MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c342fdfec0daba55c2c00a9f2c141668488b2789db1245b842ecf1f4cb43202a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c342fdfec0daba55c2c00a9f2c141668488b2789db1245b842ecf1f4cb43202a
SHA3-384 hash: 4fe52df77719fa7c58b7744e3e19d5bdcaf0dbb17c92dd816db563722c1e26d57d42abdc6de6397d093e8776e895c01a
SHA1 hash: e9c38c70504351242167c6c08b8787b19769d6a7
MD5 hash: 30d55f0551f6c69f9cac1399be4af767
humanhash: lemon-speaker-happy-cold
File name:e9c38c70504351242167c6c08b8787b19769d6a7.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:568'320 bytes
First seen:2021-09-17 18:55:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb2ce1e2182a201f95af251a96da1408 (5 x RaccoonStealer, 1 x Stop)
ssdeep 12288:x4/TC9MwpcP27Q7qO6X5qb+En6G43F0Gc5fzdlZvqD/r:abC9VqhJ6Xg+E613ChlZi/
Threatray 3'079 similar samples on MalwareBazaar
TLSH T124C4D030AA90C036D0AA01F755BAC768E5297E71FB3305C772D5EAEE56382E49D31387
dhash icon 5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://179.43.175.24/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://179.43.175.24/ https://threatfox.abuse.ch/ioc/222954/

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e9c38c70504351242167c6c08b8787b19769d6a7.exe
Verdict:
Malicious activity
Analysis date:
2021-09-17 19:02:47 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/0910b397-d041-4e7b-b493-ec1f810702f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188804/
Detection(s):
Win.Packed.Fragtor-9893002-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61752f4aa9d585e6d5371335/reports/b6cc1f85-d5fe-47d1-a496-56a605419e37/overview
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8f582ab-d449-4f10-9323-ba96a2fe01d5
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852952
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c342fdfec0daba55c2c00a9f2c141668488b2789db1245b842ecf1f4cb43202a/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 08:42:14 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynbp37wa3k5flqwabkpsyfawnbeiwj4j3mjelocc5ty7js2deava._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c791330b6c9714529cf845649a17339f96df293f02bf550e6c4e007faf6a9e8
RaccoonStealer
148c2ff6c877196d1bbdb73f1dc956f5a7dccbab86037648e235c149a3f4eef2
RaccoonStealer
769e6fac3f7be0c7278bf32ec84b6e96690e06c4ed2c4d06df1f790fc97165e5
RaccoonStealer
79353b4beb5c15fb26a1a4e35742da675a5adeff230f9a4d8f3577d47e263e97
RaccoonStealer
7dab69ecef0dc000e97634c8bf2840242b9e75038f32c0eac5eb79772309e43c
RaccoonStealer
b349af407e596fa823ca28d516ac7ce5481550003d45195e26ea535944cc7f5e
RaccoonStealer
be54f94776405673d2e6d5c453d540dc93c8f4057d4abb0e046b77f926ed9db2
RaccoonStealer
bfb1e4895a98b83a61f405199730fea989dc84ab8acf6e6234e4264db179cc84
RaccoonStealer
f0c98f4c47a7f3890884cea6e1e84d19fd63eeed8b05ba9cb367707a0f28aeba
RaccoonStealer
fe217c1f1d0ab6e7b287c409a3133a11883ce2832b4f30dce686459751584969
RaccoonStealer
+ 3'069 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery spyware stealer
Link:
https://tria.ge/reports/210917-xlcacagbf9/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
83d2ad84bd98ee73768aaab4852780491ed52778e7487a7b9cda9dc15340194b
MD5 hash:
934b9c124901d719e4e41beef3cb4347
SHA1 hash:
1b4e567b30b3701538bf64e126e4b9b1360eae79
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/8ce42e14-24c6-4c11-895d-9107123b6c65/
Parent samples :
84cb1084ca0ef1fe91c17b9f81878e670eb8883f37cd9cc32bb48ad93ab8cff5
c342fdfec0daba55c2c00a9f2c141668488b2789db1245b842ecf1f4cb43202a
2a410380d53c1470b12627d31896ba071df1ddbccfb23bf6875016db92e13689
SH256 hash:
c342fdfec0daba55c2c00a9f2c141668488b2789db1245b842ecf1f4cb43202a
MD5 hash:
30d55f0551f6c69f9cac1399be4af767
SHA1 hash:
e9c38c70504351242167c6c08b8787b19769d6a7
Link:
https://www.unpac.me/results/8ce42e14-24c6-4c11-895d-9107123b6c65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c342fdfec0daba55c2c00a9f2c141668488b2789db1245b842ecf1f4cb43202a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188804/

Comments