MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c660d57bd98c4b7cecedeaa8405adba7ba4057e6f1ce62636a5d1003fea36e61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	c660d57bd98c4b7cecedeaa8405adba7ba4057e6f1ce62636a5d1003fea36e61
SHA3-384 hash:	53b902dbe75eb33f97a1f6c1abc112f55dffa7029ec54c9ac6cac9caf2ad9a5bd8da8934802c29db9773ced5a5ec25a8
SHA1 hash:	9ed84377a3442b82d421c27b771ccc9035fe8607
MD5 hash:	53c12421ff1c34129c7fe4fc19abbd39
humanhash:	jig-charlie-lake-lamp
File name:	9ed84377a3442b82d421c27b771ccc9035fe8607.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	506'368 bytes
First seen:	2021-09-20 21:10:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8771048b1c01475c23bc95fc636ac433 (7 x RaccoonStealer, 4 x RedLineStealer, 1 x DanaBot)
ssdeep	12288:rsBGefhh8F6UNU7p+zTJLWElM4rPiGgejNX:wBGyHUAp+zIES5ZaB
Threatray	3'311 similar samples on MalwareBazaar
TLSH	T151B4F120A6A0C038F4B712F9597A537CB83C7A715B7461CB62D626ED27382E8DD30357
File icon (PE):
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://179.43.187.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://179.43.187.252/	https://threatfox.abuse.ch/ioc/223814/

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9ed84377a3442b82d421c27b771ccc9035fe8607.exe

Verdict:

Malicious activity

Analysis date:

2021-09-20 21:12:36 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/0ea5a07e-b959-4393-b9ff-31ce1e1c973a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/189609/

Detection(s):

SecuriteInfo.com.Ransom.Stop.Z5.26427.UNOFFICIAL

Win.Malware.Generic-9894279-0

Win.Malware.Raccoon-9894280-1

Win.Malware.Raccoon-9894303-1

Win.Malware.Raccoon-9894356-1

Win.Malware.Generic-9894375-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/06771ca1-5ef2-4dd5-8a28-e174b61ad339

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/854461

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/c660d57bd98c4b7cecedeaa8405adba7ba4057e6f1ce62636a5d1003fea36e61/

Threat name:

Win32.Trojan.RedlineStealer

Status:

Malicious

First seen:

2021-09-18 08:01:45 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yzqnk66zrrfxz3hn5kueaww3u65eav7g6hhgey3kluiah7vdnzqq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

3255394172556a89378c6a369e4d88fcd1992017cf1eeb7ee2794495758bf785

RaccoonStealer

4fbba8bdb65d473f64768724b7fef94845dad92ec8fdde2074778c8344e9ed01

RaccoonStealer

884429c12ac459c21450fb85cd1c3a05cb83d4eeff21132ffd8e6fefd1df1e13

RaccoonStealer

91abbb352f4857d4abfb9e90ec4aadda158566f23b7bc11a48e87fc5150e7706

RaccoonStealer

9ba1db35f1faf6730c60c798a290ad44ca12170b002b4e721428aa2750b4d31c

RaccoonStealer

c95c6fd450506a24342b1786cbaf6b9d1d25ebe4547072c275ab015152ffbb79

RaccoonStealer

d690f8acb2be07e4c3c00c177e4541fe6152f82fa719b911a9ae41987e0325ea

RaccoonStealer

f8f5ee131a58780ff2f013e6d323660a2d02a8b57316db7942d7d94652f3d27b

RaccoonStealer

fe1990750afee81d40a30939cdbd0b3005f5817c23592e8670619fcfec895426

RaccoonStealer

+ 3'301 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon discovery spyware stealer

Link:

https://tria.ge/reports/210920-z1k7xaabek/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Unpacked files

SH256 hash:

be45760bc302c3b5bbc429156d3f4aa6d9a6ad31ac6943c2a31df1cde9791593

MD5 hash:

af96742458fcb0c9d1082c92e586ee23

SHA1 hash:

77887d4b449d72d1b9f915a19e9b4b0936932ff9

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/cc9d8d71-926b-4975-9dda-65ba51b1c020/

Parent samples :

22f3b23ee63e47656daa0fcb45c58b9a2665e28f54b56766b6dddc94d8781281
c660d57bd98c4b7cecedeaa8405adba7ba4057e6f1ce62636a5d1003fea36e61
a422ed03a4f32c092a5dc53c3d8fbce7e32243f838a45b27a396175b84cab369

SH256 hash:

c660d57bd98c4b7cecedeaa8405adba7ba4057e6f1ce62636a5d1003fea36e61

MD5 hash:

53c12421ff1c34129c7fe4fc19abbd39

SHA1 hash:

9ed84377a3442b82d421c27b771ccc9035fe8607

Link:

https://www.unpac.me/results/cc9d8d71-926b-4975-9dda-65ba51b1c020/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c660d57bd98c4b7cecedeaa8405adba7ba4057e6f1ce62636a5d1003fea36e61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/189609/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample