MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75c941b968a0da0f653a9e21ec2939d615e49e4ffc3f64bb16e00170a5457b5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 13



SHA256 hash: 75c941b968a0da0f653a9e21ec2939d615e49e4ffc3f64bb16e00170a5457b5a
SHA3-384 hash: f3cef79870a6b400b0cba4b8fa17b2256fceb4990a9eceb298c5667821e848af0994e93ab82c5f1f2c5f2621d1097288
SHA1 hash: 5c57bf6d8d63c9a322cf63267f860bf8fb2fe08c
MD5 hash: 9d1b1acf7876b24e9defb19e6d261d73
humanhash: happy-skylark-eighteen-fish
File name: 9d1b1acf7876b24e9defb19e6d261d73.exe
Signature: RaccoonStealer
File size: 499'712 bytes
First seen: 2021-09-10 13:05:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 311b6c030e043059833e0196a691b0ad (3 x RaccoonStealer, 1 x Tofsee, 1 x RedLineStealer)
ssdeep: 12288:YaC9uRvoSXDM7IlyYZ4Kmub2epmAWwxa5aQ:YaCsii4rub7pRa5a
Threatray: 3'005 similar samples on MalwareBazaar
TLSH: T183B4F12077E1E071C466D5B18966C6B09B7E38306974A48FB79D1FAD7F312D2273A382
dhash icon: fcfcd4f4d4d4d8c0 (23 x RedLineStealer, 21 x RaccoonStealer, 6 x Smoke Loader)
Reporter: abuse_ch
Tags: exe RaccoonStealer
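The four cryptographic hashes above are exact-match indicators: a practitioner who has a suspicious file wants to know whether it is byte-for-byte this sample, and a partial match (say MD5 agrees but SHA256 does not) means the IOC list itself is wrong and needs a second look. The script below is an added example, not MalwareBazaar code. ENTRY_HASHES is copied from the entry; the bytes hashed in the usage section are a constructed placeholder and do not hash to those values. It sticks to the hashes Python's standard library can compute; imphash (pefile), ssdeep and TLSH need third-party libraries and are what you would reach for when a repacked sample breaks every exact hash.

```python
"""Verify a file against the hash IOCs listed in this MalwareBazaar entry.

Added example, not MalwareBazaar code. ENTRY_HASHES is copied from the entry
above; SAMPLE_BYTES is constructed and does not hash to those values.
"""
import hashlib
from typing import Dict, Iterable, Iterator

# Copied from the entry above. hashlib names: md5, sha1, sha256, sha3_384.
ENTRY_HASHES: Dict[str, str] = {
    "md5": "9d1b1acf7876b24e9defb19e6d261d73",
    "sha1": "5c57bf6d8d63c9a322cf63267f860bf8fb2fe08c",
    "sha256": "75c941b968a0da0f653a9e21ec2939d615e49e4ffc3f64bb16e00170a5457b5a",
    "sha3_384": ("f3cef79870a6b400b0cba4b8fa17b2256fceb4990a9eceb298c5667821e848af"
                 "0994e93ab82c5f1f2c5f2621d1097288"),
}

CHUNK_SIZE = 1 << 20  # 1 MiB reads so large files are never loaded whole


def compute_hashes(chunks: Iterable[bytes],
                   algorithms: Iterable[str] = tuple(ENTRY_HASHES)) -> Dict[str, str]:
    """Hash a stream of byte chunks with every algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def read_chunks(path: str) -> Iterator[bytes]:
    """Yield a file's bytes in CHUNK_SIZE pieces."""
    with open(path, "rb") as f:
        yield from iter(lambda: f.read(CHUNK_SIZE), b"")


def hash_file(path: str) -> Dict[str, str]:
    return compute_hashes(read_chunks(path))


def match_iocs(observed: Dict[str, str], iocs: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm comparison; hex case differs between tools, so normalise it."""
    return {name: observed.get(name, "").lower() == value.lower()
            for name, value in iocs.items()}


def verdict(matches: Dict[str, bool]) -> str:
    """'match' when every listed hash agrees, 'none' when none does.
    'partial' should never happen for a correct IOC set: it means the
    indicators were copied from different files or one of them is wrong."""
    hits = sum(matches.values())
    if hits and hits == len(matches):
        return "match"
    if hits == 0:
        return "none"
    return "partial"


# Constructed input: a fake MZ header plus filler, NOT the real sample.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real sample"

if __name__ == "__main__":
    observed = compute_hashes([SAMPLE_BYTES])
    for algo, ok in match_iocs(observed, ENTRY_HASHES).items():
        print(f"{algo:8s} {'MATCH' if ok else 'differs'}  {observed[algo]}")
    print(verdict(match_iocs(observed, ENTRY_HASHES)))  # none
```

To check a real file, call `hash_file(path)` in place of `compute_hashes([SAMPLE_BYTES])`; every algorithm is fed from one read of the file, so the cost is one pass regardless of how many hash types the IOC set lists.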


abuse_ch
RaccoonStealer C2:
http://5.181.156.77/

Indicators Of Compromise (IOCs)


Below is the list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://5.181.156.77/
ThreatFox reference: https://threatfox.abuse.ch/ioc/219656/

Intelligence


File Origin
# of uploads: 1
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9d1b1acf7876b24e9defb19e6d261d73.exe
Verdict: Malicious activity
Analysis date: 2021-09-10 13:07:18 UTC
Tags: trojan stealer raccoon loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Clipboard Hijacker Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID 481215; sample vSTM2LDjP1.exe; start date 10/09/2021; architecture: WINDOWS; score: 100), flattened from the graph image:

Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Yara detected Clipboard Hijacker; 3 other signatures

Process tree:
vSTM2LDjP1.exe (started)
  Network: jaliemaval.xyz 94.140.112.64, ports 49742, 80 (TELEMACH Broadband Access Carrier Services SI, Latvia); telete.in 195.201.225.248, ports 443, 49733 (HETZNER-AS DE, Germany); 5.181.156.77, ports 49734, 49735, 80 (MIVOCLOUD MD, Moldova, Republic of)
  Dropped: C:\Users\user\AppData\...\whwgKRLjSU.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 57 other files (none is malicious)
  Signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file access); Performs DNS queries to domains with low reputation; 2 other signatures
  Child: whwgKRLjSU.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\...\sihost.exe (PE32)
    Signatures: Detected unpacking (changes PE section rights); Uses schtasks.exe or at.exe to add and modify task schedules; Contains functionality to compare user and computer (likely to detect sandboxes)
    Child: schtasks.exe (started)
      Child: conhost.exe (started)
  Child: cmd.exe (started)
    Child: conhost.exe (started)
    Child: timeout.exe (started)
sihost.exe (second start node)
  Child: schtasks.exe (started)
    Child: conhost.exe (started)
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2021-09-10 13:06:10 UTC
AV detection: 20 of 27 (74.07%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon discovery spyware stealer
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
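Read together, the three sandbox reports describe one execution chain: the downloaded executable drops a second stage and CRT DLLs under AppData, the second stage writes sihost.exe under AppData\Roaming and registers it with schtasks.exe, the original binary removes itself through cmd.exe with a timeout.exe delay, and the process contacts the published C2 plus two further hosts seen only in the network trace. That chain is what a detection engineer wants to match in endpoint telemetry. The Python below is an added example, not code from MalwareBazaar or any of the sandbox vendors: it runs a handful of rules over a constructed, Sysmon-like event list. The event schema (type, image, parent, cmdline, dest, host), the command-line arguments and the exact paths under AppData are assumptions; the reports name the tools and directories but not the arguments.

```python
"""Behavioural rules for the Raccoon Stealer chain in the sandbox reports above.

Added example, not code from MalwareBazaar or any sandbox vendor. SAMPLE_EVENTS
is a constructed, Sysmon-like event list: tool and host names follow the
reports, but command lines and the paths under AppData are assumptions.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Alert = Tuple[str, int, str]  # (rule, weight, evidence)

C2_IOCS = {"5.181.156.77"}  # published IOC (ThreatFox), high confidence
# Hosts that appear only in the sandbox network trace: lower confidence.
TRACE_HOSTS = {"jaliemaval.xyz", "94.140.112.64", "telete.in", "195.201.225.248"}

# User-writable directories the sample dropped into (AppData, Temp).
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)
# Illustrative (assumed) list of system binary names that belong in System32/SysWOW64.
SYSTEM_BINARIES = {"sihost.exe", "svchost.exe", "conhost.exe"}
# "timeout ... del ...exe": the delayed self-deletion idiom the reports flag.
SELF_DELETE = re.compile(r"\btimeout\b.*\bdel\b.*\.exe", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> List[Alert]:
    image, parent, cmd = ev["image"], ev.get("parent", ""), ev.get("cmdline", "")
    name, low = _basename(image), image.lower()
    alerts: List[Alert] = []
    if USER_WRITABLE.search(image):  # "Executes dropped EXE"
        alerts.append(("exec_from_user_dir", 2, image))
    if name in SYSTEM_BINARIES and "\\system32\\" not in low and "\\syswow64\\" not in low:
        alerts.append(("system_binary_masquerade", 3, image))  # sihost.exe outside System32
    if name == "schtasks.exe" and "/create" in cmd.lower() and (
            USER_WRITABLE.search(cmd) or USER_WRITABLE.search(parent)):
        alerts.append(("schtasks_persistence_user_dir", 4, cmd))  # "Creates scheduled task(s)"
    if name == "cmd.exe" and SELF_DELETE.search(cmd):
        alerts.append(("self_delete_via_cmd", 3, cmd))  # "Self deletion via cmd delete"
    return alerts


def check_network(ev: Event) -> List[Alert]:
    dest, host = ev.get("dest", ""), ev.get("host", "").lower()
    if dest in C2_IOCS or host in C2_IOCS:
        return [("c2_ioc_contact", 5, dest or host)]
    if dest in TRACE_HOSTS or host in TRACE_HOSTS:
        return [("sandbox_trace_host_contact", 2, host or dest)]
    return []


def detect(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        if ev["type"] == "process":
            alerts += check_process(ev)
        elif ev["type"] == "network":
            alerts += check_network(ev)
    return alerts


def verdict(alerts: List[Alert]) -> Tuple[int, str]:
    """Sum the weights; a published-C2 hit or a chain scoring 8+ is malicious."""
    score = sum(w for _, w, _ in alerts)
    if score >= 8 or any(r == "c2_ioc_contact" for r, _, _ in alerts):
        return score, "malicious"
    return score, ("suspicious" if score else "clean")


# Constructed event list (not a real capture); paths and arguments are assumed.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Users\user\Downloads\vSTM2LDjP1.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "vSTM2LDjP1.exe"},
    {"type": "network", "dest": "5.181.156.77", "host": ""},
    {"type": "network", "dest": "195.201.225.248", "host": "telete.in"},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\whwgKRLjSU.exe",
     "parent": r"C:\Users\user\Downloads\vSTM2LDjP1.exe", "cmdline": "whwgKRLjSU.exe"},
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\example\sihost.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\whwgKRLjSU.exe", "cmdline": "sihost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\user\AppData\Roaming\example\sihost.exe",
     "cmdline": r'schtasks.exe /create /tn sihost /tr "C:\Users\user\AppData\Roaming\example\sihost.exe" /sc minute /mo 1'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\user\Downloads\vSTM2LDjP1.exe",
     "cmdline": r'cmd.exe /c timeout /t 3 & del "C:\Users\user\Downloads\vSTM2LDjP1.exe"'},
]
# Constructed benign activity: a normal app and an admin-created task in Program Files.
BENIGN_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
    {"type": "network", "dest": "93.184.216.34", "host": "example.com"},
]

if __name__ == "__main__":
    for rule, weight, evidence in detect(SAMPLE_EVENTS):
        print(f"{weight} {rule}: {evidence}")
    print(verdict(detect(SAMPLE_EVENTS)))  # (21, 'malicious')
```

The weights are illustrative. The published C2 is the only high-confidence network indicator; jaliemaval.xyz and telete.in come from the sandbox trace alone, so a hit on them without anything else scores as suspicious rather than malicious. The masquerade rule keys on path rather than name because a legitimate sihost.exe exists under C:\Windows\System32.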
Unpacked files
SHA256 hash: 765d19b4728008c1589f222d1fa49f1cb7310204c7a4574eb9f930d0544bed7b
MD5 hash: 043da3110ddd8f5ac84e7f9c0d2d685e
SHA1 hash: 2d13ecbc31ccf9921cbf6f0b2089fae09d4f4395
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: 75c941b968a0da0f653a9e21ec2939d615e49e4ffc3f64bb16e00170a5457b5a
MD5 hash: 9d1b1acf7876b24e9defb19e6d261d73
SHA1 hash: 5c57bf6d8d63c9a322cf63267f860bf8fb2fe08c
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RaccoonStealer
File type: Executable exe
SHA256 hash: 75c941b968a0da0f653a9e21ec2939d615e49e4ffc3f64bb16e00170a5457b5a (this sample)

Comments