MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments

SHA256 hash: 9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046
SHA3-384 hash: 6b52a578547409c43ef409b86e0e26db5b5d64ec01f54bb853c02bf83344d35c2953620a8e8162007a1901424b77afc8
SHA1 hash: 80db9b3c72f88b3cacb40362ee21baa2390de38c
MD5 hash: 82f7734fef8ee0789cf270f292651cbe
humanhash: robert-saturn-lamp-foxtrot
File name:82f7734fef8ee0789cf270f292651cbe.exe
Download: download sample
Signature RaccoonStealer
File size:4'704'768 bytes
First seen:2021-09-28 06:38:16 UTC
Last seen:2021-09-28 10:16:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd827b8586176b67403fab26f5e0d605 (1 x RaccoonStealer)
ssdeep 98304:62RwWMe+Sml+unSwywZ+741ksvzTciQoS9BTdrlv9z/8nltrM0C:S6+t3SpjsvzTJrSvz9Uf6
Threatray 130 similar samples on MalwareBazaar
TLSH T1B42612137A404199C0DA4E35842BBE8171F25F994962943F7BEDFDCE3F3E1A39606A42
File icon (PE):PE icon
dhash icon 8c8cf0e8e8b24280 (1 x RaccoonStealer)
Reporter @abuse_ch
Tags:exe RaccoonStealer


Twitter
@abuse_ch
RaccoonStealer C2:
http://185.138.164.150/

Intelligence


File Origin
# of uploads :
2
# of downloads :
104
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
82f7734fef8ee0789cf270f292651cbe.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 06:39:21 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:
Result
Threat name:
Raccoon
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Result
Malware family:
raccoon
Score:
  10/10
Tags:
family:raccoon botnet:c1728bc068ff13c9172ac566c717a997b9a7b1dc discovery spyware stealer suricata
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SH256 hash:
3ddc1496cad568993b4f7a6b06094c0ddbc2804d74a70471fff3f1ec2cb065f2
MD5 hash:
9bf7559f8f746ec86bd414763b7261cb
SHA1 hash:
738bb319f1e97761c49e606fe34925a5e70ad1c3
SH256 hash:
9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046
MD5 hash:
82f7734fef8ee0789cf270f292651cbe
SHA1 hash:
80db9b3c72f88b3cacb40362ee21baa2390de38c

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.138.164.150/ https://threatfox.abuse.ch/ioc/227268

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046

(this sample)

  
Delivery method
Distributed via web download

Comments