MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9012e4c26b86f5dcc9a921462b9ef05e1621791d79698594db58085b60d5bc3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 6 File information Comments

SHA256 hash:	9012e4c26b86f5dcc9a921462b9ef05e1621791d79698594db58085b60d5bc3d
SHA3-384 hash:	56cf4f52eacc69a26abef5806965c14f6bc00b44c997c9811eb8acb2358304cc49506c15dbd9b170a4436091d0ada382
SHA1 hash:	6605737ddb9884469c634112087dd5a18cf20fd0
MD5 hash:	946fe609f46a3053f4356a6df184c5e1
humanhash:	hydrogen-burger-gee-two
File name:	6810825092 ISF - EMC ??? - Draft.scr.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	783'872 bytes
First seen:	2021-10-29 06:57:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:RlfZxmOBp8xDqQJVX4z+rHNzgjHiMoVAR0+7SmUeDNcjh/APHtR+FH8RPSIw8T3P:RlfZxm9d4z+dgjHiMoVAUXedPHt+648D
Threatray	3'935 similar samples on MalwareBazaar
TLSH	T176F41209B339CB6BF6BE07B940E3165503F6682233A1FB456FD638D61923B821E05D97
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://194.180.174.181/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.180.174.181/	https://threatfox.abuse.ch/ioc/239344/

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.6999.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/3bbaa18f-b7cb-4b2e-8dff-69b74c8db12b

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/879088

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM3

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/9012e4c26b86f5dcc9a921462b9ef05e1621791d79698594db58085b60d5bc3d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-29 06:58:09 UTC

AV detection:

8 of 45 (17.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sajojqtlq325zsnjefdcxhxqlylcc6i5pfuylfg3laefwygvxq6q._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

2a081b2e6f932f6c6773603ef59b1e66f7961be9df09fbb10282eeef7d6491a0

RaccoonStealer

3d3bdfa63f14658e164027af06ac4728891f5025fadddac2f2f6debb4021d531

RaccoonStealer

5451dce2ce5d9e6b5f9ed22dd2b535b36557c73511b734134fa8877f064eb8d7

RaccoonStealer

58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54

RaccoonStealer

71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a

RaccoonStealer

8136e992f634fec74c2c923edc4cf43ab8601dd3dc229bb3fde7d798e644beae

RaccoonStealer

ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58

RaccoonStealer

d446ebd0bb5a6a33e8252ffda9084f2eb912bb6c2a461e96dcc3c317b3ef41ce

RaccoonStealer

fc6b841e6c753eeebf0d7cc8820cd3c6fcbeb40fc4d2c4d9a8bf9d3f0907fb76

RaccoonStealer

+ 3'925 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:a41ffcd20150e4814320ae5f467659001fd5a10f stealer

Link:

https://tria.ge/reports/211029-hrh8hscgf4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Raccoon

Unpacked files

SH256 hash:

d63c899275dfe2ac1f1814c863abbf9821f2fd963908b6013a02901bda800a2b

MD5 hash:

1b25e170e511a88e0594cb2dbc15cfe7

SHA1 hash:

68532be157765e3cb9d03e6723738b69876ed4ca

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/3f875c6e-775d-4f61-90cd-22f82358b7be/

Parent samples :

9012e4c26b86f5dcc9a921462b9ef05e1621791d79698594db58085b60d5bc3d
0a8405ad8d7fb8f334acd2fa1e0729a9b267d85af6bf7cbed9450c1640fae973
39eab0fe41e582741cfe50e4cf5163c345d4e48aa10b7e2a9bd53336bcfb6e03

SH256 hash:

4fd71c247819cbd3373552e856367688def68ecea470dfc512add650691d3ee8

MD5 hash:

334f32bfcc443a06ef8f1e1f9e33b7dc

SHA1 hash:

0b3ee2d779e3d3607ead518484f14fab2e1c93fe

Link:

https://www.unpac.me/results/3f875c6e-775d-4f61-90cd-22f82358b7be/

SH256 hash:

4d1ee061c817ea30ca4e461a4f44388662c1c1c2775be2b323858ddbc1679b35

MD5 hash:

1b6d3d31872537cc611ff4322ffc1099

SHA1 hash:

0108adafb207ce044bfb3f7933da45594c545bee

Link:

https://www.unpac.me/results/3f875c6e-775d-4f61-90cd-22f82358b7be/

SH256 hash:

9012e4c26b86f5dcc9a921462b9ef05e1621791d79698594db58085b60d5bc3d

MD5 hash:

946fe609f46a3053f4356a6df184c5e1

SHA1 hash:

6605737ddb9884469c634112087dd5a18cf20fd0

Link:

https://www.unpac.me/results/3f875c6e-775d-4f61-90cd-22f82358b7be/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9012e4c26b86/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/9012e4c26b86f5dcc9a921462b9ef05e1621791d79698594db58085b60d5bc3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample