MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b654cc7509e9ae72e91b1481a3517558f2abd29395b422451a8c384ef968dbc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	b654cc7509e9ae72e91b1481a3517558f2abd29395b422451a8c384ef968dbc5
SHA3-384 hash:	1b215274ecbd3df006857229d32c5379b6436098c950a965ca9f9978d3f182c1cc32b2f042bacd68f2ab65a96975ae62
SHA1 hash:	c66f51a56e83044f67f99a9ae6e0364f25e92965
MD5 hash:	dbf65ab8af8d7a290966a2bb7000cf9f
humanhash:	island-red-hot-kansas
File name:	DBF65AB8AF8D7A290966A2BB7000CF9F.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	502'272 bytes
First seen:	2021-07-25 15:01:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f1287ea8340d83d7c6e292a6b7d8dbf5 (3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep	6144:AC9WIW89wA9TaummQRorMjgFG5oSgF6WoqVgkdRYP/x5lvLyXNJJClrFzdy:LW9WF7QRmrFG5eFloqyvnnljy9J4L
Threatray	1'832 similar samples on MalwareBazaar
TLSH	T167B40110F5E0C032E6B64A3458F7C2911A7EBD6669788A0F77453ACE2F323C2567E752
dhash icon	b9c8c89098a8e0c9 (1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://34.141.84.7/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://34.141.84.7/	https://threatfox.abuse.ch/ioc/162785/

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DBF65AB8AF8D7A290966A2BB7000CF9F.exe

Verdict:

Malicious activity

Analysis date:

2021-07-25 15:03:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/19c1c1da-09b1-4e5c-9e5b-fdc27b2ce5d6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/174024/

Detection(s):

Win.Packed.Pwsx-9880609-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

DNS request

Connection attempt

Sending an HTTP POST request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5c1006ca-4b33-43b0-b425-af84d35d1481

Gathering data

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-07-22 09:48:07 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wzkmy5ij5gxhf2i3csa2gulvldzkxuutsw2ceri2rq4e56li3pcq._file

Verdict:

malicious

RaccoonStealer

37137c97a81252bf7a3653ca231b1ac8653d99d6df4d24597f1a09eaefd3072b

RaccoonStealer

ca2edb79a9c558fcc52a3ce5b3767dadf832036a260f9aad37bf2cfb2725c52a

RaccoonStealer

cada28cf855a9059f761e89e4441797a92aed1e4a5878c2e87171090295dcaea

RaccoonStealer

e3168c6e143525f0604f8e6a81dda4e8c485b8f96e9c94638d97c8db272b7936

RaccoonStealer

ee22929b148bbbc5527e628d58085c517b34f546f6d06625a6e81f030f8e5d89

RaccoonStealer

+ 1'822 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/210725-zlx6h8b312/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

704e300f73ee275e8c1af57f9a89b690a79557ad17bc122fe9dc89216c00c273

MD5 hash:

e923c0ad67f21a15c7f98024c3fc9848

SHA1 hash:

39aaa3b35ed2ede44e70ddcb7a3593a021c1cef7

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/eb3ff6c8-0ce9-48c4-97eb-eb79d649e8d3/

SH256 hash:

b654cc7509e9ae72e91b1481a3517558f2abd29395b422451a8c384ef968dbc5

MD5 hash:

dbf65ab8af8d7a290966a2bb7000cf9f

SHA1 hash:

c66f51a56e83044f67f99a9ae6e0364f25e92965

Link:

https://www.unpac.me/results/eb3ff6c8-0ce9-48c4-97eb-eb79d649e8d3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b654cc7509e9ae72e91b1481a3517558f2abd29395b422451a8c384ef968dbc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174024/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample