MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc111014315d5632ee5baad01a4956e0fd74996935e2ce531a6dea163451f415. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 3 File information Comments

SHA256 hash:	bc111014315d5632ee5baad01a4956e0fd74996935e2ce531a6dea163451f415
SHA3-384 hash:	ed2cec9f76bec6068ec6081c4dea61b7170acba2bf0ba550feee0e1191f4e866d46012dee20f5cd50f151be7e45b16e8
SHA1 hash:	f542a2ebe6ed0db8b149fc38907cd00deaa4ff9e
MD5 hash:	a2a04cde1e0c517b71e96e0b9fa81d23
humanhash:	october-colorado-diet-avocado
File name:	a2a04cde1e0c517b71e96e0b9fa81d23.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	609'792 bytes
First seen:	2022-02-18 11:55:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cdabce09eb84a881a0aa3533bac60d11 (3 x RaccoonStealer, 1 x RedLineStealer)
ssdeep	12288:3e2WuR+UN2xl+wPNqi+0hIu2zvmParvli0OMCmtpv:NJN2rPc4errvli0jCev
TLSH	T193D4DF40BBA0D03DE0B716F8787593BCA52E7DA15B2451CB62D23AEE46346E0DDB530B
File icon (PE):
dhash icon	25ac1378399b9b91 (28 x Smoke Loader, 24 x Amadey, 21 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://194.180.191.124/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.180.191.124/	https://threatfox.abuse.ch/ioc/388507/

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/242531/

Detection(s):

Win.Packed.Filerepmalware-9939423-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending an HTTP POST request

Launching the default Windows debugger (dwwin.exe)

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6605/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/620f8958a2660f3bb9fb008e/reports/6fadf39a-ccd3-4882-88af-a120aaa12931/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bfb0fce1-82e0-4f3c-b650-85fa32e4a5cf

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/942189

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc111014315d5632ee5baad01a4956e0fd74996935e2ce531a6dea163451f415/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2022-02-18 11:56:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xqirafbrlvldf3s3vlibuskw4d6xjgljgxrm4uy2nxvbmncr6qkq._file

Verdict:

malicious

Label(s):

raccoon

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:e50c949ecf0380ef03a3368f13619264294662b6 stealer suricata

Link:

https://tria.ge/reports/220218-n32f5addak/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6

Unpacked files

SH256 hash:

27d8f165e6319f02f93ed3c33bdee06b848b69d076390126a7a8a94a3d3c9e33

MD5 hash:

bae8f0a1e1c5305c84251384ee224173

SHA1 hash:

aecedfd51f9a27743f6b131c66c440ac767cb321

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/cb5c3e83-a45c-4a2d-bf4a-591c4db909e9/

Parent samples :

c0c3b3d28a7d7234cce6996c70cf235a20869c5d0f6b430b6a5bcf3b6a7434d2
02761cf4373052f66df32c7f5c981d90c013bdf16fc8f3ad8aafb6a96430c866
f9974bacd389548086f2e4814f763f460989fb242f1b1aa3c787dec6c39b6851
5030200d666e1f843a020f4dc2751fa2e91a9e52f929b8a7410ad6fc57d7f768
db2e87c99798d5a30cf5d0c31c589a0f9e07e4f4412e55dcb0bdb858578882d9
7971d9f44d083e8fd5f266c7e06ee50c87ec2d1b0630b0b21632282989b35a89
19813684f76bcc32fb50d0a5b8f92e4ab1c5fb4495d75d43228c71dcbea54741
ce621491bd4506b2e79e7c739bcdd643d5d2dab8a562bf20a1977660a3089fd1
cead8bab4b9438cc1b7e8d0002714afa905411a81673405b0e382456ba69de26
518f7eae214f5f0d25e36a746f2695c9f81b0f8c250b657af32f29e7417b006c
bc103a145b1fe5c822c73cb23fc46cf0b3922c7a66c5adc5726f50b2e38a155b
625fe1298820b5e535751e38ba8b25c8521e0a663f7fa0248b8b243d80acbe1d
dc199c7585c7d30d2132c40f40a6177da8312cdd9cc641282e4499f1fb32c979
d16b5c249dea1a1d9f395d5b38a62a5a4466c70fe23f2e7dbe95e8b531d7d383
21fe47c1ec28c406ad49dfeffa4dbae703a86b9ae7f93695d0d69aa58e408b3a
caeb2e0940afbfa4b23dbb65614ebc7dfdb74e7b1ab9c1f764d539322628c289
7a1ff7a23895d29ea7b16713073ff6149db56d63d42853a13993ad810c60cfdb
dac74ac8ca2257f92f6763f2db95baad4af92e4501a44c50572cc30b8042b310
f473b9b90112dd698de24ebe6fa904927e3f7a04e30922c5b3b990d706269286
10bcbff9daa66600e2c96c046f258631caa7c5b0da5618f001d46d8ed8f36d9c
bc111014315d5632ee5baad01a4956e0fd74996935e2ce531a6dea163451f415
fe05e12308ece58217a0a37f2c13659402a4a6fe734a19d69e29f9e4ce50889b
3e76725c3afe2b4d36b8474bc0bb08cee4716bb1d007432a0bbb454f16d2a1e7
333b7e8f8e544f5e99ef45bf08bb5f7311dd1692011a7f75ed1c903d02d1e2c3
201c56eb552e03593e9324daaec20c069719ae88cd2a99b9f8d8be6a88028234
e0c53ca40fa7065b0c76b01eacd256efcd8ada5e4c4cde3664dc95eadeafaafa
26196adf92b9651f89233c6317ca533dac00fa4bbd0b8f0fbeb8da9365b929ad
f4d38c6679a945fbcf738512e8555df77c498a82e39728385dc097956491b2a2
5c5084ef35d6a6a67521115b444a4931024cc2fac51295aabc354e28e8e00db4
d82a817121dbfb073d398328c0b18ba6c5571c768e97d14207afaf3b7a401560
466a22e3f5ef8a653a7bec43434eaa8fa19c7f089ece026352ebdbfcfc4df8a5
019d041219a518b5ca40ba5547cf5f8b80fcedce2ee8f791f02d9d9acda7388f
e8e513067019477664ad514141496271939fcd04025246222d1d679b1f3ea0ba
03fc818962bef15922b1098bfd60581bab3372d0bd717a932c19af5162d7b0a2
06068e7042a68b17c2a719f2b3eb07128ecefd9d7125c03ffa20eccce9409d2d
af0bc0b2149df1769de0128984f8178620fae9de69e5bb4e0a3d661ae8cd18eb

SH256 hash:

bc111014315d5632ee5baad01a4956e0fd74996935e2ce531a6dea163451f415

MD5 hash:

a2a04cde1e0c517b71e96e0b9fa81d23

SHA1 hash:

f542a2ebe6ed0db8b149fc38907cd00deaa4ff9e

Link:

https://www.unpac.me/results/cb5c3e83-a45c-4a2d-bf4a-591c4db909e9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bc111014315d5632ee5baad01a4956e0fd74996935e2ce531a6dea163451f415

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

exe bc111014315d5632ee5baad01a4956e0fd74996935e2ce531a6dea163451f415

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2046398/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/242531/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample