MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22f3b23ee63e47656daa0fcb45c58b9a2665e28f54b56766b6dddc94d8781281. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	22f3b23ee63e47656daa0fcb45c58b9a2665e28f54b56766b6dddc94d8781281
SHA3-384 hash:	901eec0774c3b05dae012642f406d03095df45cd3894fe07d1161da6835d960ae49d09130ab5d0979076849b5ee7b654
SHA1 hash:	3734252222cdbffe367798b97ea3aed2ec1c4e4f
MD5 hash:	0feb35a0a849c2bb40a3076097bfdfd2
humanhash:	oregon-montana-solar-bacon
File name:	3734252222cdbffe367798b97ea3aed2ec1c4e4f.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	486'912 bytes
First seen:	2021-09-19 17:10:49 UTC
Last seen:	2021-09-19 17:51:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b6847043720ac758135cfc4be1dc3a6e (3 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	6144:9nsMONNHIWOB1zVjxEAejIo/nkvUd5XcG1M7O6vd9TP7iMDoMjdz5JHei:5vONNoB1zNo/nksfXcGyd9TP7/oo
Threatray	3'135 similar samples on MalwareBazaar
TLSH	T172A4F10138B1D472D39258B0B423C6A4A93BBDD1526C51AB7798773E3F32EB26A35347
File icon (PE):
dhash icon	327e7c7d727e6e76 (14 x RedLineStealer, 13 x RaccoonStealer, 3 x Stop)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://45.67.231.60/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.67.231.60/	https://threatfox.abuse.ch/ioc/223520/

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3734252222cdbffe367798b97ea3aed2ec1c4e4f.exe

Verdict:

Malicious activity

Analysis date:

2021-09-19 17:12:11 UTC

Tags:

trojan stealer raccoon loader

Link:

https://app.any.run/tasks/cc23c13c-26e7-4b4c-980a-64fa9a996965

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/189139/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37599010.7453.27757.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0df1265e-e909-4517-a404-183b7e9b03fb

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/853590

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/22f3b23ee63e47656daa0fcb45c58b9a2665e28f54b56766b6dddc94d8781281/

Threat name:

Win32.Ransomware.LockbitCrypt

Status:

Malicious

First seen:

2021-09-17 20:39:33 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=elz3epxghzdwk3nkb7fulrmltitglyupks2wozvw3xojjwdyckaq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

4a6434d66a30ccd95a6c269ba54133d0cade8eb565cd7fd6582abeff8a02a3fc

RaccoonStealer

769e6fac3f7be0c7278bf32ec84b6e96690e06c4ed2c4d06df1f790fc97165e5

RaccoonStealer

78d2e3ffb53da033d7df217d5a67ea52dbac7928cb77d907307a1c77b4453cfe

RaccoonStealer

79353b4beb5c15fb26a1a4e35742da675a5adeff230f9a4d8f3577d47e263e97

RaccoonStealer

7cfa34e7f6ea3ee53ef9911983581f2c8865363d1e8de9d40ea42775de0f9e7e

RaccoonStealer

7dab69ecef0dc000e97634c8bf2840242b9e75038f32c0eac5eb79772309e43c

RaccoonStealer

830de75be32c7b749962b6ba9b8f9bb50db8bb9145653fa9e38f33715732ded4

RaccoonStealer

93ba1d3d5ea0f821f84ee02b34b65c3768098b5dfc84022a92f79db5a18f2411

RaccoonStealer

f0c98f4c47a7f3890884cea6e1e84d19fd63eeed8b05ba9cb367707a0f28aeba

RaccoonStealer

+ 3'125 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon discovery spyware stealer

Link:

https://tria.ge/reports/210919-vp9nxaccc2/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Unpacked files

SH256 hash:

be45760bc302c3b5bbc429156d3f4aa6d9a6ad31ac6943c2a31df1cde9791593

MD5 hash:

af96742458fcb0c9d1082c92e586ee23

SHA1 hash:

77887d4b449d72d1b9f915a19e9b4b0936932ff9

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/fe14e5d7-b5fc-4df5-b5b1-7e167ab19dd1/

Parent samples :

22f3b23ee63e47656daa0fcb45c58b9a2665e28f54b56766b6dddc94d8781281
c660d57bd98c4b7cecedeaa8405adba7ba4057e6f1ce62636a5d1003fea36e61
a422ed03a4f32c092a5dc53c3d8fbce7e32243f838a45b27a396175b84cab369

SH256 hash:

22f3b23ee63e47656daa0fcb45c58b9a2665e28f54b56766b6dddc94d8781281

MD5 hash:

0feb35a0a849c2bb40a3076097bfdfd2

SHA1 hash:

3734252222cdbffe367798b97ea3aed2ec1c4e4f

Link:

https://www.unpac.me/results/fe14e5d7-b5fc-4df5-b5b1-7e167ab19dd1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22f3b23ee63e47656daa0fcb45c58b9a2665e28f54b56766b6dddc94d8781281

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/189139/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample