MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa80ec75a2bb08c54c2ee98f24ee9e7a872c682396cb825d209c3b457bf50bc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 4 File information Comments

SHA256 hash:	aa80ec75a2bb08c54c2ee98f24ee9e7a872c682396cb825d209c3b457bf50bc5
SHA3-384 hash:	8f1982b0f4d2dc1fd446688e2a7486a38cf25cd05269aafabc6147117f05e9ce7d37fa1f3c53a30dc86e1e4ffb248409
SHA1 hash:	8c7106c9e0ec0bdb0f914fc28a320f8e374dc83b
MD5 hash:	08ad7e2e66aeb842c95f47978274ccbb
humanhash:	island-colorado-illinois-mango
File name:	AA80EC75A2BB08C54C2EE98F24EE9E7A872C682396CB8.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	606'720 bytes
First seen:	2021-08-30 23:21:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	928ce6a1c3ed4dc8c4db0816d5ad1440 (3 x RaccoonStealer, 3 x RedLineStealer, 1 x CryptBot)
ssdeep	12288:Rbl87b4xKQ6jkUrZ9GJFZlCuMVlWW6n/1Kp4UUA/imUFogws/Y:P874++4Sx/1KHUM71gwsw
Threatray	2'583 similar samples on MalwareBazaar
TLSH	T1DFD4E0216BA1C035F1F712B445B6A278653ABDA0A731B0CF6DC03BEE46346E4AD31797
dhash icon	d212f0ece8696c44 (1 x RaccoonStealer, 1 x DanaBot)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://5.181.156.120/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://5.181.156.120/	https://threatfox.abuse.ch/ioc/203162/

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://45.15.143.191/files/file2.exe

Verdict:

Malicious activity

Analysis date:

2021-05-25 18:29:06 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/cc1604c3-192a-4b22-aa4e-58a730229164

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/183916/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Connection attempt

Sending a custom TCP request

Sending an HTTP POST request

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/84e932dc-33c1-46d5-bcc4-b092c3bf5aa7

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/842074

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/aa80ec75a2bb08c54c2ee98f24ee9e7a872c682396cb825d209c3b457bf50bc5/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-05-25 20:43:04 UTC

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vkaoy5ncxmemktbo5ghsj3u6pkdsy2bds3fyexjatq5uk67vbpcq._file

Verdict:

malicious

RaccoonStealer

1555f744c779e3ce93f92b454ad2092e136622c39c21eca20125dd79cdf8fb94

RaccoonStealer

2c5105d428486ab9bd43df850f2b74e9250769976662bc9937128ce0ff6257b0

RaccoonStealer

4e0cca88ac33e671cd7cc9689605b8830d03ad80e39e716516381499be1c906a

RaccoonStealer

6af6df91512079a7d6223dd4464cfd571ac21a2f9bfcb9136f9bcb3a5dbce52b

RaccoonStealer

afa7f830663555f46ce1f944605092c8259dbc9f36970d7305588d56ba03c728

RaccoonStealer

c5a3e3c23c820cc768a283e2a66515722048a51ece2387bcb8883a3b6a061b41

RaccoonStealer

e266297bd6f57232b8421fa09de406f352591328d452b04b183144427f43011a

RaccoonStealer

+ 2'573 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:74452b5cbc58563477e4a9e149f2093398530bbd stealer

Link:

https://tria.ge/reports/210830-96r9e77wx6/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Raccoon

Raccoon Stealer Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

4ee1f840b20430ca687665fba0e317a55e457af7260095940bd601d424c3c926

MD5 hash:

532a391e608d186ab4521bc929d81027

SHA1 hash:

1e069b0fa31069325ac66d95bcb4f5266be2fd32

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/aba83c83-9065-401e-80a8-0a9f1b22e646/

Parent samples :

847a6ee401f8fabccd33c0e7d72e67f26423ae5cc085d6df9ba575720aec784d
aa80ec75a2bb08c54c2ee98f24ee9e7a872c682396cb825d209c3b457bf50bc5

SH256 hash:

aa80ec75a2bb08c54c2ee98f24ee9e7a872c682396cb825d209c3b457bf50bc5

MD5 hash:

08ad7e2e66aeb842c95f47978274ccbb

SHA1 hash:

8c7106c9e0ec0bdb0f914fc28a320f8e374dc83b

Link:

https://www.unpac.me/results/aba83c83-9065-401e-80a8-0a9f1b22e646/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa80ec75a2bb08c54c2ee98f24ee9e7a872c682396cb825d209c3b457bf50bc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/183916/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample