MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5676e0a540f1996d4866fe92847a70f40b43a8d7a2e4622053126f4b19e318ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	5676e0a540f1996d4866fe92847a70f40b43a8d7a2e4622053126f4b19e318ea
SHA3-384 hash:	1e1eb1fb09091d4769e1bfbb41eba3691cd00757fdde17b3713468f8b9b3160ae6d3306a49113dab617ead7239642bca
SHA1 hash:	2499ec077708dc91eeb5fa1df21952835e3fa05e
MD5 hash:	bdf583da337e0c5f6b2243f8053a3c05
humanhash:	cardinal-east-diet-july
File name:	bdf583da337e0c5f6b2243f8053a3c05.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	733'696 bytes
First seen:	2021-12-29 16:05:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bbdc5cea7d9bbd6ae9c6a36e9d9fb769 (8 x RedLineStealer, 3 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	12288:A1l8N9umSUU9DqRBWYnX5YWyMf7fc0YBqcfiC4FdquAbTTIez5Z:ZNK9DqnhnX5Nt7fcDqxnqjd
Threatray	5'080 similar samples on MalwareBazaar
TLSH	T18EF4F110BBA0D035F5F722F84579A679B63E7AA0AB3490CB62D517E94774AE0EC30347
File icon (PE):
dhash icon	68e8e8e8aa62a499 (8 x RedLineStealer, 7 x RaccoonStealer, 3 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.163.204.24/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.163.204.24/	https://threatfox.abuse.ch/ioc/289030/

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bdf583da337e0c5f6b2243f8053a3c05.exe

Verdict:

Malicious activity

Analysis date:

2021-12-29 16:10:20 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/fe59ec61-b62e-4aeb-9b75-d3661b4bf516

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/216798/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Changing an executable file

Creating a window

Unauthorized injection to a recently created process

Сreating synchronization primitives

Modifying an executable file

DNS request

Sending a custom TCP request

Sending an HTTP POST request

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Query of malicious DNS domain

Infecting executable files

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

banload coinminer greyware nimnul packed ramnit virus

Link:

https://www.filescan.io/uploads/61cc876e4ab5c44cbf564916/reports/b04b0cdf-c167-444a-9868-8d64dfaa325b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f0785b33-f731-4a97-a309-7d20fff35ce1

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

99 / 100

Link:

https://www.joesandbox.com/analysis/913850

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

Tries to evade analysis by execution special instruction which cause usermode exception

Uses known network protocols on non-standard ports

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5676e0a540f1996d4866fe92847a70f40b43a8d7a2e4622053126f4b19e318ea/

Threat name:

Win32.Virus.Wapomi

Status:

Malicious

First seen:

2021-12-27 10:20:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

41 of 43 (95.35%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kz3objka6gmw2sdg72jii6tq6qfuhkgxulsgeictcjxuwgpdddva._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

3a3032f28b080be56626c4ff6c345fe83457e4148644026b4899e6aead5bd570

RaccoonStealer

919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281

RaccoonStealer

bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11

RaccoonStealer

cfe0285c92fd3ba73b574809c128333d493a354b509aafbf9d05402f8f82fc93

RaccoonStealer

d09f1f4d1e5cf1ea2c2ffcf037bb2af20315e592f5c7f6d8692c1b60c2713927

RaccoonStealer

+ 5'070 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:b620be4c85b4051a92040003edbc322be4eb082d aspackv2 stealer

Link:

https://tria.ge/reports/211229-tj3sqsdehq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

9e166608fd14618b17f23266784c1ba85735fe33af8dd7c4a341beecb6a5d9d0

MD5 hash:

aeefcda83a1e05d4c568cb94e023d9eb

SHA1 hash:

ceca52d585b22485fc7b2427127334ffb0c4b7d0

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/f09c38f0-bf65-4c7c-bedd-f812c8b57eb9/

Parent samples :

68d61644f7d6304a670f5beb08f72b7f4ccff94768bbba63618b3395efad0dcc
a68f787d330808769f87c48f03f9da428bba40595757cd045535b20c7d66d53e
56283f214f84bf23a55813990e2147767f71a61c6158ed1e5e9178527a6f90f1
919ccc1f90bae8d58cc6ef51359e15af853de90a7083c640b5c2a99eb1a61281
5676e0a540f1996d4866fe92847a70f40b43a8d7a2e4622053126f4b19e318ea

SH256 hash:

e0936284ba099cf7ad7a10877cd3471747832fb89ad95a3ddb69c16324e90a6f

MD5 hash:

7e248ae62621392fc55d1715c7eab460

SHA1 hash:

b69656b66e5612eeb921bb295c76c23bb2046a3a

Link:

https://www.unpac.me/results/f09c38f0-bf65-4c7c-bedd-f812c8b57eb9/

SH256 hash:

5de1809d2e19fa5fa05a4670e6a663a615a8ab8fe5d313268faae791b33a0991

MD5 hash:

2c5b310a9ca64a18f1120756e405f0e3

SHA1 hash:

a4d9a7226f20c07c18e9e816c93abed53d0da26e

Detections:

win_unidentified_045_g0

win_unidentified_045_auto

Link:

https://www.unpac.me/results/f09c38f0-bf65-4c7c-bedd-f812c8b57eb9/

SH256 hash:

5676e0a540f1996d4866fe92847a70f40b43a8d7a2e4622053126f4b19e318ea

MD5 hash:

bdf583da337e0c5f6b2243f8053a3c05

SHA1 hash:

2499ec077708dc91eeb5fa1df21952835e3fa05e

Link:

https://www.unpac.me/results/f09c38f0-bf65-4c7c-bedd-f812c8b57eb9/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5676e0a540f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5676e0a540f1996d4866fe92847a70f40b43a8d7a2e4622053126f4b19e318ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	win_unidentified_045_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.unidentified_045.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/216798/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample