd72a73bd01a0a091b9a035dac1a732643bb
aa91fc9cbcf0c8f03593dc8801dfbc24b35e6ac0317c11c36b93e17fc915a44b
79b2b081a4388f48148f97af8c51024ea9abda0d04ff67e8c0b0ed0a00495594
da18feb770e9425cbcb44f0301051e55b9955c80b15eec5dd73bdd70ea9afcd2
b23bfb360da32c889bc926a4057e1fa1d284e8ecfdde9d04bd70e7590b30cd25
08a423286efaf529700fe4b765df6b91d0643fc8adf3d7e934744bad76ca6ce2
25620d528306a61fca60319a4a166df951d335e016b19b245390a3c5cf514710
da8e8a3674bb74752cc61703310b75756db86196f957dcbb1efb64dec6f45280
d93931a4805f6ba426222b756f48c649fdf28a2ae51b9e4fde0d393ee5b340a0
5dbdce6b20dd0ca2e4d6e328980e222dcebe1ad73f7e5e9c0d8360f06148550e
9b8bafc0d1f12757220e764f6b5a4da42c3f8bfb4fd7c89e10246fda157a7c8c
afe05e1fe7e402cf44ccf592338f9cdbe6975795c9c3247cfad700f6eae88724
e4843efa63e35463c7d1ef4c9a9b9e5375117aca0b20a185321da61ce8650489
abac1d73d13e6decaf8216d4503cf0835a48afa117e9fc9dae92a1fd10f8a89b
1dcf4adf105e5c9f1e61e0120cb639804234addffbcbb320e96931d242d42979
43d1e6e1b9e106f6b06af78762f4c8de58b89ff64934769906230023dba3f1da
f302db2e7293cac08f7c95cb9ffaa0066e85db088747b80c8e42855d8fe29e1a
8f4d56c333b5b0b743a6dcdc6d6954adfdde2fc5219b8c45987202445ecdfc9c
fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327
8969003beb2ed864e1cb6d3518bec42cd1c7fe68f7990f629547b9c1f817f4b9
000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607
fc6b841e6c753eeebf0d7cc8820cd3c6fcbeb40fc4d2c4d9a8bf9d3f0907fb76
SH256 hash:
fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327
MD5 hash:
1fee6d04839ae9a0a8646f4fee96a392
SHA1 hash:
5d975cc83d785924e4d5e4c210ec339787f54917
Link:
https://www.unpac.me/results/abec24d4-7f34-49fa-98d5-44d082f72e14/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fd29fc8abeb5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe fd29fc8abeb5886c00e418e3c08f0d0047d10a8511c233bd5c9027813e5c5327

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/196272/
  
URLhaus
https://urlhaus.abuse.ch/url/1661083/
  
Delivery method
Distributed via web download

Comments