MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5227efde4e348fe3e789976e8af1a7969d6e3704e6df83e310531b4c9a415c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	c5227efde4e348fe3e789976e8af1a7969d6e3704e6df83e310531b4c9a415c5
SHA3-384 hash:	75a1f7a25dd39792891a7245e14a8b7a3e9d7582d3cb49027bbc1d5502797aaa90f06261ad68ea54d7bb3076de32891c
SHA1 hash:	797778eb918c85f88bc717e91c7eaf462d5b0b89
MD5 hash:	c7220497a7f793675a66c0a25b1af348
humanhash:	stream-mississippi-sixteen-aspen
File name:	c7220497a7f793675a66c0a25b1af348.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'818'640 bytes
First seen:	2021-05-30 23:35:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:bQFTo79g+b/zgSi++jxJQvXYCNhow+/5GrTq3aDh70S66jhLAS+:q+9HgSi++jbQ7L8Grm3U0S7j4
Threatray	813 similar samples on MalwareBazaar
TLSH	69856B1929984A51E3EBA776C5C9943B43139D33E5E2B62FA4D733240EF239738053AD
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://45.140.147.99/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.140.147.99/	https://threatfox.abuse.ch/ioc/67541/

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://fusenz.xyz/?s=163&q=NTLite-211-Build-7917-Crack-With-License-Key-Full-Free-Download-2021&g=cc00bda61e3a4a1185f1c586d8e92509&mode=

Verdict:

Malicious activity

Analysis date:

2021-05-28 04:09:59 UTC

Tags:

trojan evasion opendir stealer vidar raccoon rat redline danabot netsupport unwanted phishing

Link:

https://app.any.run/tasks/6cf7f35a-1060-41d4-ba37-689b2f421626

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/163283/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/794403

Signature

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM3

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/c5227efde4e348fe3e789976e8af1a7969d6e3704e6df83e310531b4c9a415c5/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2021-05-28 12:14:48 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yurh57pe4nep4ptytf3orly2pfu5ny3qjzw7qprrauy3jsnecxcq._file

Verdict:

malicious

RaccoonStealer

2884051cd64be98b26224c6cd9ba46bc6802242fdb2aabbb3dd4aa6b1eb16a78

RaccoonStealer

45269d3d0fbf13c80d6c496d3ee36e13808e36063bc82e3247cfc291e0f9223c

RaccoonStealer

4960918e52dd7f7db806c36c9393ef8329e173c60d9f59de66474af874ba1e46

RaccoonStealer

4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35

RaccoonStealer

75bc5234ba652f847e14755352f4b39c26ffcfb5cec2b48d34e066b0581772dd

RaccoonStealer

9d98cf2a209bc4ccc92b7dc792c6f3b21c0ce1c2f7eb72498823e7a593145fea

RaccoonStealer

a08a7177db0107d81bfe600111224a280635177a05a8040ec50037a4c0805605

RaccoonStealer

aa703fb814c6e09c409060654ea9b5798b6a99cb0ceb25bd31bf894dc60702f5

RaccoonStealer

ee0b39b480c2c564f9fbc5eb69a852b43d8c558ae0fdce7fd814a4b5339eec16

RaccoonStealer

+ 803 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:5889a006c2b6a80d86368c09067fadc8b043a58e stealer

Link:

https://tria.ge/reports/210530-444rmnt7zs/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Raccoon

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c5227efde4e348fe3e789976e8af1a7969d6e3704e6df83e310531b4c9a415c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163283/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample