MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35076221cd82da4a80f492b3a903b0c340ccc76725570ba41f9995c74c0bb485. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 2 File information Comments

SHA256 hash:	35076221cd82da4a80f492b3a903b0c340ccc76725570ba41f9995c74c0bb485
SHA3-384 hash:	4195f9850c4db242176f3609a733ba68de991dada5d6d7385b793cccdf420e81d6312ba6157ea796b800da9859e179ad
SHA1 hash:	1ce3fbd2917674ac377fa5f86685e47896692178
MD5 hash:	a5a2fc05ae169c31782a7c6f12e9a8c6
humanhash:	pennsylvania-mirror-washington-ohio
File name:	a5a2fc05ae169c31782a7c6f12e9a8c6.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	527'360 bytes
First seen:	2021-09-21 09:45:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	493d9235e00e760cd832c2d6518be9c0 (2 x RaccoonStealer, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep	12288:0lvYa9t8fya1JYT/aKKntm37JCduWCEGkAVd2GGT:0S68fykMQns3FEAyGG
Threatray	3'404 similar samples on MalwareBazaar
TLSH	T139B4E120A6D1C034E5BB12F45AB5C7B8B52E7AB07B3450CB62D52BEE16356F89C30397
File icon (PE):
dhash icon	5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.53.46.105/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.53.46.105/	https://threatfox.abuse.ch/ioc/224184/

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a5a2fc05ae169c31782a7c6f12e9a8c6.exe

Verdict:

Malicious activity

Analysis date:

2021-09-21 09:53:50 UTC

Tags:

trojan stealer raccoon loader

Link:

https://app.any.run/tasks/992c5010-3fc7-40ad-b34c-a1b4a3271efc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/189825/

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8bf19319-72f2-4710-9542-4a2e2adee7a1

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/854740

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/35076221cd82da4a80f492b3a903b0c340ccc76725570ba41f9995c74c0bb485/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-09-17 11:20:18 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gudweionqlnevahuskz2sa5qynamzr3hevlqxja7tgk4otalwscq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

4312195a9bdb25e05a09459c7f93435fbd4351ab906a5de5eac10a5146025a91

RaccoonStealer

45ebc17719513a2edab00d45408de24f10ddf56683009e386f3acb4d766c00f5

RaccoonStealer

4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c

RaccoonStealer

4e1fa85c2c73b975c261d1e26ca1765932dbac790dd5519dc8cc48a869d56d91

RaccoonStealer

88663e1a68a0c23a6b4e3bbdf5a274a374422aed105f52b236e58acd45050677

RaccoonStealer

9a714aed20c17582c161cb8f894c7240824b7d01826da8dbdd4c3664ec151e69

RaccoonStealer

9fa0c0bd4d3ae9ac8268e7d43c81315a55dd9e06fe59b8a0cc0c1b451f1b629a

RaccoonStealer

ada9a5c4e57492c3d26314837a7341b16b3095f2fbc9b390cbc48458c8df8914

RaccoonStealer

c28e190666a5967096f8c8e3ecd3a62e502fe84eb300113faa3fe06575ea118b

RaccoonStealer

+ 3'394 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:a16e26e8e3bbf05aad922e6691134b0795801b32 discovery spyware stealer

Link:

https://tria.ge/reports/210921-lrmgqabfhk/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Checks installed software on the system

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Downloads MZ/PE file

Raccoon

Unpacked files

SH256 hash:

5f2b3762fb11b82c537ef822b3e138888744c82bb635369499d0045a64c242d5

MD5 hash:

ed546f51d3289061da5ff5fa920f3ad7

SHA1 hash:

1d649f2c11cad1b691e6af7a22d73abd89b1d8b2

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/b4cb44e1-d85a-44e3-8389-d73dbd71d442/

Parent samples :

4312195a9bdb25e05a09459c7f93435fbd4351ab906a5de5eac10a5146025a91
35076221cd82da4a80f492b3a903b0c340ccc76725570ba41f9995c74c0bb485

SH256 hash:

35076221cd82da4a80f492b3a903b0c340ccc76725570ba41f9995c74c0bb485

MD5 hash:

a5a2fc05ae169c31782a7c6f12e9a8c6

SHA1 hash:

1ce3fbd2917674ac377fa5f86685e47896692178

Link:

https://www.unpac.me/results/b4cb44e1-d85a-44e3-8389-d73dbd71d442/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35076221cd82da4a80f492b3a903b0c340ccc76725570ba41f9995c74c0bb485

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/189825/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample