MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30a41d35fbdbb0e5807ed057926d59b895358e0f2fe39df4acc6cf56cb704f20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30a41d35fbdbb0e5807ed057926d59b895358e0f2fe39df4acc6cf56cb704f20
SHA3-384 hash: 0ffa969b3656789c8383a93b1dabc1d48a431b4e136b4b8e678fedbf1e9cd6fdd1d016c680add80463750c4e77ed1dfb
SHA1 hash: 6042b7f954932e481e3f56b983d739ca44322d74
MD5 hash: a3bc914544e8e14e370fb06036b9a20c
humanhash: sixteen-island-mars-coffee
File name:30A41D35FBDBB0E5807ED057926D59B895358E0F2FE39.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'009'184 bytes
First seen:2022-03-08 21:15:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc7afbf99bd7de9aad612a3ecea602f7 (1 x RaccoonStealer)
ssdeep 49152:dnuYJNY19jGkpv3h122WBCnP1C/95OsGi:ddJNmj7PZne95D
Threatray 4'814 similar samples on MalwareBazaar
TLSH T12D9523C2A7D5A88AFC091B7B4142C4B17FB2BC639D77DAD16FE4F42E5A24FD12681201
File icon (PE):PE icon
dhash icon a25dacaca8c20d80 (1 x RedLineStealer, 1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://101.99.95.5/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://101.99.95.5/ https://threatfox.abuse.ch/ioc/393044/

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Setup_x32_x64.exe
Verdict:
Malicious activity
Analysis date:
2022-01-21 21:29:20 UTC
Tags:
evasion trojan rat redline loader opendir stealer vidar tofsee miner sinkhole asyncrat raccoon
Link:
https://app.any.run/tasks/13e57015-d1ca-40f0-b1f8-7b294edb3d5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248503/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.48045242.27741.24030.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6227c795dfdfa8501c7c3b6a/reports/0547fb8a-7ed6-4035-9136-36c6a3f7bad8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6332959-9216-4553-bec7-d23aa68ce871
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953006
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30a41d35fbdbb0e5807ed057926d59b895358e0f2fe39df4acc6cf56cb704f20/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-01-22 06:42:54 UTC
File Type:
PE (Exe)
Extracted files:
123
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcsb2np33oyolad62blze3kzxcktldqpf7rz35fmy3hvns3qj4qa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
30250e1ddf5dd38e88f12ce6bc70b497c953172e79378cc86b46f358c6f562c5
RaccoonStealer
360f2daa601a407296f2a123346526c790bc1a03f974bad4379e0c534056182e
RaccoonStealer
7b40863ec74aadb8aa7f38657302a39c1699f3e49dfc35ad63f32a0d37c19933
RaccoonStealer
8f0ce948ee3b5f284eed19d5065de393931e6979eac0d177464d55e2e470c3e7
RaccoonStealer
94b6f442982377412659b219dffc88f6d171b044c66583cc025335de2f8e6aa4
RaccoonStealer
c4ffe6c2f699fd77bdf6b7b7f49e3ba3691275585292eae1c600d997d6a9c0ee
RaccoonStealer
e41b64675f161f9a4c044cb7b4d97d3c023a24793c04d503949147e4368bac41
RaccoonStealer
+ 4'804 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1bc6116182dfd33bce1052fe9bb0415968161030 stealer suricata
Link:
https://tria.ge/reports/220308-z4jhgsecbm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
Unpacked files
SH256 hash:
770ce9c4feb6247a2bd7ce2d8ef43d3f233878fc4ecb01be12da87e4af8ff309
MD5 hash:
9ade7022e7657702a7df7b64e21e867e
SHA1 hash:
72562b3130147ed503c1961f17cc9ba5814134a9
Link:
https://www.unpac.me/results/131f856d-2404-4e34-a35e-d323ae452569/
SH256 hash:
30a41d35fbdbb0e5807ed057926d59b895358e0f2fe39df4acc6cf56cb704f20
MD5 hash:
a3bc914544e8e14e370fb06036b9a20c
SHA1 hash:
6042b7f954932e481e3f56b983d739ca44322d74
Link:
https://www.unpac.me/results/131f856d-2404-4e34-a35e-d323ae452569/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/30a41d35fbdbb0e5807ed057926d59b895358e0f2fe39df4acc6cf56cb704f20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248503/

Comments