MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8544f85e040d93d38c12d4c096607ee4eabdd17feeec444d0b9d4b633ba3d193. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8544f85e040d93d38c12d4c096607ee4eabdd17feeec444d0b9d4b633ba3d193
SHA3-384 hash: 2195cc0046ff0c2a3a8732a5079a7f9de8dd070e823180aa84d34b2cae333c6592267058fa15172c118ca89e3df45438
SHA1 hash: bb877507a3e83ea040c8afb4c8557a92444c2685
MD5 hash: a3bbca634feeed0e81631a02a49a27ec
humanhash: cup-undress-west-indigo
File name:a3bbca634feeed0e81631a02a49a27ec.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:596'480 bytes
First seen:2021-09-14 07:05:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b2892ac4e7dd2f64b4fb830ba7d3e9b8 (1 x RaccoonStealer)
ssdeep 12288:0plTP1k7RISJY2LQwbGyvN8REhOcKsABqZ5a8hSFz88wu:0DO7nXPNWRE2BqX4Q8w
Threatray 3'038 similar samples on MalwareBazaar
TLSH T152C4D0F4A6A0C431E1BB41B469B98BA8E72D7E715B3050CFE2D136DA463C2E49D3174B
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.117/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.117/ https://threatfox.abuse.ch/ioc/221022/

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a3bbca634feeed0e81631a02a49a27ec.exe
Verdict:
Malicious activity
Analysis date:
2021-09-14 07:09:31 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/4020bed3-4f0b-4fe1-9666-0a9f347a5d4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187724/
Detection(s):
Win.Packed.Mdeclass-9892577-0
Create hunting rule

Win.Packed.Generic-9892598-0
Create hunting rule

Win.Dropper.Generickdz-9892609-0
Create hunting rule

Win.Packed.Generic-9892623-0
Create hunting rule

Win.Packed.Generic-9892631-0
Create hunting rule

Win.Packed.Generic-9892633-0
Create hunting rule

Win.Packed.Generic-9892638-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61750bd7a9d585e6d5370cce/reports/c94c226e-f189-4fa9-8a6f-25c77cb078d0/overview
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8da7872d-39ff-4258-baa0-1bdc92640cb2
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850436
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8544f85e040d93d38c12d4c096607ee4eabdd17feeec444d0b9d4b633ba3d193/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-12 14:35:12 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qvcpqxqebwj5hdas2tajmyd64tvl3ul753weitiltvfwgo5d2gjq._file
Verdict:
malicious
Similar samples:
03d23ad7ab07c264aa23794c51236157641a98f8a6b40dc063e3403e831b967b
RaccoonStealer
091ee9a9dd7f5501d96e04c9d7cfda6bb6cf3cdcb308f2ef293c123f675d56a7
RaccoonStealer
19e1615b05d89f0268b47c11407aa8023a65d704dadba3660557d81dd3e507cb
RaccoonStealer
3c2557c292a2e3a61a85cd44f45f8f3998fd16db3e5e523353eac61a879f726a
RaccoonStealer
75114eeae6429f297193678413f5523eea5e25474745d3c9f29f3a519143a3f3
RaccoonStealer
80f0607db29814c032dd81fabf31e3c7e1134c5cf9fde17d639556381d5299d3
RaccoonStealer
88bea616209dfb7515186c71ef3555315eae375e4bf1fdff5267aea751323ae6
RaccoonStealer
d5c5a22d496c874ed4da5e38cae2c72cc94bc9238e9385f05e7c0b11b87ff35a
RaccoonStealer
dba5e6264deed1c0d630810ce0ba5931e442398ab117ab551f05e77d69613bfb
RaccoonStealer
f4e89acd2fe686f7b8006dec8326057703ce9ae4c2636a6119ae48ef4db1fdcb
RaccoonStealer
+ 3'028 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery spyware stealer
Link:
https://tria.ge/reports/210914-hw4d9aacaj/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
7fd7a3bf30a4131ac6de2eb917af50646362529e14e11cc706502ef7c8d3374e
MD5 hash:
a0f127bae255f244fb181945d8833800
SHA1 hash:
7bed721718a53f97d8f29698b5d573392a709363
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6698129-6709-46b4-8f0d-91ca55e121ad/
SH256 hash:
8544f85e040d93d38c12d4c096607ee4eabdd17feeec444d0b9d4b633ba3d193
MD5 hash:
a3bbca634feeed0e81631a02a49a27ec
SHA1 hash:
bb877507a3e83ea040c8afb4c8557a92444c2685
Link:
https://www.unpac.me/results/c6698129-6709-46b4-8f0d-91ca55e121ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8544f85e040d93d38c12d4c096607ee4eabdd17feeec444d0b9d4b633ba3d193

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187724/

Comments