MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac9d3193a2f9d3c34acb6d90d3e6dcfe275b0616352f1af8d4d25ed05ef8a9ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac9d3193a2f9d3c34acb6d90d3e6dcfe275b0616352f1af8d4d25ed05ef8a9ce
SHA3-384 hash: 6a1442bde192d1e5fdc438166e63975cacd21d2c65dc3fcaba2320dc6619501be2000cfbfd7b6f88f4ff0ecc04afad55
SHA1 hash: d7b78fbe50ccec1bed0ab115f5373dbac28f61db
MD5 hash: 590e264b93f09df86421a0e8749afb95
humanhash: table-johnny-mountain-floor
File name:590E264B93F09DF86421A0E8749AFB95.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:528'384 bytes
First seen:2021-09-08 14:15:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f530acf7acd4a5c8880ba2a4704d4cbb (14 x RaccoonStealer, 4 x Glupteba, 2 x Tofsee)
ssdeep 12288:X6xbjrSmSFvh8KurqIetZfaipbb7KZJgY5ZDkjJhnf:2zS9h8Ku7ehd3KZJZZmjn
Threatray 2'983 similar samples on MalwareBazaar
TLSH T18AB4F10E7E51E533C591C6714960C7B4DE3EBC622B38057BB358FB6A6E32380562E366
dhash icon b67e7c7d767e6e76 (5 x RaccoonStealer, 1 x CoinMiner)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.45.90/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.45.90/ https://threatfox.abuse.ch/ioc/218040/

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
590E264B93F09DF86421A0E8749AFB95.exe
Verdict:
Malicious activity
Analysis date:
2021-09-08 14:21:29 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/f4924d60-f709-4794-b5c3-ae3c87f37d5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186392/
Detection(s):
Win.Packed.Generic-9890937-0
Create hunting rule

Win.Packed.Filerepmalware-9891026-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1303a0d3-772b-4ad9-9968-2bc6064cd75d
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/847545
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 479977 Sample: XkMYlF7Eqz.exe Startdate: 08/09/2021 Architecture: WINDOWS Score: 92 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 6 XkMYlF7Eqz.exe 80 2->6         started        process3 dnsIp4 42 telete.in 195.201.225.248, 443, 49742, 49744 HETZNER-ASDE Germany 6->42 44 45.140.147.99, 49745, 49767, 49785 SYNLINQsynlinqdeDE United Kingdom 6->44 20 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 6->20 dropped 22 C:\Users\user\AppData\...\vcruntime140.dll, PE32 6->22 dropped 24 C:\Users\user\AppData\...\ucrtbase.dll, PE32 6->24 dropped 26 56 other files (none is malicious) 6->26 dropped 54 Tries to steal Mail credentials (via file access) 6->54 56 Contains functionality to steal Internet Explorer form passwords 6->56 58 Tries to harvest and steal browser information (history, passwords, etc) 6->58 11 WerFault.exe 9 6->11         started        14 WerFault.exe 9 6->14         started        16 WerFault.exe 9 6->16         started        18 6 other processes 6->18 file5 signatures6 process7 file8 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->40 dropped
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac9d3193a2f9d3c34acb6d90d3e6dcfe275b0616352f1af8d4d25ed05ef8a9ce/
Threat name:
Win32.Trojan.RacoonStealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 23:05:04 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsotde5c7hj4gswlnwinhzw47ytvwbqwguxrv6gu2jpnaxxyvhha._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
14e4824be0683d1089694045fb18bfef2da645ab2c4c8b07158894e9d9ec2a1b
RaccoonStealer
704ea934e75448ed30e38117fe27b81b6dfdeb0f2a498bd0ae5474ec3d5014d7
RaccoonStealer
764fde7f31d06b2abf47c6ebe506d0843d6188f8066bba84dd99235d9b3be8fa
RaccoonStealer
9dc0631ea1726b49d0e25b634b6e57253951088f4d007b00407118fcd82fa272
RaccoonStealer
a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8
RaccoonStealer
cfa6b6f011518b09676b544189184ab180f77cee281ca7728255fe05077bb2c8
RaccoonStealer
+ 2'973 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:56be4efb71b0a38de783d05b401b05f1bc805bb2 discovery spyware stealer
Link:
https://tria.ge/reports/210908-rk7rzaeeh7/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
0e2a294165840a5ba0a18343331b26dc15747c99e989c3bf5b8a219d968709d0
MD5 hash:
c7086aa56ded0f3d493cd93d50e3c7b8
SHA1 hash:
6baafff73dd33408ae9865331afd5ebc0e8c6a7e
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/017a39d3-874c-488b-a897-7dfb37dbf3a0/
Parent samples :
77c40ad589b025d3e607000a82a93ac4695a0cd444b3413e432a648c7a375d4d
ce3ab3701778b42da8a688e9e9ea7d3dcbc7873464f95a214771962ad40c710b
b33af04dc64bab485eaaccbe574940a2e641107f8886d0e5e60b303dbe5f797c
38a1d1189d24606ff02ab44bb3e960c11f0d3eee0784e00aeda1fb17fbb3338f
435025a3a84b8da4ccab5d7fd59de3f2c4f58b11db8e11adcfee10c99f491d63
deddab103a2aaae2ce26b6b3b1b1d263ac4c272584ec1d7d5ff8a96bcbaebd4f
e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43db45dbead81d280c58c
1e2ff254e9ce7fcaba6d728b569ed2adefc8b6080a8cbacb2e62f41203055d94
cd682f673e7dfbeac62b8e2fad4afa3fd12e25faf8356635f4ff76c4dd326cbf
ac9d3193a2f9d3c34acb6d90d3e6dcfe275b0616352f1af8d4d25ed05ef8a9ce
4f86bb133e6e11730ea9a42d2b199d6e28ac7e29add3250416b467212921a02b
SH256 hash:
ac9d3193a2f9d3c34acb6d90d3e6dcfe275b0616352f1af8d4d25ed05ef8a9ce
MD5 hash:
590e264b93f09df86421a0e8749afb95
SHA1 hash:
d7b78fbe50ccec1bed0ab115f5373dbac28f61db
Link:
https://www.unpac.me/results/017a39d3-874c-488b-a897-7dfb37dbf3a0/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ac9d3193a2f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac9d3193a2f9d3c34acb6d90d3e6dcfe275b0616352f1af8d4d25ed05ef8a9ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186392/

Comments