MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5
SHA3-384 hash: b66b5cd9cccc95348f8850106478a9bfd91393665dbc65f939a5bcc593f8dba5bc5b2ff7772dc68562df9b2eaf565572
SHA1 hash: ddc876cf17c2cc3b38a02f75770522c5cf939ef6
MD5 hash: 906bf68f10d642ba7f5fb9685249db99
humanhash: low-tennessee-uniform-comet
File name:906bf68f10d642ba7f5fb9685249db99.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:595'456 bytes
First seen:2021-10-17 09:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f62cde959e9e12a6ba3449e452359154 (6 x RaccoonStealer, 1 x GCleaner)
ssdeep 12288:hQzY+9+bMw7eyUnFafcqTUiHrC9wahAwgUPHMrpTZg83CJWW4tDM:h69/essQiLwwaFgrZg83LM
Threatray 3'796 similar samples on MalwareBazaar
TLSH T1C5C4CF10A650C039F5F351F84ABA9368A62E7FE16B2490CB53D52AED97386E0FD30357
File icon (PE):PE icon
dhash icon 6ae8e8e8aa66a489 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.204.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.33/ https://threatfox.abuse.ch/ioc/234895/

Intelligence

File Origin
# of uploads :
1
# of downloads :
551
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
906bf68f10d642ba7f5fb9685249db99.exe
Verdict:
Malicious activity
Analysis date:
2021-10-17 09:12:05 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/1907d8ac-9b44-4cd0-a16b-d54a2ef2b00e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197963/
Detection(s):
Win.Trojan.Generic-9902991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616be8abdb358dd15ebddb05/reports/5ac134eb-ef01-46a6-bb2a-7c3daeb257c4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88e3a428-f993-499b-981b-acf27d4dd0e9
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871774
Signature
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-10-17 09:11:08 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsmo4ff4quco2lnotuaqy7zas5254upz6miinakof63lik5kps2q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
175857c3f9480499cf56d30f394f885d51ac9ef05bbc1d6bd86d3b4af393c261
RaccoonStealer
4cebb5a9492f91192a5def3c8345b217718a8223a9b845c3eec1e1eeaa8c6060
RaccoonStealer
94036ecca794753179e68c331482c2b42b0c06a067169c8b004fad4e7dda673a
RaccoonStealer
9e05d26ca31990960ecb59a804c99db6c1b07ae9d5afc4a835f04a0aceaea75e
RaccoonStealer
9f11cb88433023075e0ad899c15354f27a9ef34e3d53aee561d391130d77ddaa
RaccoonStealer
e128f0a54c481a677c0cdc5159600956776cc02fe066cec67775958e4d132ee9
RaccoonStealer
ee72d76436717cfab41a33950d641e7e6820d23369b21fe937cc2fc2549c6869
RaccoonStealer
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
RaccoonStealer
+ 3'786 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:7ebf9b416b72a203df65383eec899dc689d2c3d7 stealer
Link:
https://tria.ge/reports/211017-k5mtzadchl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
aa156806223068508fe317644fb0e5396107f71b0284e301577f754e0d286122
MD5 hash:
fa1486a2b835594d48c7f32ca1f15e48
SHA1 hash:
fe0297a9ddda480ba4d2264592d8e7cc4b8fadd3
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/62b45f4d-7e08-42d0-b74d-2c1046f79701/
Parent samples :
afa506dea7e88d3aa2ff4c2f58a21a91cf5d6ae5a00dea2cf482832d1613e37b
ccbfdd0661ad91a09b7226542b5feb70e01b108951a0a382b2381ea25b7c73d7
bc2bf5271de321e19fa21bae29bcf1260b2e43c8891ab056881f37a1209d8557
55927123aaddfc0c7d7b720e0f06aadd5bcc52d9b4955da3460b02561fb6447d
4cebb5a9492f91192a5def3c8345b217718a8223a9b845c3eec1e1eeaa8c6060
9e05d26ca31990960ecb59a804c99db6c1b07ae9d5afc4a835f04a0aceaea75e
9f11cb88433023075e0ad899c15354f27a9ef34e3d53aee561d391130d77ddaa
e128f0a54c481a677c0cdc5159600956776cc02fe066cec67775958e4d132ee9
921b85ad6dadda97e0c6a3d3eb36fb5e9943f24854c30dfa00bf29a8c722cf62
94036ecca794753179e68c331482c2b42b0c06a067169c8b004fad4e7dda673a
175857c3f9480499cf56d30f394f885d51ac9ef05bbc1d6bd86d3b4af393c261
cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5
f71af415b9939891015d10018b116c538506e55aaa67dc825c2c95cf6626555c
7cff32466f0b5aed14c17999813f0e2395598fe70437805589ea0bb9dc4fe9d1
35d9bca5a3ae3990cf7c1e73f192600e7eddefda636d8594e1e3983e73fef941
fef23d7da54626830e7d3bf6738b1c6b587b204d16d888860c973cfc3bb999d7
37adbd4fc155549e6f725c4bc9d540eac67bbf78b0ae893059d860cca52b4aee
a9017566e9e66f032d8112dedb7a41398f0b56f607372d7df9096b555cc4c344
1a1eba19f1b9bc5eb62e70dfeda11fb27f7f79bb4c0aa3936d4e982bc0af41c1
33d3b2f2022f7bc8f6d5563a962d41fbb984b212b9e09f0ddf5fe7e9a44a8d34
b192cdd9dbe911ad254c513a7988cd62474cda9e72514557ae4399c163bcbfcc
ea35181753363a426ec2114c24bb445b642445698b5c3e419314b964ce60defb
88b8097ddd006cd54de00ea57d7d57c182df22fd4ba45629d922b5eae25ec786
503cc21000ab022ab292a174211951fb92b96c1a0a102bebf9c3c6d0194f1b72
c57897485abec1f54b3f54c762777cd2b8fb09d79282388a8b30bb1216052361
1aec6cc141b967ad7e484585cc9f14807fdea191960515a13e638d26ae1cbcee
3afa401a164d6cb1ba9ee8836c8f2af6c2bd445896bdf986a2385fa52e9e8c2d
7af9e7e44d7f033837b7bae0f23f2bd5d7eb5e31b2067fcf31be2886141517be
b2cfcca54559fe12152b31db92c3344cbf9024df4f9ba0bf4bd1790c3963a779
SH256 hash:
cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5
MD5 hash:
906bf68f10d642ba7f5fb9685249db99
SHA1 hash:
ddc876cf17c2cc3b38a02f75770522c5cf939ef6
Link:
https://www.unpac.me/results/62b45f4d-7e08-42d0-b74d-2c1046f79701/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cc98ee14bc85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1678286/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197963/

Comments