MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd9ccc34c800028f931499a2f193911065ce24e92f070964c6b0e107befcb8ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	cd9ccc34c800028f931499a2f193911065ce24e92f070964c6b0e107befcb8ed
SHA3-384 hash:	557d30cef0e42c98bfd9341a5821e98a3ae4c06f63b57f281f41780756955c42ab1dcf75c4c0f9503b802e9bf65030e0
SHA1 hash:	e1a8bbfcef9ef62b83f27211ff38ad1e7ef26478
MD5 hash:	f9d64d21cc1354362e794509126aecb1
humanhash:	vermont-hotel-cat-may
File name:	f9d64d21cc1354362e794509126aecb1.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	535'040 bytes
First seen:	2021-09-07 18:11:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bd83a1bf510d7a089e2d041b1c2c46b5 (2 x RaccoonStealer, 1 x RedLineStealer, 1 x DanaBot)
ssdeep	12288:aDfpPDamgQDvbvHgbqBuuQs5C5LzpPWBp65yaQt:aRDTgy6DSs5LzpK65rQt
Threatray	3'548 similar samples on MalwareBazaar
TLSH	T12DB4E030B6A4C235E4F311F4697EA36868297E716B2090CB63D626EE96376E0DD30753
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://178.23.190.242/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://178.23.190.242/	https://threatfox.abuse.ch/ioc/216953/

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f9d64d21cc1354362e794509126aecb1.exe

Verdict:

Malicious activity

Analysis date:

2021-09-07 18:12:33 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/a34e6d8e-a510-44fa-98cb-e526d11a4031

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/186113/

Detection(s):

Win.Packed.Generic-9887590-0

Win.Packed.Generic-9887643-0

Win.Packed.Generic-9887653-0

Win.Packed.Raccoon-9887654-1

Win.Packed.Generic-9887830-0

Win.Packed.Raccoon-9888530-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Connection attempt

Sending an HTTP POST request

Sending a UDP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb155609-e414-4b4b-af71-cabdad0c3db5

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/846857

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Found malware configuration

Infostealer behavior detected

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/cd9ccc34c800028f931499a2f193911065ce24e92f070964c6b0e107befcb8ed/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-21 23:14:17 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zwomyngiaabi7eyutgrpde4rcbs44jhjf4dqszggwdqqppx4xdwq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

12185f80846ccff1cdbb9dddc6c751dfed2626b8ee9186407547fdf2171d9e66

RaccoonStealer

3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d

RaccoonStealer

5ad7bfb790fc652df60360024af60578790930bb78489aabf352eae3fff103fb

RaccoonStealer

78f958d430a4dec84e4126958d0bde722beab77f03f1ecd733ba94827997dec7

RaccoonStealer

b01b61c911a3b80d4f265e4915f9d62275efa34f84989f77be142f3f9e062f9b

RaccoonStealer

bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32

RaccoonStealer

bf955e96dafd88ef3b4c926108800c1d220cf07fff9e7cc58086f2c70a81f245

RaccoonStealer

eb521300b6ee49fdaad2d339f8389528bd676124d78b2490a238d8f439574635

RaccoonStealer

ed2483bd5eecc185be7bce77dfaea0f2d7e4e525903d318786d502ece18ba83f

RaccoonStealer

+ 3'538 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:7d87e36d5dbdebc7faf369c54a6fe893b000b98b stealer

Link:

https://tria.ge/reports/210907-ws6l4agchm/

Behaviour

Raccoon

Unpacked files

SH256 hash:

b0c75d766cdc49c5d1646187eb1bb07b255124f873bea556628f750e251cabc1

MD5 hash:

5700d8028c0b241efc7401da60001fb2

SHA1 hash:

0c276eb30c8f29523fe76550379ba81870c9c5fb

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/1a8f1315-fe49-4833-be4a-a64a660f7b55/

SH256 hash:

cd9ccc34c800028f931499a2f193911065ce24e92f070964c6b0e107befcb8ed

MD5 hash:

f9d64d21cc1354362e794509126aecb1

SHA1 hash:

e1a8bbfcef9ef62b83f27211ff38ad1e7ef26478

Link:

https://www.unpac.me/results/1a8f1315-fe49-4833-be4a-a64a660f7b55/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cd9ccc34c800/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd9ccc34c800028f931499a2f193911065ce24e92f070964c6b0e107befcb8ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/186113/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample