MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5250f2676a9aff2bc9fb44f75a98bbbac098c2079246bf2228ece9638bba3e04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 3 File information Comments

SHA256 hash:	5250f2676a9aff2bc9fb44f75a98bbbac098c2079246bf2228ece9638bba3e04
SHA3-384 hash:	a10fd8fce956ab2c72a3d3a37f54b18821fff64bbdd04cfe4b646424485c977abfae36c2cc7ba7554b631212ef4b0d50
SHA1 hash:	9df74d8129ab9a375eff281511c4efc6e8343d18
MD5 hash:	64228adb5fcdacedf403389292fb159a
humanhash:	princess-fanta-steak-finch
File name:	64228adb5fcdacedf403389292fb159a.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	535'040 bytes
First seen:	2022-01-26 16:41:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	57d5db840a81e7e803bb5a77a606db21 (2 x RaccoonStealer)
ssdeep	12288:1Bi87bQcnk8iWtKy6Ov3tWwGheJQpv+lN:jiIVbdnEw0pveN
Threatray	4'596 similar samples on MalwareBazaar
TLSH	T1F3B412307E80C436D44616BC6526DFD41A6DFD71486B4252F2A83B8BBEB37C458EA21F
File icon (PE):
dhash icon	fcfcb4b4b494d9c1 (74 x Amadey, 56 x Smoke Loader, 38 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.163.204.47/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.163.204.47/	https://threatfox.abuse.ch/ioc/340640/

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

64228adb5fcdacedf403389292fb159a.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-26 23:29:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/920bb8e9-bd7f-4757-8d67-4083da2caac7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/223528/

Detection(s):

Win.Malware.Mikey-9917879-0

Win.Packed.Lockbit-9919158-0

Win.Malware.Generic-9937404-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5253/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61f179ebd73ca9d4648e454e/reports/2f6e91ac-0187-4b51-96b1-7d41d3d1aaa8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc39e839-4546-4c94-998f-1ee5d231d014

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/928116

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5250f2676a9aff2bc9fb44f75a98bbbac098c2079246bf2228ece9638bba3e04/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-01-23 20:59:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 42 (73.81%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kjipez3ktl7sxsp3it3vvgf3xlajrqqhsjdl6iri5tuwhc52hyca._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

1e061432a06c9e4935cd837118e5d68d79ec6c6bbdddcc40d8682e50db7344fa

RaccoonStealer

54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c

RaccoonStealer

70e14ddf23a5fe3d69cc50752fcc491aa2964a2cfee3d48caf182244929f9953

RaccoonStealer

7616d28ae0259737b65234b689f0ed88875aaede87f2408068ad41144dd489d0

RaccoonStealer

7d8de08a564f08ee20d746a2c445245b75247e772248073431fc30d16a4b9b14

RaccoonStealer

849beb1413d9750e1bad8a3758dc87053d47fe5cba1528723414c918625e6d27

RaccoonStealer

a206d34bbfb7274775956f308ae81339a673c0e894ed55ee1e8e0f01f20ba5fb

RaccoonStealer

e438f74e71aa80712289eaac851a59a481b24e46ba5d607e3cd42aeea6129bd8

RaccoonStealer

+ 4'586 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:db5c3e1587573de80d412dcd301d4f5260eb3b76 stealer

Link:

https://tria.ge/reports/220126-t7nzgsfcfl/

Behaviour

Raccoon

Unpacked files

SH256 hash:

f1031c1e5b01a3338e398d42c25522bca002ebcb0923e46c757227931d9df07c

MD5 hash:

1e06f281b12dba1e8dba8540db76467a

SHA1 hash:

5e72d6e56c191e80c751907b4d85670f88e5df4f

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/3b060cac-a9f0-4684-aceb-62f7b5ef2798/

Parent samples :

5250f2676a9aff2bc9fb44f75a98bbbac098c2079246bf2228ece9638bba3e04
179eb1b0cdf652cec17a8a326daf14f9992991060d0f985954c8951796eae403

SH256 hash:

5250f2676a9aff2bc9fb44f75a98bbbac098c2079246bf2228ece9638bba3e04

MD5 hash:

64228adb5fcdacedf403389292fb159a

SHA1 hash:

9df74d8129ab9a375eff281511c4efc6e8343d18

Link:

https://www.unpac.me/results/3b060cac-a9f0-4684-aceb-62f7b5ef2798/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5250f2676a9aff2bc9fb44f75a98bbbac098c2079246bf2228ece9638bba3e04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/223528/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample