MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32d8cde15a3e57d033e2bad6e8e0d1a3a16f4934ca4c0df122cbc7d3a0de710a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	32d8cde15a3e57d033e2bad6e8e0d1a3a16f4934ca4c0df122cbc7d3a0de710a
SHA3-384 hash:	04df73576f72d7681044fcd8e4e2d7892081798182f2ee5b4d75d6635a9cf637d35ca440f285171f6b854cee7fba66c3
SHA1 hash:	5b3a73c7ab7f223737974e358865158dfd093dba
MD5 hash:	f8896e327cdf85749c94a832107c453f
humanhash:	charlie-sink-sixteen-wisconsin
File name:	f8896e327cdf85749c94a832107c453f.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'274'368 bytes
First seen:	2021-09-06 22:07:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:136ugODOSE941wR0mkQ0JDNvSqGkYjasS6oeYKdL4:p6ulOSg41QfkQkJXYeBXKp
Threatray	3'453 similar samples on MalwareBazaar
TLSH	T16545743DAD2626335FA9B17CD4D6194EE79414EB23714DE9D2E2B38C200B917B2DA31C
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://45.142.215.237/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.142.215.237/	https://threatfox.abuse.ch/ioc/216755/

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f8896e327cdf85749c94a832107c453f.exe

Verdict:

Malicious activity

Analysis date:

2021-09-06 22:26:01 UTC

Tags:

trojan stealer raccoon loader

Link:

https://app.any.run/tasks/d32c8002-72ff-41af-8fed-e5db86a244ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/185751/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.16176.17090.23957.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Connection attempt to an infection source

Connection attempt

Sending an HTTP POST request

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bbfbfd84-8bf7-480e-9c4c-cb089a7f618c

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/32d8cde15a3e57d033e2bad6e8e0d1a3a16f4934ca4c0df122cbc7d3a0de710a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-03 02:00:55 UTC

AV detection:

27 of 43 (62.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=glmm3yk2hzl5am7cxllorygruoqw6sjuzjga34jczpd5hig6oefa._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

445bd1c221cff019e52db89d03e05a8c22509cea0ede28da6d55bff7fd840bae

RaccoonStealer

895100760e67763505b9cad311be16b533db48d1f2cb28424a98495406220a2f

RaccoonStealer

93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

RaccoonStealer

bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334

RaccoonStealer

d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445

RaccoonStealer

da8777fa1ea919560e5fd0fcad56f265546fa9fa5e061776705da8a79ec1ca7c

RaccoonStealer

fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4

RaccoonStealer

ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da

RaccoonStealer

+ 3'443 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:8d540643cc195ccd3e77766ab1d4b73d68715d8c discovery spyware stealer

Link:

https://tria.ge/reports/210906-1185eaegal/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Raccoon

Unpacked files

SH256 hash:

43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345

MD5 hash:

f62ab5d3528d5a3b9e270ea1f9347868

SHA1 hash:

6a74e87711c615adbd9145f829a33f55b7e42dd6

Link:

https://www.unpac.me/results/373818e1-50b2-4ac7-8e93-72a41dd8dd61/

SH256 hash:

a138b014d8a8c994dc2bc7ed65c6d5966472bd3e6d009f23d47dded81cf8f40b

MD5 hash:

4dab5b2a823722eef7bd8fbc87a42a57

SHA1 hash:

0e840c4709e35399f88a2f684e233a11f7fbb860

Link:

https://www.unpac.me/results/373818e1-50b2-4ac7-8e93-72a41dd8dd61/

SH256 hash:

cc189784666906e8f351d598f4d5e39159893876d81787f7939e06de60b82afe

MD5 hash:

8d7582c067da2d6e82e6d9b1fb025446

SHA1 hash:

0cebfe0f415c92b6dabda26d5593b475a423e2fe

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/373818e1-50b2-4ac7-8e93-72a41dd8dd61/

Parent samples :

3e4c7ea14c7244983b41edf75a23f40800771f02c0aba8afc0f087d6eee25d40
e1c502cf0606d96119b00772bbaf5cd66c0f084a284c2b3b9162de9574f5ee0b
1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6
32d8cde15a3e57d033e2bad6e8e0d1a3a16f4934ca4c0df122cbc7d3a0de710a

SH256 hash:

32d8cde15a3e57d033e2bad6e8e0d1a3a16f4934ca4c0df122cbc7d3a0de710a

MD5 hash:

f8896e327cdf85749c94a832107c453f

SHA1 hash:

5b3a73c7ab7f223737974e358865158dfd093dba

Link:

https://www.unpac.me/results/373818e1-50b2-4ac7-8e93-72a41dd8dd61/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/32d8cde15a3e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/32d8cde15a3e57d033e2bad6e8e0d1a3a16f4934ca4c0df122cbc7d3a0de710a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185751/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample