MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c014da0473a1f16ebcb8b1b1d6a5655d0f240474874b1e413643c459f3279a15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c014da0473a1f16ebcb8b1b1d6a5655d0f240474874b1e413643c459f3279a15
SHA3-384 hash: 5d44b5682b03329bbab3900acf70a6553191951eff9379daf8a281b94d8d45c1e940de1cd0b77d295b57add49e65d98e
SHA1 hash: 6314dc5728f1164eabd936cf4b9027167eaa962c
MD5 hash: a2209ec8a3533d25e654a3cc3492a0cc
humanhash: five-freddie-six-princess
File name:a2209ec8a3533d25e654a3cc3492a0cc.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:606'208 bytes
First seen:2021-06-01 06:05:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b2eb0959f4570acd48df61d115e8278 (2 x RaccoonStealer, 1 x Loki)
ssdeep 12288:AHJNn+piIaw1zSzxwknDubM9OMYz1lNQosXYSOU:knnsaCSdbuo9OMYzz9U
Threatray 1'143 similar samples on MalwareBazaar
TLSH 40D4D13176A1C031F4FB01F445B642B965BABDB15B2410EF62D42BEE5E346E0AC31B9B
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://193.203.203.233/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.203.203.233/ https://threatfox.abuse.ch/ioc/68025/

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2209ec8a3533d25e654a3cc3492a0cc.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-01 06:06:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2b3e2e2-9662-4296-94e6-06fe929ea923

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163636/
Detection(s):
Win.Ransomware.Generickdz-9864351-0
Create hunting rule

Win.Ransomware.Gandcrypt-9864650-0
Create hunting rule

Win.Ransomware.Gandcrypt-9864653-0
Create hunting rule

Win.Ransomware.Gandcrypt-9864719-0
Create hunting rule

Win.Malware.Raccoon-9864651-1
Create hunting rule

Win.Dropper.Raccoon-9864699-1
Create hunting rule

Win.Ransomware.Raccoon-9864772-1
Create hunting rule

Win.Malware.Generic-9865197-0
Create hunting rule

Win.Ransomware.Stop-9865910-0
Create hunting rule

Win.Ransomware.Raccoon-9865949-1
Create hunting rule

Win.Packed.Raccoon-9865954-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/794989
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c014da0473a1f16ebcb8b1b1d6a5655d0f240474874b1e413643c459f3279a15/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-05-27 10:20:41 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yaknubdtuhyw5pfywgy5njlfluhsibduq5fr4qjwipcft4zhtikq._file
Verdict:
malicious
Similar samples:
173fc4f87a8d8992d3bf55addd4e9872ff8d76ab84ed04240e9c820ad778f909
RaccoonStealer
26c9efda91b44bd3b22646ee7e1bf6da939dca186890fae2a1fde4cb1adee352
RaccoonStealer
2a12ae5aabbbe3e508d3b69e3cad540c351ad3021d895303094f54523c99e0d4
RaccoonStealer
463a368c85c49254ec2a84f7a042c3ec68353b7e0280ba464701ca13a7391c5b
RaccoonStealer
4b6b6d5e17ad6e15bbe3ea479b43761a8e1fe173cd755e6f72ea2f2ffdb1cdce
RaccoonStealer
7725783b9c6ee597f0b1017861d4adcc0470de26d10bfe1757145bd44776ea54
RaccoonStealer
8d52c410200f15e0ce1dc51b0cf92dcd7563f07783f23e1699e5f0b3ffde0362
RaccoonStealer
9fb72b04dafeee8369bd08074788b236686c72a3a97ad436a6a0cb0aeae090a6
RaccoonStealer
b0c84cd041aff3cb343209e44f26884fa28883329b2d02efe25bf670a3718d01
RaccoonStealer
b3596656f7c4c056325e161c0e5eb5ea4eaf494a3c89d6f227d2e2d6b3c5bf96
RaccoonStealer
+ 1'133 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1a03f57f5a21ae7ddd2e57109aca7803c9c7d464 discovery spyware stealer
Link:
https://tria.ge/reports/210601-zhm89jc8ws/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c014da0473a1f16ebcb8b1b1d6a5655d0f240474874b1e413643c459f3279a15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163636/

Comments