MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c253c61523798734a2bafaa54b04974aeb1828d3c93001fcdbce748b68ca78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	84c253c61523798734a2bafaa54b04974aeb1828d3c93001fcdbce748b68ca78
SHA3-384 hash:	2f9f229ee84a5f8d01c7fd530604d0b2376864723e56115820e7d7db90fb0cd6e8d6a29ae87ca15ed661804e9b11ef3b
SHA1 hash:	515d53d84b4173aaff61497d198008ac749c70f5
MD5 hash:	6819e51902a78faec6b4047eb0b38241
humanhash:	bulldog-papa-robert-social
File name:	6819e51902a78faec6b4047eb0b38241.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	606'208 bytes
First seen:	2021-05-26 16:56:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	23a77f1d99ca6e5aff045e04254be800 (4 x RaccoonStealer, 1 x RedLineStealer, 1 x DanaBot)
ssdeep	12288:WuMlO4FzwTyrNU9m6Y7RM4zsskS52l+FW52QWCraZbU2M5/IMlzAVbBz69C5JXwq:mlK60lWnw5ZGDzdJgJY
Threatray	644 similar samples on MalwareBazaar
TLSH	42D4E031AAA0C034F5FED2B4457642B9653A7DF1AB3450CF52F42AEE86346E0AC31797
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://45.67.231.109/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.67.231.109/	https://threatfox.abuse.ch/ioc/64474/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6819e51902a78faec6b4047eb0b38241.exe

Verdict:

Malicious activity

Analysis date:

2021-05-26 23:05:04 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/580febf2-b4ea-4b2e-8784-5c1b58058e0c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/162469/

Detection(s):

Win.Malware.Generic-9864651-0

Win.Dropper.Gandcrypt-9864806-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/792726

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84c253c61523798734a2bafaa54b04974aeb1828d3c93001fcdbce748b68ca78/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-05-26 08:52:01 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qtbfhrqven4yonfcxl5kksyes5fowgbi2petaap43phhjc3izj4a._file

Verdict:

malicious

RaccoonStealer

63f7c2def826b631ced507f85a38f51aed894d3c4959fc04c26293247325208e

RaccoonStealer

7396e6b887ea90222eebcbb2772a8618d59d93d9bcd33c61e306e2b70bb0c3ff

RaccoonStealer

9fb72b04dafeee8369bd08074788b236686c72a3a97ad436a6a0cb0aeae090a6

RaccoonStealer

a21b6b2e6336efdfe470806c0d615ede9acacd44ab317ce7e4c59cfb8de1619f

RaccoonStealer

c0d3a2b9dc565d489246646514178a20bd5a346edcc19b2d28e9f60d0ae17949

RaccoonStealer

caf3eca514de58e215b5e9f568f748293be64a3c82e15c2f905903cd9bfacc1c

RaccoonStealer

e906adc81c7aa287b3a410216d9e659f5202c152f9eb1e997fd1ad4a7ed7de48

RaccoonStealer

fb0b9f62088f1bafb3bde3e3ce22b53555b46c4501c5fa5c4024ec0fa6de4e6d

RaccoonStealer

fce1d9496dbdcf9505069283bf61e825e76a1c99af5258beae9feb0a34385cd7

RaccoonStealer

+ 634 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:f22a6327920c25827041427aa3d4673334aa22ea stealer

Link:

https://tria.ge/reports/210526-2st3swtz8e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/84c253c61523798734a2bafaa54b04974aeb1828d3c93001fcdbce748b68ca78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator