MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac63474c04736ab2b250230f4a47d589ece05b7839df739d16c1db622b80db19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac63474c04736ab2b250230f4a47d589ece05b7839df739d16c1db622b80db19
SHA3-384 hash: abd270eb2f7ea61df9f865441d62ef1808c8a1e943de4c0a28677823fbe89ca342de9ba80f22ef6d2e4f42e2c4b625b5
SHA1 hash: a8a3081047e0a9eea2f4bd1492f51923dbca641c
MD5 hash: b453a090b51a07a1f2a8a28295b767a4
humanhash: johnny-november-coffee-april
File name:b453a090b51a07a1f2a8a28295b767a4
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:439'296 bytes
First seen:2021-08-29 02:36:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3c9c233147536fd2cb825c3f3ce75bc (5 x Smoke Loader, 4 x RaccoonStealer, 2 x GCleaner)
ssdeep 6144:rQsEs+yEsMziuhaZsU1gI8LzGEyfUja5e4x/wpbYdhEcbddBuI6v68/3NN215sIh:lmhDU1g7LzJljH4xWcbdHuI6C2bpc
Threatray 2'861 similar samples on MalwareBazaar
TLSH T10E940245FA71C473C1C629314C55D3A1367F6D616A61928B3F8CABAE3F626D04B2E383
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://84.246.85.16/ https://threatfox.abuse.ch/ioc/201706/

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b453a090b51a07a1f2a8a28295b767a4
Verdict:
Malicious activity
Analysis date:
2021-08-29 02:39:13 UTC
Tags:
trojan stealer raccoon loader opendir
Link:
https://app.any.run/tasks/6a3ad5f4-8ec8-42e1-9771-cd5d9b60ed35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183184/
Detection(s):
Win.Packed.Generic-9888754-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9987a93d-d55e-4f72-bd1a-0d54479567d8
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/840933
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac63474c04736ab2b250230f4a47d589ece05b7839df739d16c1db622b80db19/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 00:14:25 UTC
AV detection:
34 of 46 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrruotaeonvlfmsqemhuur6vrhwoaw3yhhpxhhiwyhnwek4a3mmq._file
Verdict:
malicious
Similar samples:
2b0a76c45a3dd1e9bd3b867465a7095762272a9bbe59c1672da1226f59d3d641
RaccoonStealer
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
RaccoonStealer
7f1cd16cd2d2e5644752a3e0fd411c3902bad47051779d5bd539e9650f53787c
RaccoonStealer
88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b
RaccoonStealer
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
RaccoonStealer
f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86
RaccoonStealer
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
RaccoonStealer
+ 2'851 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 discovery persistence spyware stealer
Link:
https://tria.ge/reports/210829-ldmtpjp9n2/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
fc4e10219fe2313fedef57c199bab6c22f0db36f517224abd9d9f7cb560b666a
MD5 hash:
00b9c6a81b13c859b1159d7732bb04be
SHA1 hash:
303152135355f20a0ab244cec9311806dae83a46
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/f6d4ded4-8588-4ef4-9b17-8e3219e158ee/
Parent samples :
ac63474c04736ab2b250230f4a47d589ece05b7839df739d16c1db622b80db19
c8c136d959b8815ef99e16640525758e0ed9a5596275f056735752b351ae5972
f38d282d627b764fe174e33d3ee4082797ab39c393e9fc9f2317c8b1e8326a29
SH256 hash:
ac63474c04736ab2b250230f4a47d589ece05b7839df739d16c1db622b80db19
MD5 hash:
b453a090b51a07a1f2a8a28295b767a4
SHA1 hash:
a8a3081047e0a9eea2f4bd1492f51923dbca641c
Link:
https://www.unpac.me/results/f6d4ded4-8588-4ef4-9b17-8e3219e158ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac63474c04736ab2b250230f4a47d589ece05b7839df739d16c1db622b80db19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe ac63474c04736ab2b250230f4a47d589ece05b7839df739d16c1db622b80db19

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1573806/
Cape
Cape
https://www.capesandbox.com/analysis/183184/

Comments


Avatar
zbet commented on 2021-08-29 02:36:41 UTC

url : hxxp://65.21.223.132/Pluton.exe