MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce1c2ca453f62552ae1b3562d042bccee069c35f37518bf2be7e6f33efc165b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ce1c2ca453f62552ae1b3562d042bccee069c35f37518bf2be7e6f33efc165b
SHA3-384 hash: 56795bc932a5d024993b570927a885a8bfea9b7a7020b6accc139bf142fed6b6c1a5c09f077c234ea4c43e99b9f969f3
SHA1 hash: 6c322dfbdad84db835e450acffef803aebbcdeef
MD5 hash: 020f9b939f6c1537ac3d65dde61ee4f0
humanhash: east-timing-hydrogen-green
File name:020f9b939f6c1537ac3d65dde61ee4f0.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'266'224 bytes
First seen:2022-03-03 09:01:40 UTC
Last seen:2022-03-17 06:33:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3718975ff28c3ea4832c41cc9615593d (1 x RaccoonStealer, 1 x CoinMiner)
ssdeep 98304:elOeWKZEqbvbpPYWwWxFSA73OIJrrpw/YF4Gq5ncYivlrcSTOGph5HcXW7YD2eV:EFEqLhYW7FSaJrFw/YF4GAcYqrP6GbVu
Threatray 14'340 similar samples on MalwareBazaar
TLSH T16856338145241B10DFC2263BBED5888589DC3FC632981FEB19CEB9565D3EB629D0B0F9
File icon (PE):PE icon
dhash icon 9aa6b6b0b6b498a6 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246811/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Unauthorized injection to a recently created process
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c179a0ab-70eb-4617-a67d-62e258d0d137
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949828
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ce1c2ca453f62552ae1b3562d042bccee069c35f37518bf2be7e6f33efc165b/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 09:02:17 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0991de38b14e2b48e3dca4769a4c12de3e4a59634935ec5361659b0e28657c1b
RaccoonStealer
10bcbff9daa66600e2c96c046f258631caa7c5b0da5618f001d46d8ed8f36d9c
RaccoonStealer
71cffe242e5525e46eb17084c15b57d111b3aff005f37ee330ad21ae8b239d48
RaccoonStealer
7a1ff7a23895d29ea7b16713073ff6149db56d63d42853a13993ad810c60cfdb
RaccoonStealer
be2a74bc76e5429010ce7741e58aecc253a33e1dbd713d8b6f02a20545469502
RaccoonStealer
caeb2e0940afbfa4b23dbb65614ebc7dfdb74e7b1ab9c1f764d539322628c289
RaccoonStealer
d16b5c249dea1a1d9f395d5b38a62a5a4466c70fe23f2e7dbe95e8b531d7d383
RaccoonStealer
dc199c7585c7d30d2132c40f40a6177da8312cdd9cc641282e4499f1fb32c979
RaccoonStealer
+ 14'330 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:a188edbc06f9e99e3cffef33d708f2f9fae5464b evasion stealer suricata themida trojan
Link:
https://tria.ge/reports/220303-kzf48sbggp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
Unpacked files
SH256 hash:
477476e253a0f909e1af1db2e27615614321afba29bd99c32182a3236c659cce
MD5 hash:
762cbe64fbd90f9e4f0fc9020f3d4263
SHA1 hash:
42f4821faf3f2a5ea59922f0ea25c677aa8e6566
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/64ddc8f5-7c0b-4f8b-abab-7af8e9f8d7c7/
SH256 hash:
5d59c8d0f9dc6043eb34bae68409995d88efb33c8d0117fbf92aa63b16944e43
MD5 hash:
bb2817a0f7e0493cb402031133079a0c
SHA1 hash:
c8db74d9590eed5f9256ec1ea938ac00a07c40a1
Link:
https://www.unpac.me/results/64ddc8f5-7c0b-4f8b-abab-7af8e9f8d7c7/
SH256 hash:
9ce1c2ca453f62552ae1b3562d042bccee069c35f37518bf2be7e6f33efc165b
MD5 hash:
020f9b939f6c1537ac3d65dde61ee4f0
SHA1 hash:
6c322dfbdad84db835e450acffef803aebbcdeef
Link:
https://www.unpac.me/results/64ddc8f5-7c0b-4f8b-abab-7af8e9f8d7c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9ce1c2ca453f62552ae1b3562d042bccee069c35f37518bf2be7e6f33efc165b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 9ce1c2ca453f62552ae1b3562d042bccee069c35f37518bf2be7e6f33efc165b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072599/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246811/

Comments