MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 254c28cd968abd1048e5baa80c9aff405e32de2d840d5b0e5882515ad6d47be2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 4 File information Comments

SHA256 hash:	254c28cd968abd1048e5baa80c9aff405e32de2d840d5b0e5882515ad6d47be2
SHA3-384 hash:	98733e23a3b424e66b5a63cc6faaaa766c167b4dbcea2051d7ad4bcd5e1a4c7970cde3db10f446ef3f9d44fd08eedaa5
SHA1 hash:	bc8f1ad4fb372d8ae17be2f20cfa9fad3a2679f8
MD5 hash:	bdb8002a5c5d8880ba2133d765d44193
humanhash:	eleven-music-fifteen-florida
File name:	BDB8002A5C5D8880BA2133D765D44193.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	617'472 bytes
First seen:	2021-08-13 07:56:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3808cf5755aac20ce0592be1a9bc0f0d (2 x RaccoonStealer, 1 x ArkeiStealer, 1 x DanaBot)
ssdeep	12288:sMyXcpXC3XphQAFoveV21dpA/zIE7L65qF/0uCz/sHqHfhLi0q:AMpXGtfadpW1W5OZ4o8E
Threatray	1'928 similar samples on MalwareBazaar
TLSH	T1E2D4D030A7A0C034F6F716F445B583B8B93D7EA1673450CBA2E55AEA57346E8AC31387
dhash icon	a8e8e8e8aa66a499 (4 x RaccoonStealer, 1 x DanaBot)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://45.67.231.40/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.67.231.40/	https://threatfox.abuse.ch/ioc/184315/

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BDB8002A5C5D8880BA2133D765D44193.exe

Verdict:

Malicious activity

Analysis date:

2021-08-13 08:20:30 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/faa9ec26-68e9-4bec-81a6-5f2bb77c7f31

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/178899/

Detection(s):

Win.Dropper.Generickdz-9885122-0

Win.Packed.Fragtor-9885389-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Connection attempt

Sending an HTTP POST request

Sending a UDP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/249c9796-1ac2-47b1-8f57-320b519f7ae4

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832304

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Infostealer behavior detected

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/254c28cd968abd1048e5baa80c9aff405e32de2d840d5b0e5882515ad6d47be2/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-08-10 07:38:37 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=evgcrtmwrk6rashfxkuazgx7ibpdfxrnqqgvwdsyqjivvvwuppra._file

Verdict:

malicious

RaccoonStealer

21391fc51c85957fb1bf530fbdd01b9cc6b855445c5ae6e46d9be51441ee62f5

RaccoonStealer

32635b6aa5bcbdd18166e5a9b9469104ccc57a19bfe72dc3e3caca761ebc311a

RaccoonStealer

371827d3309f0b2bff933583e4b4ab2150c6e40c6396e66b3e029a1ec97c99de

RaccoonStealer

40b64bbdb68d008b482daf0459702e6f9f81603a65ca47db258714e445106c9e

RaccoonStealer

66cebd1b0a87df2ddcd805723d15e8094c23dfe1d4a2108348579995a102c994

RaccoonStealer

8bb0c75f554647d27173b3d8b2e63abba3670fb7972b6856cbca89f1eda96c6d

RaccoonStealer

bf96ed8aa602b7611ef90657e75b9612d2a49e57acdfaf4c3f8b40ef562651cc

RaccoonStealer

ce1c2e089ab14ef543b6604bd4fd82213708b89372fd63d414ff6e694ddce4ad

RaccoonStealer

fe5254468c8a6c7a17dc11f3e85b00db1b5b2b3c26919bdefb8d917ce35cb4d5

RaccoonStealer

+ 1'918 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:fa93985ba268e1dd8b72ef392332edcba95ddd45 stealer

Link:

https://tria.ge/reports/210813-ql4wfjm8js/

Behaviour

Modifies system certificate store

Raccoon

Raccoon Stealer Payload

Unpacked files

SH256 hash:

7a03037449dfe687b024899b1b5c8a04a0a4a787c3909f3d9bd5a72e5dac049e

MD5 hash:

dec745e2b7589c60a75ca8429cca33b8

SHA1 hash:

39bd20a3166581fced0efe240afc6994257c6140

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/c6b99583-7781-4105-afe2-c86f604a6d08/

Parent samples :

98a7e96cfbf4701c29c85de103f6145e9bab2b9d710651805e1a6c3165c26ee5
cb5f581a0b72fbdc1a926ef42cad1664abe69fd1feca0b4f3dce3a71d7e0365d
226f748b118a324625f1f4b4ed3221320cc3d41d3901eb7e79e04c0e50f743b6
254c28cd968abd1048e5baa80c9aff405e32de2d840d5b0e5882515ad6d47be2
f2bf403d1e035c29dbc57e7fd83d3b3cbd3ad45b0eb57d80e858f2cc68d4cfe9

SH256 hash:

254c28cd968abd1048e5baa80c9aff405e32de2d840d5b0e5882515ad6d47be2

MD5 hash:

bdb8002a5c5d8880ba2133d765d44193

SHA1 hash:

bc8f1ad4fb372d8ae17be2f20cfa9fad3a2679f8

Link:

https://www.unpac.me/results/c6b99583-7781-4105-afe2-c86f604a6d08/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/254c28cd968abd1048e5baa80c9aff405e32de2d840d5b0e5882515ad6d47be2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178899/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample