MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bdacdc106dccb1068826353c41ec72f533718cf09a398a0b5966f40d9863165. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 14



SHA256 hash: 5bdacdc106dccb1068826353c41ec72f533718cf09a398a0b5966f40d9863165
SHA3-384 hash: c60101fe05ba129a3632139c619b4defd1ae27cdefbd6f360a51c48ff1da2394421400cdf0cdead4cfe4eb799200d953
SHA1 hash: e0f6e3bda3739865125f62bebcdc6457af32bf9c
MD5 hash: 54f514d1a984a45bfa635e33b6e097a1
humanhash: mirror-uranus-carolina-april
File name: 54f514d1a984a45bfa635e33b6e097a1
Signature: RaccoonStealer
File size: 422'400 bytes
First seen: 2021-08-09 04:16:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00a47d6be4445a02dce374ef34dd9b76 (3 x RaccoonStealer, 1 x DanaBot)
ssdeep: 12288:q5VcdY1POjU8cB06VtORB1tDT8Qk7MQnELO:RAPBBFVtqtDTDk7XE
Threatray: 1'664 similar samples on MalwareBazaar
TLSH: T186941205F770CA33D4C621301C3DF6A096F96D321BB19947BF9A2B1E1E693E15E2931A
dhash icon: 1072c091b0381802 (1 x RaccoonStealer)
Reporter: zbetcheckin
Tags: 32 exe RaccoonStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://74.119.195.134/
ThreatFox reference: https://threatfox.abuse.ch/ioc/166044/

Intelligence


File Origin
# of uploads: 1
# of downloads: 107
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 54f514d1a984a45bfa635e33b6e097a1
Verdict: Malicious activity
Analysis date: 2021-08-09 04:20:36 UTC
Tags: trojan stealer raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infostealer behavior detected
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-08-07 03:07:23 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:e593428d572f64087cbbaacf2f970ff1f26a86b7 stealer
Behaviour
Modifies system certificate store
Raccoon
Raccoon Stealer Payload
Unpacked files
SHA256 hash: 10db9fbf9d30f257b7b341b60764f92205d216b091d7e996b390e56e27fb2452
MD5 hash: fe718ffbfbb671216cbb600108aeed8e
SHA1 hash: d9bc3c168e0c8760dacf98e808060eb60ae493e4
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: 5bdacdc106dccb1068826353c41ec72f533718cf09a398a0b5966f40d9863165
MD5 hash: 54f514d1a984a45bfa635e33b6e097a1
SHA1 hash: e0f6e3bda3739865125f62bebcdc6457af32bf9c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer.
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RaccoonStealer
Executable exe 5bdacdc106dccb1068826353c41ec72f533718cf09a398a0b5966f40d9863165 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-09 04:16:17 UTC

url : hxxp://194.26.29.184/racoon.exe