MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c23f7427ef397ef00212583329e993347165a21aa8b06e4162844f89b0dc3b23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c23f7427ef397ef00212583329e993347165a21aa8b06e4162844f89b0dc3b23
SHA3-384 hash: d78b34844319a1b81b2935f311925bf4e540dcdcb6a952aa6998b2afe0c50f0aacade81f3144e47819aca18991315d0e
SHA1 hash: 541e876f6b406abd4e6b045d063a7cfea9e48cb6
MD5 hash: f3f96bb7e6b3f2574109351a35bec6ea
humanhash: winner-burger-nine-glucose
File name:C23F7427EF397EF00212583329E993347165A21AA8B06.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:35'246'092 bytes
First seen:2021-09-03 07:46:09 UTC
Last seen:2021-09-03 09:35:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 786432:IN3V9hSTeLihOkpSTkNJIp2YSXQbrhZe7NKUiw0elKZn6Je/i:IFV9hSTOiXpSuIpLzrGxKE1Jx
Threatray 156 similar samples on MalwareBazaar
TLSH T196773337736AA039C0791F3503A25512DEB7E6689D976F1A29B0C09DCF390D30D3AA5B
dhash icon 70f2869797c6f270 (2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.221/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.221/ https://threatfox.abuse.ch/ioc/213378/

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C23F7427EF397EF00212583329E993347165A21AA8B06.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-03 07:49:17 UTC
Tags:
installer
Link:
https://app.any.run/tasks/704c904d-746e-4495-94a2-f42f34f82eab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Deleting a recently created file
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP POST request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
46 / 100
Link:
https://www.joesandbox.com/analysis/844668
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Detected VMProtect packer
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is protected by VMProtect
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477093 Sample: C23F7427EF397EF00212583329E... Startdate: 03/09/2021 Architecture: WINDOWS Score: 46 76 173.255.195.56 LINODE-APLinodeLLCUS United States 2->76 78 108.177.119.155 GOOGLEUS United States 2->78 80 21 other IPs or domains 2->80 98 Antivirus / Scanner detection for submitted sample 2->98 100 Multi AV Scanner detection for dropped file 2->100 102 Multi AV Scanner detection for submitted file 2->102 104 4 other signatures 2->104 10 C23F7427EF397EF00212583329E993347165A21AA8B06.exe 2 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 9 1 2->16         started        19 9 other processes 2->19 signatures3 process4 dnsIp5 58 C23F7427EF397EF002...347165A21AA8B06.tmp, PE32 10->58 dropped 21 C23F7427EF397EF00212583329E993347165A21AA8B06.tmp 5 14 10->21         started        108 Changes security center settings (notifications, updates, antivirus, firewall) 13->108 68 8.8.8.8 GOOGLEUS United States 16->68 70 23.211.4.86 AKAMAI-ASUS United States 16->70 72 127.0.0.1 unknown unknown 16->72 74 192.168.2.1 unknown unknown 19->74 file6 signatures7 process8 file9 40 C:\...\is-SA1FH.tmp, PE32 21->40 dropped 42 C:\...\aFCDKiW1DOxXjGm.exe (copy), PE32 21->42 dropped 44 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->44 dropped 46 2 other files (none is malicious) 21->46 dropped 24 setup UltData.exe 2 21->24         started        27 aFCDKiW1DOxXjGm.exe 3 21->27         started        process10 file11 56 C:\Users\user\AppData\...\setup UltData.tmp, PE32 24->56 dropped 30 setup UltData.tmp 30 518 24->30         started        106 Injects a PE file into a foreign processes 27->106 34 aFCDKiW1DOxXjGm.exe 27->34         started        signatures12 process13 dnsIp14 88 208.95.112.1 TUT-ASUS United States 30->88 90 104.18.25.249 CLOUDFLARENETUS United States 30->90 92 172.67.179.206 CLOUDFLARENETUS United States 30->92 60 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 30->60 dropped 62 C:\Users\user\AppData\...\SoftwareLog1.dll, PE32 30->62 dropped 64 C:\...\zlibwapi.dll (copy), PE32 30->64 dropped 66 172 other files (none is malicious) 30->66 dropped 36 UltData.exe 30->36         started        94 149.154.167.99 TELEGRAMRU United Kingdom 34->94 96 94.158.245.24 MIVOCLOUDMD Moldova Republic of 34->96 file15 process16 dnsIp17 82 216.58.215.238 GOOGLEUS United States 36->82 84 23.211.5.115 AKAMAI-ASUS United States 36->84 86 23.50.110.42 AKAMAI-ASUS United States 36->86 48 C:\Users\user\AppData\...\msvcr120.dll, PE32 36->48 dropped 50 C:\Users\user\AppData\...\msvcp120.dll, PE32 36->50 dropped 52 C:\Users\user\AppData\Roaming\...\log4net.dll, PE32 36->52 dropped 54 11 other files (none is malicious) 36->54 dropped file18
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-16 01:09:59 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yi7xij7phf7paaqslazst2mtgrywliq2vcyg4qlcqrhytmg4hmrq._file
Verdict:
malicious
Similar samples:
01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358
RaccoonStealer
0cd1346813ea66e5ecb353180f0f01d9b2e53b230ccb5aece10e4366d632df25
RaccoonStealer
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
RaccoonStealer
2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
RaccoonStealer
43fd44a53e16097ae8b813e48be98cddfce369cd515efa1383fd0ea0b5a4c0bc
RaccoonStealer
4bb96e7c641e9f343965704cf4e7327e4448b83fc97cf1766f82ce61ac54d48a
RaccoonStealer
7130f3050718b8dc5bcf760bf129dc68da5285d058d59d27ae3f2c667c7a8809
RaccoonStealer
d794e006d6b517389745d3245e17e91771724786ed0a1c0e0f5bac1de66534a9
RaccoonStealer
f1849f447bfa07c3a9a9db11501a026d133541d0264424198f297f5ec70e1ff3
RaccoonStealer
fce1d9496dbdcf9505069283bf61e825e76a1c99af5258beae9feb0a34385cd7
RaccoonStealer
+ 146 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:642662683c0d3cc4ca0b917d15c96d1da2ae3d70 stealer
Link:
https://tria.ge/reports/210903-jmmwkscga7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Raccoon
Raccoon Stealer Payload
Malware family:
Raccoon v1.7
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c23f7427ef39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c23f7427ef397ef00212583329e993347165a21aa8b06e4162844f89b0dc3b23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments