MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9fc9c25f5f404ef33c87d1c766fb4b4d8f50efd211fe197e6c734d797aca2a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 3 File information Comments

SHA256 hash:	c9fc9c25f5f404ef33c87d1c766fb4b4d8f50efd211fe197e6c734d797aca2a2
SHA3-384 hash:	e7ca290186794bc1220524ae3166ece5b48b9710c5a256d7fe455a545684009682712475bf612ecdebf5af663de8d8a3
SHA1 hash:	b57532004a0344122c94652db33ddd825dc5c047
MD5 hash:	f3cbc36da896016555ef1915ebebfe5b
humanhash:	iowa-march-music-wolfram
File name:	f3cbc36da896016555ef1915ebebfe5b.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	524'800 bytes
First seen:	2022-04-03 04:35:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	82d4c36ef8d8d93a7382f02fd78b23b0 (6 x RaccoonStealer, 6 x Stop, 3 x RedLineStealer)
ssdeep	12288:ZHAYVvqqychVldJ2NY7nX5jdp5WxVuUszy3mMoKdtSyq:ZnViqychr2O7X5jdpAyUQ+dtSyq
Threatray	5'002 similar samples on MalwareBazaar
TLSH	T1C0B412213F51D231C5D110353C39C372AEADB9352AB0594F7BA62A6E0EB03D176BAB17
File icon (PE):
dhash icon	b29a9eb2ae96fa7c (1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://103.155.93.70/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://103.155.93.70/	https://threatfox.abuse.ch/ioc/487849/

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

Win.Packed.Generickdz-9942099-0

Win.Packed.Crypterx-9942173-0

Win.Packed.Strab-9942213-0

Win.Packed.Crypterx-9942214-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending a TCP request to an infection source

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12423/overview

Behaviour

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware hlux

Link:

https://www.filescan.io/uploads/624924331f2042394872eca2/reports/864d1256-8e43-4e02-98a8-2c1037657852/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/340cd39b-8bd0-4841-9dac-5f79db3310fe

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/969509

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9fc9c25f5f404ef33c87d1c766fb4b4d8f50efd211fe197e6c734d797aca2a2/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2022-03-23 02:21:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zh6jyjpv6qco6m6ipuohm35uwtmpkdx5eep6df7gy42npf5mukra._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

3b616203dd828d928f361a33d49caabbdcc9fe22d58e7033d8b0a9ca49be62e5

RaccoonStealer

43b1ec0b060303ab2154b434a4142502b9367dd7cb951725bfd55b679a5398ef

RaccoonStealer

772b0096bf5c9bb9c71a7ea2ba9a631a80b115134f1d480c08af549fb6f90d87

RaccoonStealer

84862dd214cf92e7ba589fda632e1a7d1748341da19ed2d4cc56029f8a1bb6ce

RaccoonStealer

dbe977eb38b4307dcadcc923553535f94f762b91dd28eb11d27cdd6b8f9eab4f

RaccoonStealer

ff7f9819fae56695cb050049e7d19bedc070975f499d52735218085c7f3291d1

RaccoonStealer

+ 4'992 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:047eaa1340214d99a8deec47621412aa3ca866db stealer

Link:

https://tria.ge/reports/220403-e78xbsfaa3/

Behaviour

Raccoon

Unpacked files

SH256 hash:

dfc7901931b66293f0fb89a7151480ebee5a655caf905095f2c20e8a68eba6ca

MD5 hash:

da01082522d6b9fed831c157a66ffe2d

SHA1 hash:

e92e40b859bc6b02cc484b84c28271949fd4b85a

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/d512d9e3-203c-47d8-8a87-24a3908309e6/

Parent samples :

2324f4a3075dd29ad5968843189c8a11b536775cf64baa202ca6f3e9db418a0a
48160a7b32d933414246f5e2143e4921b27961588e07a56b98df65161b40377c
5551acf69e2dfecdfaaf1d327d308bda79cdd40864a8d4ecfd6d47bfa6f0f68a
c9fc9c25f5f404ef33c87d1c766fb4b4d8f50efd211fe197e6c734d797aca2a2

SH256 hash:

c9fc9c25f5f404ef33c87d1c766fb4b4d8f50efd211fe197e6c734d797aca2a2

MD5 hash:

f3cbc36da896016555ef1915ebebfe5b

SHA1 hash:

b57532004a0344122c94652db33ddd825dc5c047

Link:

https://www.unpac.me/results/d512d9e3-203c-47d8-8a87-24a3908309e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9fc9c25f5f404ef33c87d1c766fb4b4d8f50efd211fe197e6c734d797aca2a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260230/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample