MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 227c4d5b4d3975c14e7358e444fd6ba4f918f5ca87cb830c3407ca765336552b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	227c4d5b4d3975c14e7358e444fd6ba4f918f5ca87cb830c3407ca765336552b
SHA3-384 hash:	ca7f863a9766f1cddbaa8c7376251880a911dca0b47c311c2ff1e60ddc9feef5193283d04b571566e19c82b4ddf6c71d
SHA1 hash:	06bdbf304a648aa79ab724056c5160872625ed28
MD5 hash:	2242bd6ead215d66c2b32beb82e97d36
humanhash:	mexico-winter-butter-mountain
File name:	2242bd6ead215d66c2b32beb82e97d36.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	555'520 bytes
First seen:	2021-09-25 01:00:36 UTC
Last seen:	2021-09-25 02:09:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d63272091af7602d3a8fe5b2f0726122 (6 x RaccoonStealer, 4 x RedLineStealer, 1 x DanaBot)
ssdeep	6144:1eSWysjO2llCKU/gb4XfzTqFWKVYC/ctNkLuXBHCrEqmO91ctGc8zGd73W/:1eSW1jO2l5UhvzThsI0AVsbVc8zC3g
Threatray	3'211 similar samples on MalwareBazaar
TLSH	T188C4E12077E0C035F4B302F649B9937979397AB06B2850CFA2D617EA56786E8DD30397
File icon (PE):
dhash icon	ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.163.204.37/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.163.204.37/	https://threatfox.abuse.ch/ioc/226142/

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2021-09-25 00:45:52 UTC

Tags:

evasion trojan opendir loader rat redline stealer vidar danabot

Link:

https://app.any.run/tasks/1f57e103-187e-415a-8ca4-9978176c21d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/191301/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.27543.10872.UNOFFICIAL

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cf847b99-3cb5-4e11-b048-218db8639695

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/857716

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/227c4d5b4d3975c14e7358e444fd6ba4f918f5ca87cb830c3407ca765336552b/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-09-24 22:39:46 UTC

AV detection:

17 of 27 (62.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ej6e2w2nhf24ctttldsej7llut4rr5okq7fygdbua7fhmuzwkuvq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

3155e0baf18b8369f71e1cf4407774a78d13ae881a70c4083c02920354b4137c

RaccoonStealer

3c2557c292a2e3a61a85cd44f45f8f3998fd16db3e5e523353eac61a879f726a

RaccoonStealer

44bc3362221be1888156d1a7d5c29490a2c449d6cabe6766ecb6878500562057

RaccoonStealer

694c879e26f27610bc40ea419bea615dacb1e3a946a2c843f22af724623d1704

RaccoonStealer

88bea616209dfb7515186c71ef3555315eae375e4bf1fdff5267aea751323ae6

RaccoonStealer

dba5e6264deed1c0d630810ce0ba5931e442398ab117ab551f05e77d69613bfb

RaccoonStealer

dd32ec7e9a26563e3088286af32a147b95988188302c65024ed97a5a3b6289c6

RaccoonStealer

e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143

RaccoonStealer

fd0abd76e63bfc430d03202558a055da8df0cde77765824a476491dba86ad2ab

RaccoonStealer

+ 3'201 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:89bdb20fae9c32c8b9e6a3e975b823b9b8296f52 discovery spyware stealer

Link:

https://tria.ge/reports/210925-bc9zcsabg8/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Unpacked files

SH256 hash:

024c1118e7728ef41a5dd3c05492df2f090fa07f257ca84b2913d529413de1ab

MD5 hash:

840ca8da3a3b11c73729e0a8ea519b74

SHA1 hash:

41475ff7a51ef3082415c41c59b6cf95244be1ff

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/598d5b74-354e-4491-b545-8b789e735d03/

SH256 hash:

227c4d5b4d3975c14e7358e444fd6ba4f918f5ca87cb830c3407ca765336552b

MD5 hash:

2242bd6ead215d66c2b32beb82e97d36

SHA1 hash:

06bdbf304a648aa79ab724056c5160872625ed28

Link:

https://www.unpac.me/results/598d5b74-354e-4491-b545-8b789e735d03/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/227c4d5b4d39/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/227c4d5b4d3975c14e7358e444fd6ba4f918f5ca87cb830c3407ca765336552b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191301/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample