MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd44a6077b2679bc1eba5aeeaccbdaeff661789d7e1b297e0fbacaf39282a2be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 2 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd44a6077b2679bc1eba5aeeaccbdaeff661789d7e1b297e0fbacaf39282a2be
SHA3-384 hash: 7fc8fd1ac562c82ad27d40017261d26047f9c97c729ecb43e81ac263edbec6e1f5af94135ce322621026859048b1f04c
SHA1 hash: 4c0d3a844d55fd7f147707bea3bad08923f2ba8e
MD5 hash: a1e5e863988147a745d2b29faa257389
humanhash: pizza-fanta-equal-magnesium
File name:a1e5e863988147a745d2b29faa257389.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:359'424 bytes
First seen:2021-09-24 07:51:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2bc3921f9c8d145b9a6f1e3eaf1f8a9 (5 x RedLineStealer, 1 x Loki, 1 x Stop)
ssdeep 6144:2rpNYOg8/pclnYaX3iszW4EuemUCDymlFG7k5X5MLfpPXmYQ:QNYOg8/pclliEW45egGmfD+DYY
Threatray 569 similar samples on MalwareBazaar
TLSH T16674AF20BBE0C035F1F712F849B993A8A53E7EB15B3481CB62D216EA66356E4DC30757
File icon (PE):PE icon
dhash icon 96714cb474dcf166 (2 x RaccoonStealer, 1 x GCleaner, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.204.37/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.37/ https://threatfox.abuse.ch/ioc/226142/
185.215.113.15:6043 https://threatfox.abuse.ch/ioc/226451/

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a1e5e863988147a745d2b29faa257389.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 07:52:33 UTC
Tags:
trojan loader opendir evasion stealer rat redline
Link:
https://app.any.run/tasks/e0e0b1d0-67d2-47a5-89f3-707f1506f204

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gcleaner
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191083/
Detection(s):
Win.Packed.Fragtor-9895692-0
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2940d126-66c5-427d-a34a-a7c874bddddd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/857171
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd44a6077b2679bc1eba5aeeaccbdaeff661789d7e1b297e0fbacaf39282a2be/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 20:53:06 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvckmb33ez43yhv2llxkzs62573gc6e5pynss7qpxlfpheucuk7a._file
Verdict:
malicious
Similar samples:
13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2
RaccoonStealer
15fcf16c0b002ac7f125ed2d81851a1504554164d8b0d5b72d670a73200b8bfb
RaccoonStealer
32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
RaccoonStealer
46833cb6d7164e28570005bd33ca5a46e3d1f3666677d1a1ef541b70f98b5d14
RaccoonStealer
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
RaccoonStealer
9453ddc4bebb87a937e3d53d38c56814907b2862496142ccdb568f48caf2d467
RaccoonStealer
a5ae0f12308cd01e02c8c75137818f8945f4fba0785f5558c75bff2f20fb7957
RaccoonStealer
b41de952a4fc93913cc56535c289c1cfd5b4c249477a0fad912956abf6b2293b
RaccoonStealer
bfdb06e19260107f468834d5601f7f295ca82b31966be48f856011d9dba1f5b7
RaccoonStealer
e95fd4b1c20d7547466b404f5a9f00940e40e3c8421c3838b619adfa6bbcb4cb
RaccoonStealer
+ 559 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210924-jqepdagcf9/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Unpacked files
SH256 hash:
eb4c0951d2bae23fe5610e3cc4d32efdfa39d12fbe4922df1b61340cbda1942e
MD5 hash:
31b9aa52f867c7dd74f5308633ae8fcd
SHA1 hash:
7c16b4d86428e53da0a9a7b71e8c3be56c8cdfbb
Link:
https://www.unpac.me/results/954fd8a2-2f30-40a2-b2b2-2bc87b27ab59/
SH256 hash:
cd44a6077b2679bc1eba5aeeaccbdaeff661789d7e1b297e0fbacaf39282a2be
MD5 hash:
a1e5e863988147a745d2b29faa257389
SHA1 hash:
4c0d3a844d55fd7f147707bea3bad08923f2ba8e
Link:
https://www.unpac.me/results/954fd8a2-2f30-40a2-b2b2-2bc87b27ab59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd44a6077b2679bc1eba5aeeaccbdaeff661789d7e1b297e0fbacaf39282a2be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_AHK_Downloader
Create hunting rule
Author:ditekSHen
Description:Detects AutoHotKey binaries acting as second stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_RedLineDropperAHK
Create hunting rule
Author:ditekSHen
Description:Detects AutoIt/AutoHotKey executables dropping RedLine infostealer
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191083/

Comments