MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046
SHA3-384 hash: 6b52a578547409c43ef409b86e0e26db5b5d64ec01f54bb853c02bf83344d35c2953620a8e8162007a1901424b77afc8
SHA1 hash: 80db9b3c72f88b3cacb40362ee21baa2390de38c
MD5 hash: 82f7734fef8ee0789cf270f292651cbe
humanhash: robert-saturn-lamp-foxtrot
File name:82f7734fef8ee0789cf270f292651cbe.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'704'768 bytes
First seen:2021-09-28 06:38:16 UTC
Last seen:2021-09-28 10:16:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd827b8586176b67403fab26f5e0d605 (1 x RaccoonStealer)
ssdeep 98304:62RwWMe+Sml+unSwywZ+741ksvzTciQoS9BTdrlv9z/8nltrM0C:S6+t3SpjsvzTJrSvz9Uf6
Threatray 130 similar samples on MalwareBazaar
TLSH T1B42612137A404199C0DA4E35842BBE8171F25F994962943F7BEDFDCE3F3E1A39606A42
File icon (PE):PE icon
dhash icon 8c8cf0e8e8b24280 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.138.164.150/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.138.164.150/ https://threatfox.abuse.ch/ioc/227268/

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
82f7734fef8ee0789cf270f292651cbe.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 06:39:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94eb0c8d-5d46-4d0a-a06e-6de3e6b5cf74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192406/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.22052.30546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36fe4074-094a-4dbe-90f1-9d9c2fcb1006
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859556
Signature
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=twhqjplexapngnt556pxjkfjr2nindzq3okdhkppg62icokmsbda._file
Verdict:
suspicious
Similar samples:
22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9
RaccoonStealer
2abe71b49e45492b408294a415a308799ed312ff79c013924a42e53ce9c32a82
RaccoonStealer
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
RaccoonStealer
36cbc77a5caaf8f805bc7347ee4cd27657fca600ea5e202e633aca7a09d73297
RaccoonStealer
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
RaccoonStealer
4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e
RaccoonStealer
8344424b2ab65b90171d02df7f9f8625308284c4b25e0e489c005f9c164784c2
RaccoonStealer
ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08
RaccoonStealer
e97f71d3020b3cf4c3d22ebe380a902fddc0e5ce666cc1b0059efe8e67860a72
RaccoonStealer
+ 120 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:c1728bc068ff13c9172ac566c717a997b9a7b1dc discovery spyware stealer suricata
Link:
https://tria.ge/reports/210928-hemp6sahfm/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SH256 hash:
3ddc1496cad568993b4f7a6b06094c0ddbc2804d74a70471fff3f1ec2cb065f2
MD5 hash:
9bf7559f8f746ec86bd414763b7261cb
SHA1 hash:
738bb319f1e97761c49e606fe34925a5e70ad1c3
Link:
https://www.unpac.me/results/90d60791-6aa1-44c0-8436-672bb035e9a7/
SH256 hash:
9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046
MD5 hash:
82f7734fef8ee0789cf270f292651cbe
SHA1 hash:
80db9b3c72f88b3cacb40362ee21baa2390de38c
Link:
https://www.unpac.me/results/90d60791-6aa1-44c0-8436-672bb035e9a7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9d8f04bd64b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1646334/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192406/

Comments