MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06dcc8ec05a3ec53b0066ce702d40993f9862644a37ddce050e03b23ba65a746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 11



SHA256 hash: 06dcc8ec05a3ec53b0066ce702d40993f9862644a37ddce050e03b23ba65a746
SHA3-384 hash: 619982e46731bd5dedb92b5e5466bfd1c7af98ad0f62db8501ac5ce1bde09685092e0e3fcb045d05dda89f92e6df5471
SHA1 hash: 7bc36922bb282fb37ae76ca0ab584937a32555b4
MD5 hash: dc0ad30780b013edc6d44f42873cca6f
humanhash: uniform-kilo-zulu-music
File name: 06DCC8EC05A3EC53B0066CE702D40993F9862644A37DD.exe
Signature RaccoonStealer
File size: 1'690'112 bytes
First seen: 2022-02-06 08:31:43 UTC
Last seen: 2022-02-06 10:34:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:19uNl7LY1SdbexwgacTLvcEVVd0bYxMFc:Kloi+wsH7F0kxM
Threatray 3'136 similar samples on MalwareBazaar
TLSH T11C751256B7D5A26DC66D1033C4A7000043FAAD8DA773EA0B25CC72AD9EF375D64292EC
dhash icon 8633657071b1b36a (1 x RaccoonStealer)
Reporter abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://91.219.236.18/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://91.219.236.18/ | https://threatfox.abuse.ch/ioc/378337/

Intelligence


File Origin
# of uploads :
2
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06DCC8EC05A3EC53B0066CE702D40993F9862644A37DD.exe
Verdict:
Malicious activity
Analysis date:
2022-02-06 09:37:54 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Raccoon Stealer
Behaviour
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-01-01 20:24:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
29 of 43 (67.44%)
Threat level:
  5/5
Result
Malware family:
raccoon
Score:
  10/10
Tags:
family:raccoon botnet:efc20640b4b1564934471e6297b87d8657db774a stealer
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
.NET Reactor protector
Raccoon
Unpacked files
SHA256 hash:
10514347f49f0ba9576de1f65fcf93db7159b81fed2d81ee620875ad11d7b318
MD5 hash:
9a7c48a10a84568cdfedfbb7f9e2697d
SHA1 hash:
d5c59564a483e2fa6cb7555d14337c0aa3a99f26
SHA256 hash:
002a0f38b0148330a7f6f1513a9466c2b0af931efb14e2378402871e665324e3
MD5 hash:
1d82fe679207a81742206bd5ed11c729
SHA1 hash:
c96e22596e8fbe4a9d1d41192c197b57bd4a5cf0
SHA256 hash:
9cd82dba6c55d901ac7d7007b7a04a30146ad7c297400d44f9d96b90c5ca25d4
MD5 hash:
d9477c36da677507cd33c6eef325d694
SHA1 hash:
330dc88b5041ca9edf57542f5a30c37eef6f11b1
SHA256 hash:
06dcc8ec05a3ec53b0066ce702d40993f9862644a37ddce050e03b23ba65a746
MD5 hash:
dc0ad30780b013edc6d44f42873cca6f
SHA1 hash:
7bc36922bb282fb37ae76ca0ab584937a32555b4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_DotNetReactor
Author: ditekSHen
Description: Detects executables packed with unregistered version of .NET Reactor
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments