MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4534091eb38b64fa82a5198841c841beec6f567fdf42b41a2b8b8781adc54805. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 11



SHA256 hash: 4534091eb38b64fa82a5198841c841beec6f567fdf42b41a2b8b8781adc54805
SHA3-384 hash: 1a77ca92019b2074d8653b39615015cc88982b40183bef1560d3f3c2e7f63176a42f16708c0975729d0e178b9844c374
SHA1 hash: 747d5c952683a56a94781d42f33b5d899d548f44
MD5 hash: c1dd4c4702377c14c9dcc26a9f6475dc
humanhash: saturn-saturn-network-march
File name: 4534091EB38B64FA82A5198841C841BEEC6F567FDF42B.exe
Signature RaccoonStealer
File size: 552'448 bytes
First seen: 2021-08-26 02:31:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (251 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 12288:+IPsih9tp/crz1Uzlr6QHLvzYa77/DRlCa4cV:vs8p/Gz1W56kLvP77mHs
Threatray 2'205 similar samples on MalwareBazaar
TLSH T131C422E2DC0449F2EC122C32D762B2D15915A02199BFFE33C94BDD4C3EB4492ABA5D0A
dhash icon a29ecabc86a6ba86 (2 x RaccoonStealer)
Reporter abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://185.163.47.239/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://185.163.47.239/ | https://threatfox.abuse.ch/ioc/195888/
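The C2 URL listed above is the indicator a responder would sweep proxy logs for. The block below is an added example, not code from MalwareBazaar or ThreatFox: it parses constructed Squid-style access-log lines (the log layout, internal IPs and timestamps are assumed for illustration, not taken from this entry) and matches each request against the C2 URL from this entry, first on the exact URL and then on the bare host so that other paths on the same server are also flagged, while a neighbouring address such as 185.163.47.240 is not. Because the sandbox behaviour further down reports an HTTP POST to the C2, POSTs are ranked higher than GETs.

```python
"""Sweep constructed proxy-log lines for the RaccoonStealer C2 in this entry.

Added example, not MalwareBazaar or ThreatFox code. The log format and the
client/IP/timestamp values below are constructed for illustration; the only
indicator used is the C2 URL published in this entry.
"""
import re
from urllib.parse import urlsplit

# Indicator taken from this entry (ThreatFox IOC 195888).
C2_URLS = {"http://185.163.47.239/"}

# Derived from C2_URLS: the bare host, so a hit does not depend on the
# exact path the stealer posts to.
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# Constructed log lines (not real traffic) in a Squid access.log-like layout:
# timestamp elapsed client action/status bytes method url ident hierarchy type
SAMPLE_LOG = """\
1629945067.123    215 10.0.0.15 TCP_MISS/200 1834 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1629945072.456    310 10.0.0.15 TCP_MISS/200 512 POST http://185.163.47.239/ - HIER_DIRECT/185.163.47.239 text/html
1629945080.789    120 10.0.0.22 TCP_MISS/200 40 POST http://185.163.47.239/gate/log.php - HIER_DIRECT/185.163.47.239 text/plain
1629945090.001     90 10.0.0.31 TCP_MISS/404 300 GET http://185.163.47.240/ - HIER_DIRECT/185.163.47.240 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return (ts, client, method, url), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("client"), m.group("method"), m.group("url")


def match_c2(url):
    """Return the indicator that matched, or None.

    An exact URL match is the strongest evidence; a host match still catches
    traffic to other paths on the same C2 server. A different address in the
    same /24 (e.g. 185.163.47.240) is not an indicator and must not match.
    """
    if url in C2_URLS:
        return url
    host = urlsplit(url).hostname
    if host in C2_HOSTS:
        return host
    return None


def scan_log(text):
    """Return one hit dict per log line whose URL touches the C2 indicator."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, method, url = parsed
        ioc = match_c2(url)
        if ioc is None:
            continue
        hits.append({
            "ts": ts, "client": client, "method": method, "url": url, "ioc": ioc,
            # The sandbox report for this sample shows a POST to the C2, which is
            # the check-in/exfil beacon; a bare GET is weaker evidence.
            "severity": "high" if method == "POST" else "medium",
        })
    return hits


def affected_hosts(text):
    """Distinct internal clients that contacted the C2, for incident scoping."""
    return sorted({h["client"] for h in scan_log(text)})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("affected hosts:", affected_hosts(SAMPLE_LOG))
```

Host-level matching is deliberate: a proxy search on the exact URL alone would miss the second POST above, which goes to a different path on the same C2 address. Swap `SAMPLE_LOG` for your own proxy export and adjust `LOG_RE` to its column order.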

Intelligence


File Origin
# of uploads: 1
# of downloads: 155
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4534091EB38B64FA82A5198841C841BEEC6F567FDF42B.exe
Verdict: Malicious activity
Analysis date: 2021-08-26 02:36:42 UTC
Tags: trojan stealer raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw
Score: 92 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-01-06 00:55:20 UTC
AV detection: 22 of 27 (81.48%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:48f173f191a42f0a06d44a1d5262eb98e1d6778c stealer upx
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Raccoon Stealer Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: a2cb965c4dbb8754068b8b637317f6fbda32c6c3926e6c6f81f1f4bb8eaf0395
MD5 hash: e44eed650714cdc2f312224c157aed86
SHA1 hash: b961b7e26eb7607ef43f04ea3425ab4c4818833b
Detections: win_raccoon_auto

SHA256 hash: cf9588ac6d9e1e69dad6298a0e1fa89c4930afdb5d522493f3bc56a5dbebd1d1
MD5 hash: cf16775ae7412187781d1962ff728f3c
SHA1 hash: 98a3f62e391e397a183348f6967b5b16b3d7bfb0

SHA256 hash: 4534091eb38b64fa82a5198841c841beec6f567fdf42b41a2b8b8781adc54805
MD5 hash: c1dd4c4702377c14c9dcc26a9f6475dc
SHA1 hash: 747d5c952683a56a94781d42f33b5d899d548f44
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments