MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cbfc499e8f27bf6e4dbc0533febeac5deb0f24c6ce83aa6d60b17433ae3cb40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	2cbfc499e8f27bf6e4dbc0533febeac5deb0f24c6ce83aa6d60b17433ae3cb40
SHA3-384 hash:	3a23c9bf8c59c2665e50da8eac1ce293bebf788b916119c3f4ac13333892335655ef812c087a85c673094d6ba9c98047
SHA1 hash:	200615c74091e9cc11b66ffbebde2cadd7479422
MD5 hash:	66a30d61f8432d35bfc039f30d23aa04
humanhash:	happy-grey-six-tennessee
File name:	2CBFC499E8F27BF6E4DBC0533FEBEAC5DEB0F24C6CE83.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	570'880 bytes
First seen:	2021-07-21 01:11:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cb971fcf399235e4e9a69622d3809fcc (6 x RaccoonStealer, 3 x Stop, 1 x CryptBot)
ssdeep	12288:WZB/oqYL8EhfucNQOG+LrIHBqpZekJchnabO1ljzIPyfdWfhYVzZQ:WZBHYLqp+/FgkJchnabuMPyd2yzC
Threatray	1'024 similar samples on MalwareBazaar
TLSH	T198C4D03166A1F036E0F312B448B69279AD3A7DB1A73C94CBA2D03AEA56345F4DC30757
dhash icon	d212f0ece8696c46 (2 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://34.88.33.218/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://34.88.33.218/	https://threatfox.abuse.ch/ioc/161793/

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2CBFC499E8F27BF6E4DBC0533FEBEAC5DEB0F24C6CE83.exe

Verdict:

Malicious activity

Analysis date:

2021-07-21 01:12:47 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/b63c071c-c71c-4dff-9dac-79a02baf8769

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/172910/

Detection(s):

Win.Malware.Filerepmalware-9865622-0

Win.Packed.Filerepmalware-9865758-0

Win.Dropper.Stop-9865782-0

Win.Packed.Generic-9865913-0

Win.Packed.Generic-9865979-0

Win.Malware.Generic-9866706-0

Win.Malware.Fier-9868037-0

Win.Malware.Fier-9868038-0

Win.Malware.Generic-9869276-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/71a5146b-736c-4adf-ae96-ca7906595dec

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/819275

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cbfc499e8f27bf6e4dbc0533febeac5deb0f24c6ce83aa6d60b17433ae3cb40/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-05-28 12:22:45 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fs74jgpi6j57nzg3ybjt727kyxplb4smntudvjwwbmlugoxdznaa._file

Verdict:

malicious

RaccoonStealer

3d7c4746930fbadf4537612d2a50b95a6a442517ede98e97c7a1d67d334c5393

RaccoonStealer

653d9d0ae06efd8ebb84a079bb7024cd5d2faa497c780ecc2b642f4c3b782cd3

RaccoonStealer

713b5945d12292a726db22b9b96c5affa7278ad4a11a473ba217444fac7443d4

RaccoonStealer

728147c5bff90b21c7aa0b213108ac3a1dbd8a059c129103b35a206ff9be56bb

RaccoonStealer

75bc5234ba652f847e14755352f4b39c26ffcfb5cec2b48d34e066b0581772dd

RaccoonStealer

8e98d227ab95b2d3e727ed670d1faa260157f6a595aa1026035606424f4509c9

RaccoonStealer

bff76665fd4f574a2a8481b085f40148d95272a1cda7332566433e93e1a3b498

RaccoonStealer

c50339202bebf620f50f539aa41632031d42ed3e640bbc210e50502bdb403856

RaccoonStealer

fe12a8772f3bb4fc8eb97e4a4a5470cbdaf44178281318a73a052eb43078bafb

RaccoonStealer

+ 1'014 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:00e1fa5eb2814e916295b624cf5038be739fd828 stealer

Link:

https://tria.ge/reports/210721-nqfk8kmhk2/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

a429990bb7370fff46e2a7d1eb744da8c27a41e787fd07e5ef1cc20b89649bd0

MD5 hash:

d7c2140f20c91b479765d75cada2b15b

SHA1 hash:

35953099c3e6c26f80ee3e95918863b2573cb7be

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/4adcf719-cf35-4e04-9c07-cb0028820e2b/

SH256 hash:

2cbfc499e8f27bf6e4dbc0533febeac5deb0f24c6ce83aa6d60b17433ae3cb40

MD5 hash:

66a30d61f8432d35bfc039f30d23aa04

SHA1 hash:

200615c74091e9cc11b66ffbebde2cadd7479422

Link:

https://www.unpac.me/results/4adcf719-cf35-4e04-9c07-cb0028820e2b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cbfc499e8f27bf6e4dbc0533febeac5deb0f24c6ce83aa6d60b17433ae3cb40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/172910/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample