MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e
SHA3-384 hash: 56068ee00544efb8a19dc143319bae392f4734adb7155da0787d4177a8bc15ae51f6db3d2dc481e3192c78ede5ecd423
SHA1 hash: ef3b893b8975cfda47d9a5020071ec64130ce66b
MD5 hash: f336d238c205805efe0d7bfdd02287ae
humanhash: minnesota-april-kansas-utah
File name:16113Ihre Sparkasse informiert 24. September.scr
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:568'389 bytes
First seen:2021-09-24 17:36:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 658c49f2b142429657b3337ed8c9de9e (4 x RaccoonStealer, 3 x RedLineStealer, 1 x DanaBot)
ssdeep 12288:TXcOGDw1/6qtZ/U/nydI8lZROBPZx9jFr9j:wDw1//Z/6kISROtF
Threatray 3'204 similar samples on MalwareBazaar
TLSH T187C4F111BBE0C430E6B722B594F99378AA39BDB06B74C5CB63C545DA07A4AE0DC30397
File icon (PE):PE icon
dhash icon ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter neoxmorpheus1
Tags:DEU exe geo RaccoonStealer scr

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.37/ https://threatfox.abuse.ch/ioc/226142/

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16113Ihre Sparkasse informiert 24. September.scr
Verdict:
Malicious activity
Analysis date:
2021-09-24 17:38:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0814765a-3a20-45fc-9963-2939020c790b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191224/
Detection(s):
Win.Packed.Generic-9896112-0
Create hunting rule

Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d325956b-af49-4111-b470-0e579b3954ae
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857363
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 17:37:08 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ktfneg5tjs6z4m3oswqntswdx5j7xoknd4ct6fwqidk5r3mznzxa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
09228fe3797c2de61f4cc484d22b7eed17ec9cc7d2e722c650ef525def22801b
RaccoonStealer
24d74834868ad2cd944eb3f5a863383e851bee9231c870258dd5ba4bddf58e83
RaccoonStealer
67d16a17f27f15cf21671ccb406e1e8b647aaf90c72c9b276bdbc7eb788ab0c3
RaccoonStealer
7cfa34e7f6ea3ee53ef9911983581f2c8865363d1e8de9d40ea42775de0f9e7e
RaccoonStealer
9f60a157b1a91cc18125825a286baaf011e65b0808be4adda258c3180f0be3ac
RaccoonStealer
b8fa5db247142aeb5f090fe861606d46dbcd50cf36249b0e422384a32d1dfc2b
RaccoonStealer
be54f94776405673d2e6d5c453d540dc93c8f4057d4abb0e046b77f926ed9db2
RaccoonStealer
d00b481be4fa65ceba3125d6741e76792fd98fe4ed427dd498afda550c1927d1
RaccoonStealer
e4a17e7fabd31dca0c8ffa32fdb6ffbe1d4a696e2a6636186787b8259b95eb54
RaccoonStealer
f4e89acd2fe686f7b8006dec8326057703ce9ae4c2636a6119ae48ef4db1fdcb
RaccoonStealer
+ 3'194 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:b9905b767dbd1678bb046cbc1696faa3058ae6ba discovery spyware stealer suricata
Link:
https://tria.ge/reports/210924-v66ctahdcn/
Behaviour
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SH256 hash:
9985750072ab0aef4db0e2d26fdde78384c72083b8c445e67ec7c70c80b5ce7e
MD5 hash:
f187a2bdc6e41e2e497cb1ac1482e9d2
SHA1 hash:
c8c7fac7aad65f06b3886f7f3b68f7f57685e6de
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/656f16d9-9545-42fc-8233-c983018012e6/
Parent samples :
54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e
6fba94fad3e01d57b5405b62aefc567342445131e99681532bf16d691953959f
2762f83a68c4f2c6c2248000fc0071f3c39565e8fef8239e085fe71a7b5a0a57
a4e96ae6829639366a4f4ecad2a0783cbe4dae67dd27bf91e525c742a2bc19f3
SH256 hash:
54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e
MD5 hash:
f336d238c205805efe0d7bfdd02287ae
SHA1 hash:
ef3b893b8975cfda47d9a5020071ec64130ce66b
Link:
https://www.unpac.me/results/656f16d9-9545-42fc-8233-c983018012e6/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/54cad21bb34c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191224/

Comments