MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73842595c824b3ed06e5e975c9fb247012ea58dba4facc6c1ecb1c7608b30032. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 6 File information Comments

SHA256 hash:	73842595c824b3ed06e5e975c9fb247012ea58dba4facc6c1ecb1c7608b30032
SHA3-384 hash:	d2c436e42affda32d647c35127977381526834efe608f0f55e29f31e5568f305e9ec9599f76b9c21322eff35a09b5be5
SHA1 hash:	87f62ea3871f7751c097a429d6533e1bdef7d0e4
MD5 hash:	327caa0e0bbaa62deae08f92fb82318e
humanhash:	william-bluebird-maryland-early
File name:	73842595C824B3ED06E5E975C9FB247012EA58DBA4FAC.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	7'520'792 bytes
First seen:	2021-06-20 17:30:20 UTC
Last seen:	2021-06-20 18:33:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	58ca43c54c545fb000b546dccfb3c7d1 (4 x RaccoonStealer)
ssdeep	98304:qG+k/8jC9gnjuGjOUIarmWSFscnCdhaKp7Ps9ATNR/JB0uIqqYjIzw9nm:cegjuMEDfFxKDEuNY5
Threatray	33 similar samples on MalwareBazaar
TLSH	05767CE1B90AB7DFD19F16799417DD43E53D03FC4B100922ECADB87AAD62E853285C28
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://34.105.169.29/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://34.105.169.29/	https://threatfox.abuse.ch/ioc/137379/

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

73842595C824B3ED06E5E975C9FB247012EA58DBA4FAC.exe

Verdict:

No threats detected

Analysis date:

2021-06-20 17:35:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/39a72e42-5155-4ee0-a2f3-625f07069625

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/167211/

Detection(s):

SecuriteInfo.com.Variant.Razy.723832.12847.26469.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/872eadd9-24e1-444c-9ebc-ec6ae74d4ca2

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/804960

Signature

Antivirus / Scanner detection for submitted sample

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to evade analysis by execution special instruction which cause usermode exception

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/73842595c824b3ed06e5e975c9fb247012ea58dba4facc6c1ecb1c7608b30032/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-04-05 20:52:09 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oocclfoiesz62bxf5f24t6zeoajouwg3ut5my3a6zmohmcftaaza._file

Verdict:

unknown

RaccoonStealer

433811102726bc15416ca338a2df55ec1daaf3f2565ee00d7f6484064746fb30

RaccoonStealer

546e5320773891c160621ec99d48fb4d90d6d58bc26ab01d7e5a3f16fec9636c

RaccoonStealer

99b9b649c59745f1544c91ffe35dad1e1529c9cb6715325c95ee396bbe3db2ab

RaccoonStealer

a1226fa2480bd40c0490b5ce5e1407f663a27cbbb77187d70dc8557d78d46c5c

RaccoonStealer

bf375d5c15abb5c57b0cc3371a3537b79560fe82b1aff486afde752e05971ebb

RaccoonStealer

c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54

RaccoonStealer

d1e3656b4e1c609b2540cff74f59319a52d7fabf4cc512db0c7f9d3e8fe49ec7

RaccoonStealer

d7088573e0239d3260dc7ff251b3b0e1d3979d854b3d0442f7dc43226f9263ed

RaccoonStealer

f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de

RaccoonStealer

+ 23 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/210620-d59bszfqfn/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

73842595c824b3ed06e5e975c9fb247012ea58dba4facc6c1ecb1c7608b30032

MD5 hash:

327caa0e0bbaa62deae08f92fb82318e

SHA1 hash:

87f62ea3871f7751c097a429d6533e1bdef7d0e4

Link:

https://www.unpac.me/results/ccf726a0-2146-4527-b715-0bed7e110f2f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/73842595c824b3ed06e5e975c9fb247012ea58dba4facc6c1ecb1c7608b30032

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/167211/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample