MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95dc0afc7cf64855174a99bd755c1853163bcfb6ae85de989302bb4a0ffe8c63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95dc0afc7cf64855174a99bd755c1853163bcfb6ae85de989302bb4a0ffe8c63
SHA3-384 hash: 159a0487f6e04a9affb7e7281fac96fabd5340dd470ec1e700b3ab950858f2b779ffe81a147455769ef44f72bc727456
SHA1 hash: 35ca794a6659ae54212a0c65e8e064413c59dd29
MD5 hash: e54d385c3ce8d97782994fb977b45bf0
humanhash: cola-bulldog-echo-low
File name:e54d385c3ce8d97782994fb977b45bf0.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'592'944 bytes
First seen:2021-06-08 07:09:55 UTC
Last seen:2021-06-08 08:12:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 1536:tEiER7QvNFrEo53H4cmF0ChbPi1Qy2ezCabdy+JVLyx5Iym2SsAHcSyCCSUEDOMm:W
Threatray 1'433 similar samples on MalwareBazaar
TLSH 7C66F37A1B78990657E4F3FB260C3FA492CFEFF0407445917609732AA35419A89E27F2
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://193.203.203.233/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.203.203.233/ https://threatfox.abuse.ch/ioc/68025/

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e54d385c3ce8d97782994fb977b45bf0.exe
Verdict:
Malicious activity
Analysis date:
2021-06-08 07:26:51 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/627f7b85-c205-43e0-a3b6-2be8496893d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165224/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46384578.11226.3403.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
DNS request
Sending a custom TCP request
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Delayed reading of the file
Creating a window
Stealing user critical data
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798574
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430973 Sample: 5TpcWgYxZe.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Antivirus detection for URL or domain 2->55 57 6 other signatures 2->57 7 5TpcWgYxZe.exe 6 6 2->7         started        process3 file4 31 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->31 dropped 59 Contains functionality to steal Internet Explorer form passwords 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Hides threads from debuggers 7->63 65 Injects a PE file into a foreign processes 7->65 11 5TpcWgYxZe.exe 87 7->11         started        16 WerFault.exe 7->16         started        18 AdvancedRun.exe 1 7->18         started        20 5 other processes 7->20 signatures5 process6 dnsIp7 45 tttttt.me 95.216.186.40, 443, 49721 HETZNER-ASDE Germany 11->45 47 dowwwl.com 11->47 49 34.88.52.57, 49723, 80 GOOGLEUS United States 11->49 33 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 11->33 dropped 35 C:\Users\user\AppData\...\vcruntime140.dll, PE32 11->35 dropped 37 C:\Users\user\AppData\...\ucrtbase.dll, PE32 11->37 dropped 41 56 other files (none is malicious) 11->41 dropped 67 Tries to steal Mail credentials (via file access) 11->67 69 Tries to harvest and steal browser information (history, passwords, etc) 11->69 39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->39 dropped 22 AdvancedRun.exe 18->22         started        25 conhost.exe 20->25         started        27 conhost.exe 20->27         started        29 timeout.exe 1 20->29         started        file8 signatures9 process10 dnsIp11 43 192.168.2.1 unknown unknown 22->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95dc0afc7cf64855174a99bd755c1853163bcfb6ae85de989302bb4a0ffe8c63/
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-29 23:56:59 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxoav7d46zefkf2ktg6xkxaykmldxt5wv2c55getak5uud76rrrq._file
Verdict:
malicious
Similar samples:
03659dfd8c9a7f8b300972af15621b9d67b8854cfbf66ecab15f63b1686afa2c
RaccoonStealer
25635e943bef1181ce962f2294a131960b61c093159e197dabda485a88e9b069
RaccoonStealer
2884051cd64be98b26224c6cd9ba46bc6802242fdb2aabbb3dd4aa6b1eb16a78
RaccoonStealer
4169236e7560956d442207c2cc74a767f6470bcedf1d8022677e0aee8949d4f5
RaccoonStealer
45269d3d0fbf13c80d6c496d3ee36e13808e36063bc82e3247cfc291e0f9223c
RaccoonStealer
4960918e52dd7f7db806c36c9393ef8329e173c60d9f59de66474af874ba1e46
RaccoonStealer
4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35
RaccoonStealer
75bc5234ba652f847e14755352f4b39c26ffcfb5cec2b48d34e066b0581772dd
RaccoonStealer
9d98cf2a209bc4ccc92b7dc792c6f3b21c0ce1c2f7eb72498823e7a593145fea
RaccoonStealer
aa703fb814c6e09c409060654ea9b5798b6a99cb0ceb25bd31bf894dc60702f5
RaccoonStealer
+ 1'423 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1e3ed6322e220c342260106ab8c93de3819f3bed discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/210608-jraleb2rxe/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Raccoon
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
91fd7dd653474601815977016661c7e7db5c51575ff06f827202973d68b8e1cd
MD5 hash:
645328bbf41508b8f69990aa26543bd7
SHA1 hash:
aa79adafee4e7d4532315b65352ea2488ff6cd88
Link:
https://www.unpac.me/results/3816618c-9bf4-439a-83dc-8b5c6fc80e17/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/3816618c-9bf4-439a-83dc-8b5c6fc80e17/
SH256 hash:
45474375bccc95f19e728ded67fd566cbaaeb92de4159002ce718afd0848f607
MD5 hash:
8543197ff647c60159cba8a4a1a6b4f7
SHA1 hash:
612a999754321c1544d34cca2d81857d20136b04
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/3816618c-9bf4-439a-83dc-8b5c6fc80e17/
SH256 hash:
95dc0afc7cf64855174a99bd755c1853163bcfb6ae85de989302bb4a0ffe8c63
MD5 hash:
e54d385c3ce8d97782994fb977b45bf0
SHA1 hash:
35ca794a6659ae54212a0c65e8e064413c59dd29
Link:
https://www.unpac.me/results/3816618c-9bf4-439a-83dc-8b5c6fc80e17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95dc0afc7cf64855174a99bd755c1853163bcfb6ae85de989302bb4a0ffe8c63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165224/

Comments