MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e04d8dd8c7f6c370b6effbd47240f762fe35d599eee5715e6e08863a747549e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 2 File information Comments

SHA256 hash:	1e04d8dd8c7f6c370b6effbd47240f762fe35d599eee5715e6e08863a747549e
SHA3-384 hash:	03d832337c7d52e2da6975eeaac842cb1e4bcbeb5adce20861734facd6c058c0af978989803b61c3ef4e0e8e0036cdd6
SHA1 hash:	8a1428c6a2481fb35cdb0e0bd2affeeb87be119e
MD5 hash:	60a0aeb44a40268909323c7b4ca7fc2d
humanhash:	quiet-eleven-wyoming-sink
File name:	60A0AEB44A40268909323C7B4CA7FC2D.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	579'072 bytes
First seen:	2021-09-08 14:15:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	35279f0bcb93fbb246a2ff5f9995bdc1 (6 x RaccoonStealer)
ssdeep	12288:jh/yDN787IPelHo8BM2rMayvaD7Jz52548cRWipfx8BjaMEbG7nU:d28y2rMDaD7j2581kEijU
Threatray	2'984 similar samples on MalwareBazaar
TLSH	T178C4AF7675628077F17200B0AE6CA7A1167DBCB009328E9B73C9063D4FB55D2D722A7B
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.163.45.90/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.163.45.90/	https://threatfox.abuse.ch/ioc/218040/

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

60A0AEB44A40268909323C7B4CA7FC2D.exe

Verdict:

Malicious activity

Analysis date:

2021-09-08 14:34:07 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/c9c33572-06bf-4e6e-8677-34585d78e3d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/186393/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file

Deleting a recently created file

Reading critical registry keys

Delayed reading of the file

Running batch commands

Launching a process

Query of malicious DNS domain

Connection attempt to an infection source

Sending a TCP request to an infection source

Stealing user critical data

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7677c4d8-719e-4da3-96a4-9345dc97a2b9

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/1e04d8dd8c7f6c370b6effbd47240f762fe35d599eee5715e6e08863a747549e/

Threat name:

Win32.Infostealer.Racealer

Status:

Malicious

First seen:

2021-09-05 11:07:10 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dycnrxmmp5wdoc3o766uojapoyx6gxkzt3xfofpg4ceghj2hkspa._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

4da160dc1a5e5f2f2e0dee7ab9ccd3a522e34bbef2d602f35525b788f3afee2a

RaccoonStealer

70c61a7220e7df5841fded5bafa8340c388440911f8c894b35872188f300f29d

RaccoonStealer

93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

RaccoonStealer

bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334

RaccoonStealer

ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467

RaccoonStealer

da8777fa1ea919560e5fd0fcad56f265546fa9fa5e061776705da8a79ec1ca7c

RaccoonStealer

ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da

RaccoonStealer

+ 2'974 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:9f29af546c79843cfc6ed1f020e6462f257b30ff discovery spyware stealer

Link:

https://tria.ge/reports/210908-rk7rzahgfn/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

1e04d8dd8c7f6c370b6effbd47240f762fe35d599eee5715e6e08863a747549e

MD5 hash:

60a0aeb44a40268909323c7b4ca7fc2d

SHA1 hash:

8a1428c6a2481fb35cdb0e0bd2affeeb87be119e

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/adc0ff9d-7c2c-45f2-afb3-b92f050d62dc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e04d8dd8c7f6c370b6effbd47240f762fe35d599eee5715e6e08863a747549e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/186393/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample