MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c26a73079daf216cff436925d647e992acafff5ccc644d97424e1bf05797e44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 11



SHA256 hash: 9c26a73079daf216cff436925d647e992acafff5ccc644d97424e1bf05797e44
SHA3-384 hash: f9b25a5edac902342a68c8e80368ca3707acad99e24efa5d3821c799a999c00d25d2520bde8c9ade80920f08dcc4abb6
SHA1 hash: 7fd54e1f83e74a7ee3f62a73edb019d00b935d7e
MD5 hash: 7cb082ea00471e30b676fa9a8877967e
humanhash: jig-failed-louisiana-fix
File name: 7cb082ea00471e30b676fa9a8877967e.exe
Signature: RaccoonStealer
File size: 524'800 bytes
First seen: 2021-07-21 12:56:09 UTC
Last seen: 2021-07-21 14:06:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 90448e8f7733b3c6bdf5b48508246f5a (2 x RaccoonStealer, 1 x CryptBot)
ssdeep: 12288:wBdE11xr1VqNjDJf5k+MojUfzFDuOBdUEQRlyA6Lhm2ld:OdETx3wj1f++NjuzFZdfcy7Lz
Threatray: 1'606 similar samples on MalwareBazaar
TLSH: T14CB40180F6D0CD32D2B3083148F78795267FBC66697C8A4B66543ACF2E716C1A27E746
dhash icon: 08b9b2b4e8c18c90 (5 x RaccoonStealer, 5 x RedLineStealer, 2 x DanaBot)
Reporter: abuse_ch
Tags: exe, RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://34.88.33.218/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
http://34.88.33.218/   https://threatfox.abuse.ch/ioc/161793/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 112
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Raccoon
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Threat name:
Win32.Infostealer.Racealer
Status:
Malicious
First seen:
2021-07-21 11:07:31 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
5/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:raccoon discovery spyware stealer
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Deletes itself
Downloads MZ/PE file
Raccoon
Unpacked files
SHA256 hash:
25ab3d0494d3be9c1971eead58bda99a275b27e67cb3c11db2433926c01ad528
MD5 hash:
8fa3fabe1d7cadc97d1eb00b4dfd21d3
SHA1 hash:
2b3d6d03435710dda190ade0262f97fb0bef840a
Detections:
win_raccoon_auto
Parent samples:
SHA256 hash:
9c26a73079daf216cff436925d647e992acafff5ccc644d97424e1bf05797e44
MD5 hash:
7cb082ea00471e30b676fa9a8877967e
SHA1 hash:
7fd54e1f83e74a7ee3f62a73edb019d00b935d7e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer.
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature        File type        SHA256 hash
Web download      RaccoonStealer   Executable exe   9c26a73079daf216cff436925d647e992acafff5ccc644d97424e1bf05797e44 (this sample)

Delivery method: Distributed via web download

Comments