MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2389fec9a46650f8bb5b5da588e32636b8725fa6e6bca5a962110a834a2383df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 4 File information Comments

SHA256 hash:	2389fec9a46650f8bb5b5da588e32636b8725fa6e6bca5a962110a834a2383df
SHA3-384 hash:	9141f9cf91d1cc504240b0376baf6396957c7361c0f868fd8b18e739ee3aff24fcb18ddbc12f43f70040de0be1ffc8e1
SHA1 hash:	c489cd5cd9e1751c607b12fabb1d21b356c9d8d2
MD5 hash:	5f105f49a19638195ab9c660454d86d7
humanhash:	winter-india-ink-south
File name:	2389FEC9A46650F8BB5B5DA588E32636B8725FA6E6BCA.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	618'496 bytes
First seen:	2021-08-05 01:40:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	762eb19010c0700eaa21fe941afb9920 (1 x RedLineStealer, 1 x ArkeiStealer, 1 x CryptBot)
ssdeep	12288:acCDFrUUPuDZYX9niKSIQM5jO2fqamw4SiqHhP/5:IDFrUhssBL2f1mw4Sia/5
Threatray	1'527 similar samples on MalwareBazaar
TLSH	T1DBD4DF00A6A1C035F5F632F89A7A9368697A79F19B3040CB52D5EBEE16341F5ED31323
dhash icon	ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://5.252.179.21/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://5.252.179.21/	https://threatfox.abuse.ch/ioc/165702/

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2389FEC9A46650F8BB5B5DA588E32636B8725FA6E6BCA.exe

Verdict:

Malicious activity

Analysis date:

2021-08-05 01:42:45 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/5a929d9a-114f-4721-a9e8-2d49115f4f38

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/176482/

Detection(s):

Win.Packed.Generic-9874443-0

Win.Packed.Generic-9874490-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP POST request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ff9c11c5-c73a-4dc3-8a84-912e1e2488ae

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/827919

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Infostealer behavior detected

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2389fec9a46650f8bb5b5da588e32636b8725fa6e6bca5a962110a834a2383df/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-06-24 21:14:44 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eoe75snemzipro23lwsyryzgg24hex5g426klklccefigsrdqppq._file

Verdict:

malicious

RaccoonStealer

7d488eb1040f11cfdf31e5cc017f253bc9050bae1cfd474492018c314504c9bd

RaccoonStealer

7f74f36952503e1686edd46a2987fd0a540f18cccc9732e9814620983b2df7b8

RaccoonStealer

7fa8300652f1b8c48e6ac25203994e388acb14ffc29393da5175de05ec1614d8

RaccoonStealer

9e3f4bfcfd053c0f6288c87e76ab616feaa8beb7039c4dc3539cfcfea11652e7

RaccoonStealer

9edd2b570127b6af299d9325d46ec63944de11ed3ae177a8a82d8fc7572d4980

RaccoonStealer

ab4554366f37456ac0115a7df3b4114711fb8310ccc5754bfa10c474a0453210

RaccoonStealer

d61aa30773692c8573e9f1fa776ba99eeb89800bde45663582ee2d3bec5ceb70

RaccoonStealer

+ 1'517 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:8cd03818c38af9ec9c2c4e0742fcd49b7ae986ab stealer

Link:

https://tria.ge/reports/210805-tfa2c67m2x/

Behaviour

Modifies system certificate store

Raccoon

Raccoon Stealer Payload

Unpacked files

SH256 hash:

76f88a1b376295789ff05776fe3d038d2736d6f9992571146cd8f3164ff7a5f6

MD5 hash:

bb29b8afb6a11bbea1ef281fe8b7a1e6

SHA1 hash:

1338a4cb6e24c8aee942e28e2e1d61a5cf41b85c

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/b8ccbf26-e92f-4666-8013-8b96c15d26e8/

Parent samples :

137026a259166724d41d797fc3a5fd8ba40c30e9eab4e71db7ab8ad54747a77a
31aaf1ea33e7e5b1f08771d516b1cdd94e5205b2b3ddeedd5643414683e26ce7
098b845a6729ed490fc61e679a4d85bdf35cd71b463fdad56e08a60714a84e50
9222fdec61d1a3c43985439deb73066998f0941c5e68d82147b71aee8f9b66d1
2389fec9a46650f8bb5b5da588e32636b8725fa6e6bca5a962110a834a2383df

SH256 hash:

2389fec9a46650f8bb5b5da588e32636b8725fa6e6bca5a962110a834a2383df

MD5 hash:

5f105f49a19638195ab9c660454d86d7

SHA1 hash:

c489cd5cd9e1751c607b12fabb1d21b356c9d8d2

Link:

https://www.unpac.me/results/b8ccbf26-e92f-4666-8013-8b96c15d26e8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2389fec9a46650f8bb5b5da588e32636b8725fa6e6bca5a962110a834a2383df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/176482/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample