MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35fc76dd32ea2678866d7aa9dcacd71093c79ef2578e413162a75615ade5e4dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35fc76dd32ea2678866d7aa9dcacd71093c79ef2578e413162a75615ade5e4dd
SHA3-384 hash: 0795f3cb5f7156d3fda6e5255b2dd3f7d3807baa0f9081c04ad7672cc56ff676277a53f1cb808b7c074a219e164d0f61
SHA1 hash: bc13f06b925338cc351ba1f44d1b27de10360ba1
MD5 hash: d0a8cb42c4e0709d80697689921ed8ab
humanhash: two-mobile-monkey-winter
File name:d0a8cb42c4e0709d80697689921ed8ab
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:649'888 bytes
First seen:2021-08-08 04:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8IQ4XNM31bJIAbG4gDSghtId8GXPQSxT3k5h6r/kjPIwGAZkj:8teNM3IAbG4gD5h6yGXPLl0ireIwRZkj
Threatray 1'702 similar samples on MalwareBazaar
TLSH T1C1D4E044B2A58003C68E52B074C55181AAB47DE7797ADAF22CB773DE9AB97C53C0D20F
dhash icon 0012160616161616 (1 x RaccoonStealer)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d0a8cb42c4e0709d80697689921ed8ab
Verdict:
Malicious activity
Analysis date:
2021-08-08 04:30:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/99fab86e-6ab6-4262-9745-e12afcd155f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177206/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/555ba937-1819-4652-b179-e62fd9d525c5
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/828716
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35fc76dd32ea2678866d7aa9dcacd71093c79ef2578e413162a75615ade5e4dd/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 13:32:00 UTC
AV detection:
24 of 47 (51.06%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gx6hnxjs5ithrbtnpku5zlgxccj4phxsk6hecmlcu5lbllpf4toq._file
Verdict:
malicious
Similar samples:
0942b0bd255b0ec2b3ee637482262a7cd9116701853c96d662019a192cbf34a6
RaccoonStealer
18d0024251d5fab936f344a0d05785f40d3f18f2ea78fb8139f941b0d36a1f7b
RaccoonStealer
1d7c32fbb0d4f6fa794e0dfd1e50396e0e90d5a6d776110037084908c721a835
RaccoonStealer
4afb5969afd2c92b331d1fef3412103b6fa4d1ab3f386b9cf505b694038790bc
RaccoonStealer
730144805e2ef1f9c421b9ecf049fcd11985715a7119bad37214cf7bd5281aef
RaccoonStealer
74ce135948ae4d7c53c90befa412fad2e458fffd74df281d2f3525745a025a18
RaccoonStealer
9eac1828152c86d73ece95e636fdf83d54b8658a8f7175aac48e96127e13f064
RaccoonStealer
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d
RaccoonStealer
c3271923866c3b970f171da75cb02a490ce5f5e1fda207e9efcc3c507d82a0be
RaccoonStealer
f5ce1abb61275e3402f49f48e8094bd2aa038f03845c41e2b7f570c66666794a
RaccoonStealer
+ 1'692 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1ff78aeef2c0f62b7e4dc0223a6b2d818b6965e5 stealer
Link:
https://tria.ge/reports/210808-5csrhna7ya/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Raccoon
Raccoon Stealer Payload
Unpacked files
SH256 hash:
ac5846f228d705152b5a336da9dfcbe93faceb48dd3884b43b639897ca2e9bbf
MD5 hash:
4bc31338991098f1591db972f035eef1
SHA1 hash:
ff8f23c66d75b02c15e79f6128f98d4bbd9b6a77
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/6a976fff-e283-43cf-84f7-7815ccbbb816/
SH256 hash:
c17ec5409c448e6af51aa56e3030e207ff47097c469c1912db5980a6dd70f1b4
MD5 hash:
ed25e9cae4ce1bcad5e8921f61cabc98
SHA1 hash:
6299f28318c249eff94d38b42742624587750ba1
Link:
https://www.unpac.me/results/6a976fff-e283-43cf-84f7-7815ccbbb816/
SH256 hash:
35fc76dd32ea2678866d7aa9dcacd71093c79ef2578e413162a75615ade5e4dd
MD5 hash:
d0a8cb42c4e0709d80697689921ed8ab
SHA1 hash:
bc13f06b925338cc351ba1f44d1b27de10360ba1
Link:
https://www.unpac.me/results/6a976fff-e283-43cf-84f7-7815ccbbb816/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/35fc76dd32ea2678866d7aa9dcacd71093c79ef2578e413162a75615ade5e4dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 35fc76dd32ea2678866d7aa9dcacd71093c79ef2578e413162a75615ade5e4dd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1515425/
Cape
Cape
https://www.capesandbox.com/analysis/177206/

Comments


Avatar
zbet commented on 2021-08-08 04:28:01 UTC

url : hxxp://152.89.247.174/blog/files/fb0868812af93479b206e5487e1343597b2634de.exe