MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c544dd2476397c624cdea7975b552cf06cbfd2ec5f87e4f3ac34df5cb906eb60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c544dd2476397c624cdea7975b552cf06cbfd2ec5f87e4f3ac34df5cb906eb60
SHA3-384 hash: 17a6ec51103dcb42f83a34d6309d12a5e98840380481d47a5979334f67d8aeee5529ba1d3f08a16ee2f076663fcd8ba2
SHA1 hash: 47fc870ff3bb412463c46ade2fb987db5700d1f3
MD5 hash: 0d8dc65c4bf7e60a49dbe37ae7bc9fb7
humanhash: cold-kentucky-carpet-dakota
File name:0D8DC65C4BF7E60A49DBE37AE7BC9FB7.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:3'580'840 bytes
First seen:2021-05-28 21:20:38 UTC
Last seen:2021-06-01 11:51:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f06072711ef546223ae963302369defb (1 x RaccoonStealer)
ssdeep 98304:k02f6/rawQrowoo/7y7hEK81shS8GcChzkMu:fs6jaUk7yFushSbhfu
Threatray 715 similar samples on MalwareBazaar
TLSH 24F5B022B2818C33D0732A38DD6AE25595697D701D38944B3AEC3F4C6FB57417B2B29B
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.105.230.174/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://34.105.230.174/ https://threatfox.abuse.ch/ioc/66374/

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0D8DC65C4BF7E60A49DBE37AE7BC9FB7.exe
Verdict:
Malicious activity
Analysis date:
2021-05-28 21:26:52 UTC
Tags:
installer trojan stealer raccoon
Link:
https://app.any.run/tasks/f024e3eb-b6d3-4702-9f2a-75962111dcb0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163113/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Creating a service
Delayed reading of the file
Launching a service
Transferring files using the Background Intelligent Transfer Service (BITS)
Running batch commands
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun for a service
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/794135
Signature
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to steal Internet Explorer form passwords
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426531 Sample: XDWrMvPVA5.exe Startdate: 28/05/2021 Architecture: WINDOWS Score: 66 126 Multi AV Scanner detection for submitted file 2->126 128 Machine Learning detection for sample 2->128 9 XDWrMvPVA5.exe 136 2->9         started        14 svchost.exe 9 2 2->14         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 process3 dnsIp4 110 195.201.225.248 HETZNER-ASDE Germany 9->110 112 34.105.230.174 GOOGLEUS United States 9->112 122 2 other IPs or domains 9->122 90 C:\Users\user\AppData\Local\...\install1.exe, PE32 9->90 dropped 92 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 9->92 dropped 94 C:\Users\user\AppData\...\vcruntime140.dll, PE32 9->94 dropped 102 57 other files (none is malicious) 9->102 dropped 132 Detected unpacking (changes PE section rights) 9->132 134 Contains functionality to steal Internet Explorer form passwords 9->134 136 Tries to harvest and steal browser information (history, passwords, etc) 9->136 20 install1.exe 2 75 9->20         started        24 cmd.exe 9->24         started        114 13.225.74.76 AMAZON-02US United States 14->114 116 2.17.180.113 AKAMAI-ASUS European Union 14->116 118 127.0.0.1 unknown unknown 14->118 96 C:\Users\user\AppData\Local\...\BIT739A.tmp, PE32+ 14->96 dropped 138 Benign windows process drops PE files 14->138 140 Changes security center settings (notifications, updates, antivirus, firewall) 16->140 26 MpCmdRun.exe 16->26         started        120 13.224.195.105 AMAZON-02US United States 18->120 98 C:\...\brave_installer-x64.exe, PE32+ 18->98 dropped 100 C:\...\brave_installer-x64.exe, PE32+ 18->100 dropped 142 DLL side loading technique detected 18->142 28 brave_installer-x64.exe 18->28         started        30 BraveUpdate.exe 18->30         started        32 BraveUpdate.exe 18->32         started        file5 signatures6 process7 dnsIp8 108 151.101.1.32 FASTLYUS United States 20->108 80 C:\Program Files (x86)\...\BraveUpdate.exe, PE32 20->80 dropped 82 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 20->82 dropped 84 C:\Program Files (x86)\...\psuser.dll, PE32 20->84 dropped 88 65 other files (none is malicious) 20->88 dropped 34 BraveUpdate.exe 16 74 20->34         started        38 conhost.exe 24->38         started        40 timeout.exe 24->40         started        42 conhost.exe 26->42         started        86 C:\Program Files (x86)\...\setup.exe, PE32+ 28->86 dropped 44 setup.exe 28->44         started        file9 process10 file11 64 C:\Program Files (x86)\...\BraveUpdate.exe, PE32 34->64 dropped 66 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 34->66 dropped 68 C:\Program Files (x86)\...\psuser.dll, PE32 34->68 dropped 78 66 other files (none is malicious) 34->78 dropped 130 Creates an undocumented autostart registry key 34->130 46 BraveUpdate.exe 34->46         started        48 BraveUpdate.exe 34->48         started        51 BraveUpdate.exe 44 34->51         started        53 BraveUpdate.exe 34->53         started        70 C:\Program Files\...\chrome_proxy.exe, PE32+ 44->70 dropped 72 C:\Program Files\BraveSoftware\...\brave.exe, PE32+ 44->72 dropped 74 C:\Program Files\BraveSoftware\...\setup.exe, PE32+ 44->74 dropped 76 C:\Program Files\...\chrmstp.exe, PE32+ 44->76 dropped 55 setup.exe 44->55         started        signatures12 process13 dnsIp14 57 BraveUpdateComRegisterShell64.exe 46->57         started        60 BraveUpdateComRegisterShell64.exe 46->60         started        62 BraveUpdateComRegisterShell64.exe 46->62         started        104 13.224.195.124 AMAZON-02US United States 48->104 106 91.1.25.68 DTAGInternetserviceprovideroperationsDE Germany 55->106 process15 dnsIp16 124 1.3.101.0 DIL-AS-APDONGFONGINCLIMITEDHK China 57->124
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c544dd2476397c624cdea7975b552cf06cbfd2ec5f87e4f3ac34df5cb906eb60/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 11:11:42 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvcn2jdwhf6getg6u6lvwvjm6bwl7uxml6d6j45mgtpvzoig5nqa._file
Verdict:
malicious
Similar samples:
03659dfd8c9a7f8b300972af15621b9d67b8854cfbf66ecab15f63b1686afa2c
RaccoonStealer
2884051cd64be98b26224c6cd9ba46bc6802242fdb2aabbb3dd4aa6b1eb16a78
RaccoonStealer
4169236e7560956d442207c2cc74a767f6470bcedf1d8022677e0aee8949d4f5
RaccoonStealer
45269d3d0fbf13c80d6c496d3ee36e13808e36063bc82e3247cfc291e0f9223c
RaccoonStealer
4960918e52dd7f7db806c36c9393ef8329e173c60d9f59de66474af874ba1e46
RaccoonStealer
4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35
RaccoonStealer
75bc5234ba652f847e14755352f4b39c26ffcfb5cec2b48d34e066b0581772dd
RaccoonStealer
9d98cf2a209bc4ccc92b7dc792c6f3b21c0ce1c2f7eb72498823e7a593145fea
RaccoonStealer
a08a7177db0107d81bfe600111224a280635177a05a8040ec50037a4c0805605
RaccoonStealer
aa703fb814c6e09c409060654ea9b5798b6a99cb0ceb25bd31bf894dc60702f5
RaccoonStealer
+ 705 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:b8848cef28716f6d3a8ff8bef2a888697a7f9f31 discovery persistence spyware stealer
Link:
https://tria.ge/reports/210528-qta54xkav6/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Installed Components in the registry
Sets file execution options in registry
Raccoon
Registers COM server for autorun
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c544dd2476397c624cdea7975b552cf06cbfd2ec5f87e4f3ac34df5cb906eb60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163113/

Comments