MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3963cd89bb2d8ab3b3cf093cd70c5bebb9d1a10404c2c6414566b1ec86691e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 14



SHA256 hash: 3963cd89bb2d8ab3b3cf093cd70c5bebb9d1a10404c2c6414566b1ec86691e55
SHA3-384 hash: 25aeebd1974a766f86facfc76109a49ddd026db62ec3ae262e2485fee15a5afdf7bce49e85304d7105906ba44ee7b6f9
SHA1 hash: e2e1291a2541677cf9bddc475a2bf62594b18abb
MD5 hash: 84d6b5947ebfef649dd4f81f21ccf3a1
humanhash: pluto-carpet-mirror-ten
File name: 84d6b5947ebfef649dd4f81f21ccf3a1.exe
Download: download sample
Signature: RaccoonStealer
File size: 529'920 bytes
First seen: 2022-03-12 00:11:13 UTC
Last seen: 2022-03-12 01:36:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 08d6e3c6816e346693eca17698671629 (8 x RaccoonStealer, 2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep: 6144:vKgTE7oltDc/jiVNMgEnZh1pfWtrr0MczTKGE3jM+CdsJFl8FORczMJyRtTmNO+Q:vKgw7Dj9PHnE3jdCmFn6MJyjm
Threatray: 5'929 similar samples on MalwareBazaar
TLSH: T130B41232B7D0C0B3D9E767B15824C2A15B3F3A319972C88677A406BD1F323D0AA79756
File icon (PE): PE icon
dhash icon: 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://194.180.158.174/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.158.174/
ThreatFox reference: https://threatfox.abuse.ch/ioc/393789/

Intelligence


File Origin
# of uploads: 2
# of downloads: 263
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Searching for the window

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Verdict: UNKNOWN
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious

Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour:
Behavior Graph:

Threat name: Win32.Trojan.Strab
Status: Malicious
First seen: 2022-03-11 23:52:23 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 19 of 27 (70.37%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:1c0fad6805a0f65d7b597130eb9f089ffbe9857d stealer suricata
Behaviour:
Program crash
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
Unpacked files:
SHA256 hash: 57d8722b81f3422d9e11479df8cdb6d060a88a9a19d5830081b6e438359bfffd
MD5 hash: 99a2d926038a79ae9fb71464b9bbc446
SHA1 hash: c8bbe2953a8f56e738c961c496d84b616fa22fa7
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: 3963cd89bb2d8ab3b3cf093cd70c5bebb9d1a10404c2c6414566b1ec86691e55
MD5 hash: 84d6b5947ebfef649dd4f81f21ccf3a1
SHA1 hash: e2e1291a2541677cf9bddc475a2bf62594b18abb
Malware family: Raccoon v1.7.2
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: RaccoonStealer
File: Executable exe 3963cd89bb2d8ab3b3cf093cd70c5bebb9d1a10404c2c6414566b1ec86691e55 (this sample)

Comments