MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 514cf7b9751465c6f04d46cea1c49bf846c3322a4144faffef07e314793dc5e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 514cf7b9751465c6f04d46cea1c49bf846c3322a4144faffef07e314793dc5e3
SHA3-384 hash: 04b0e4873c46d0b949e304e4fd0cf69f862e08e872c2ed67ea774dd93dabed6c1659deb13c49c8acdf5222dc991295dd
SHA1 hash: 4efd278872e7ca4c93bb2ff6527fc9c21ecbf724
MD5 hash: 2f0f374ba2a8adf6d5b1095607fa6cea
humanhash: monkey-diet-nitrogen-louisiana
File name:2f0f374ba2a8adf6d5b1095607fa6cea.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:5'517'808 bytes
First seen:2021-08-28 21:15:40 UTC
Last seen:2021-08-28 22:04:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b9290431b366a1252cf05522cb28180 (8 x RaccoonStealer)
ssdeep 98304:vwU7gEP0pm1noxqvb9FbqZULA1oq/ze+PBkBbUfg+81K1T:9d0pm1nE23AULW/i+JkBHQ1T
Threatray 1'526 similar samples on MalwareBazaar
TLSH T18C46222B52218009E1E1C8369633FEB971B61E6A8B40EC3829F77CD735BB5D56513A0F
dhash icon c8c4e8d0aab2b2b8 (2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://84.246.85.16/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://84.246.85.16/ https://threatfox.abuse.ch/ioc/201706/

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2f0f374ba2a8adf6d5b1095607fa6cea.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-28 21:18:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4da74811-cdfe-4b55-bfeb-1c178203af61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183156/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.12647.3238.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Sending a custom TCP request
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bb3a3310-4fc0-4e3d-81be-3fb319f359c5
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/840868
Signature
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/514cf7b9751465c6f04d46cea1c49bf846c3322a4144faffef07e314793dc5e3/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfgppolvcrs4n4cni3hkdre37bdmgmrkifcpv77pa7rri6j5yxrq._file
Verdict:
unknown
Similar samples:
0f0eb4a8a538f339214f86a8b084d685a4fb51d54f258f5718393003ab1ff35b
RaccoonStealer
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
RaccoonStealer
60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
RaccoonStealer
676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
RaccoonStealer
ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e
RaccoonStealer
+ 1'516 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:0a7408c65c3ceba29fcaa1d6f9f7143fe4fab73a discovery spyware stealer
Link:
https://tria.ge/reports/210828-p84yct17jn/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
32407c4dcc36250d2cffc7ee653b4836676eadefb9f6cff9535f04aa9b8001ac
MD5 hash:
12db10b578876a19c15024354503d099
SHA1 hash:
14666dfa14c012faabbe669d2c6bca7cccb81a45
Link:
https://www.unpac.me/results/e1f14a0e-edaa-4f29-8441-bef59babd562/
SH256 hash:
514cf7b9751465c6f04d46cea1c49bf846c3322a4144faffef07e314793dc5e3
MD5 hash:
2f0f374ba2a8adf6d5b1095607fa6cea
SHA1 hash:
4efd278872e7ca4c93bb2ff6527fc9c21ecbf724
Link:
https://www.unpac.me/results/e1f14a0e-edaa-4f29-8441-bef59babd562/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/514cf7b9751465c6f04d46cea1c49bf846c3322a4144faffef07e314793dc5e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 514cf7b9751465c6f04d46cea1c49bf846c3322a4144faffef07e314793dc5e3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1549207/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183156/

Comments