MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b66ffdb7174f4c240e016033010d29a21ef2e083a62afe6275bf6bf9027b28c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash: b66ffdb7174f4c240e016033010d29a21ef2e083a62afe6275bf6bf9027b28c7
SHA3-384 hash: d61976d266106133575f499c3b7857300403da5c43c23cab368e8642f65deb6bddee87f40ebcddcedee61c0d320e180f
SHA1 hash: 46a78db9a6faa353855cd1d409fd2c83626a844c
MD5 hash: 5c06eccf9ec74274380b45219b0d813e
humanhash: oklahoma-tennessee-november-solar
File name:??? ?? 9?.exe
Download: download sample
Signature RaccoonStealer
File size:553'984 bytes
First seen:2021-09-28 06:43:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b3447c394869d3e708c4373cd10a2b6b (5 x RaccoonStealer, 3 x ArkeiStealer, 2 x Smoke Loader)
ssdeep 12288:HnfWHKEh2GEprwDIXy9vzeex9oM1ZFvJ/7CtQW9C:H4KEJurWj96Y9oM1nvJzOQWc
Threatray 3'314 similar samples on MalwareBazaar
TLSH T15AC4F120A3E0C034F1B712B949BA9274A53DBEB2677C40CF92D526E652746F4EC31787
File icon (PE):PE icon
dhash icon 23b0f0b0b4f430a3 (1 x RaccoonStealer)
Reporter @abuse_ch
Tags:exe RaccoonStealer


Twitter
@abuse_ch
RaccoonStealer C2:
http://185.138.164.150/

Intelligence


File Origin
# of uploads :
1
# of downloads :
107
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
dd6be4ca-5f04-436a-8ba1-cb0e006ddb18
Verdict:
Malicious activity
Analysis date:
2021-09-28 06:46:11 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Raccoon
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Ulise
Status:
Malicious
First seen:
2021-09-28 06:44:12 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Result
Malware family:
raccoon
Score:
  10/10
Tags:
family:raccoon botnet:1ea547c0a567138950af900718b7747d9f51d0cb discovery spyware stealer
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
b66ffdb7174f4c240e016033010d29a21ef2e083a62afe6275bf6bf9027b28c7
MD5 hash:
5c06eccf9ec74274380b45219b0d813e
SHA1 hash:
46a78db9a6faa353855cd1d409fd2c83626a844c
Malware family:
Raccoon v1.7.2
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.138.164.150/ https://threatfox.abuse.ch/ioc/227268

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments