MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dffb38ace0630c5af9e53abbe55ad17cb42c09dfda521a584ab8707c1746e28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dffb38ace0630c5af9e53abbe55ad17cb42c09dfda521a584ab8707c1746e28
SHA3-384 hash: cf7be215047e43117804dd650c7932686fa31c9453fb3e6ccce3ae5034137715dea42fccd8eeeb8f9451a8b869ce0719
SHA1 hash: 4dd7688b52f7778c6871c26fed1a696019f406cb
MD5 hash: 3e065f6ac4f62a4f7c66c11ceaef79e0
humanhash: oranges-neptune-arizona-helium
File name:3e065f6ac4f62a4f7c66c11ceaef79e0.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'048'128 bytes
First seen:2022-03-08 17:15:58 UTC
Last seen:2022-03-08 19:51:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4550907b393aa96be6147a66cc4c986 (1 x RaccoonStealer)
ssdeep 49152:kzLkzIxD5nwg6053e7xeTXh7unMapowLbaehcNf:kPkzIx663eAxHaZbah
Threatray 9'353 similar samples on MalwareBazaar
TLSH T1A2952392E5957982D137CC72B18F82226B35DC8388BD6C7724903746A9B1DA31C7F2DE
File icon (PE):PE icon
dhash icon 7b6d7dfe3b6bfcee (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://101.99.95.5/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://101.99.95.5/ https://threatfox.abuse.ch/ioc/393044/

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248370/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.22347.1011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware hacktool overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62279a960cd58dbd926882c7/reports/02a2c680-700d-4539-b2ee-118b003118ad/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18f65e38-0d14-49d0-b8ea-05d472d02abc
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952807
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5dffb38ace0630c5af9e53abbe55ad17cb42c09dfda521a584ab8707c1746e28/
Threat name:
Win32.Trojan.Badur
Create hunting rule
Status:
Malicious
First seen:
2022-03-05 09:32:03 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lx73hcwoayymll46kov34vnnc7fufqe57wssdjmevodqpqlunyua._file
Verdict:
unknown
Similar samples:
1e061432a06c9e4935cd837118e5d68d79ec6c6bbdddcc40d8682e50db7344fa
RaccoonStealer
31ad805cd3b0420e4780a14a04ead82456043d344453405c091caafb0462d129
RaccoonStealer
33c853d0f6d5467701301b6c4dfcf49da0e556b3ac2363b5619f673033627dca
RaccoonStealer
3b5e990293dcfca8b51f8d5f6c958a9f116411d865a6fcc263203f08d42d5575
RaccoonStealer
8a1f3bf6fede5567536ef4d0b5d96451cfb1bea8b6c643752cf8475747410063
RaccoonStealer
972385a61cc340b61a7e3101c1854a589ef2a61df0cc31ef680a329c2e68f0e6
RaccoonStealer
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
RaccoonStealer
+ 9'343 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:db168a731ca66c989273d1cef0943bdcdae99d97 stealer suricata
Link:
https://tria.ge/reports/220308-vs5t5acdhp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
Unpacked files
SH256 hash:
6e925f9900650ed7819cc049899802fae928df25200e1e2a3e2fdb69d41fe511
MD5 hash:
17f763898c2fc92a243800d9f8a75d94
SHA1 hash:
3d1fba2333fc61ab1f9a4883701649d626e64b8e
Link:
https://www.unpac.me/results/18c57419-6c9c-46d7-8efa-56fa4aff0838/
SH256 hash:
5dffb38ace0630c5af9e53abbe55ad17cb42c09dfda521a584ab8707c1746e28
MD5 hash:
3e065f6ac4f62a4f7c66c11ceaef79e0
SHA1 hash:
4dd7688b52f7778c6871c26fed1a696019f406cb
Link:
https://www.unpac.me/results/18c57419-6c9c-46d7-8efa-56fa4aff0838/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5dffb38ace06/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/5dffb38ace0630c5af9e53abbe55ad17cb42c09dfda521a584ab8707c1746e28

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 5dffb38ace0630c5af9e53abbe55ad17cb42c09dfda521a584ab8707c1746e28

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2084468/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/248370/

Comments