MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5146dcf82d334df70b5d75763f4625af0694934aa667e9faaadfad02c56c85a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	5146dcf82d334df70b5d75763f4625af0694934aa667e9faaadfad02c56c85a9
SHA3-384 hash:	b990ef3ecd91682f1447f3caad61dd58441fd324a94ee75068b27da92aaeec6f00f515ece5c429ccf01c9e5b71c14adb
SHA1 hash:	84f206e3f782a58c122be02dc107210ac894e6ea
MD5 hash:	8c9b46d8c682557e142bf5e96b70709a
humanhash:	nebraska-oranges-network-hotel
File name:	8c9b46d8c682557e142bf5e96b70709a.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'182'208 bytes
First seen:	2021-06-20 23:40:24 UTC
Last seen:	2021-06-21 01:05:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:3s0YQCWrvyQbD2o7z/bVJvlP2t1AQWldhIOku/gNyM6Zy:3s0YQCQbD2o7P1G1AQAdhIOku/gV6Z
Threatray	1'653 similar samples on MalwareBazaar
TLSH	B04529303FB863D6E07AEAA145ABB447C9ED61FA250DC8CD5C5007C557326CB4AF2D29
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://34.105.169.29/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://34.105.169.29/	https://threatfox.abuse.ch/ioc/137379/

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8c9b46d8c682557e142bf5e96b70709a.exe

Verdict:

Malicious activity

Analysis date:

2021-06-20 23:41:37 UTC

Tags:

trojan stealer raccoon loader

Link:

https://app.any.run/tasks/c6ba0392-8a8a-45c5-8ce0-531902b16f25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.849.3457.6804.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f3ba0fc2-e5f5-4980-b7b0-9f2c964eb337

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/5146dcf82d334df70b5d75763f4625af0694934aa667e9faaadfad02c56c85a9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-19 15:53:19 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kfdnz6bngng7oc25ov3d6rrfv4djje2kuzt6t6vk36wqfrlmqwuq._file

Verdict:

malicious

RaccoonStealer

24a722ce99ba486cf511c6534f66b8e8c9e7f90836dbcbd46e608dc085657a1c

RaccoonStealer

3bbc9dc239950316f60ce159afff3e7d7d1ea57c0feb1288a699da981662b9d5

RaccoonStealer

3d528b742ada6b08740dd5413b53471fadd61ca065332bd768904603bd640fa6

RaccoonStealer

4a0f69418fd192f33d63baeb991a343db79af86be3cde253f38b05ac33205d9e

RaccoonStealer

612e83248527b731211cc4161bf7c9bf3c15c59312725ef1285902558c3ceb70

RaccoonStealer

67ee0a1422563807cb5af36dd2527d3e96f5532f34020c0cdacb4325d31d77b0

RaccoonStealer

b46bcadf27236d47a847bf4d96e24db984c7f61485b0eec1f97ca1e3c3ac4079

RaccoonStealer

c84e411fb1f1ffeb1de2b123f7259409b93f6dd3e67c227373ea22d3e7efcdf2

RaccoonStealer

dd1dea95bf17e3f135d2740e87d8b9f08ccf347e4ff832b9e747f775017ff346

RaccoonStealer

+ 1'643 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon discovery spyware stealer

Link:

https://tria.ge/reports/210620-xj6msfd952/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Unpacked files

SH256 hash:

db7f159f12ac70a9cd7259c92e6d339653f51e6b5f5327400325d253b20c7875

MD5 hash:

0db3054496e364d8c328f5b26d46cdf5

SHA1 hash:

40aed2da4898140f15593c7cb91b427be0823219

Link:

https://www.unpac.me/results/b499830b-d94e-4ca8-ba61-d71871306cd0/

SH256 hash:

5146dcf82d334df70b5d75763f4625af0694934aa667e9faaadfad02c56c85a9

MD5 hash:

8c9b46d8c682557e142bf5e96b70709a

SHA1 hash:

84f206e3f782a58c122be02dc107210ac894e6ea

Link:

https://www.unpac.me/results/b499830b-d94e-4ca8-ba61-d71871306cd0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5146dcf82d334df70b5d75763f4625af0694934aa667e9faaadfad02c56c85a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample