MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b67a1053ae9f63aca3e5d58e0a1ba38287f1910a756e8216759712a407b15b2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 14



SHA256 hash: b67a1053ae9f63aca3e5d58e0a1ba38287f1910a756e8216759712a407b15b2b
SHA3-384 hash: 8f7b340fa38a840329880af7fe510bf412bb745d84e258f93f17695c9de666e8b67ef8f0f7a83f05ce9932db4070a8ba
SHA1 hash: abcf16f3a246b0acc71cfde67a04e041ad8c3c2d
MD5 hash: c4ee6561345be6fd4cbd352e43b548c0
humanhash: kilo-crazy-illinois-montana
File name: c4ee6561345be6fd4cbd352e43b548c0.exe
Signature: RaccoonStealer
File size: 605'184 bytes
First seen: 2022-02-26 19:35:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: cfab3cc80f484d1f798accf1fb24254c (3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep: 12288:Z4EFKXkX+nE5wIuHwHTpXN4jzBlJB/ThpX/fgJiKYwnU:+QunE5BxzLUFlJB/ThZng/nU
Threatray: 9'532 similar samples on MalwareBazaar
TLSH: T16CD4DF00BBA0C03DE0B315F47975D3BCA62E7EA25B2051CB22D56AEE16356E0EDB1747
dhash icon: 2dac1370319b9b91 (22 x Smoke Loader, 20 x RedLineStealer, 18 x Amadey)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://185.163.204.32/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.163.204.32/
ThreatFox reference: https://threatfox.abuse.ch/ioc/390944/

Intelligence


File Origin
# of uploads: 1
# of downloads: 355
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating synchronization primitives
  Sending an HTTP GET request

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CPUID_Instruction
  MeasuringTime
  SystemUptime
  CheckCmdLine
  EvasionQueryPerformanceCounter
  EvasionGetTickCount

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware mikey mokes packed raccoon smokeloader wacatac

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious

Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Contains functionality to steal Internet Explorer form passwords
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for submitted file
  Self deletion via cmd delete
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Yara detected Raccoon Stealer
Behaviour:
Behavior Graph:

Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2022-02-22 08:45:00 UTC
File Type: PE (Exe)
Extracted files: 46
AV detection: 36 of 43 (83.72%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:837073a00cedbde3afd1d843a062c298907cbe9a stealer suricata
Behaviour:
  Raccoon
  suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

Unpacked files
SHA256 hash: 92285bad361e59de3c701079b83a34a9c69d5c0a9a99124d0083abc2d347102f
MD5 hash: 49789a025dc23aa71acaff4e2a00c661
SHA1 hash: e1b7ddf1f8667a296cd72255917037ad66260d7b
Detections: win_raccoon_auto

SHA256 hash: b67a1053ae9f63aca3e5d58e0a1ba38287f1910a756e8216759712a407b15b2b
MD5 hash: c4ee6561345be6fd4cbd352e43b548c0
SHA1 hash: abcf16f3a246b0acc71cfde67a04e041ad8c3c2d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments