MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4a432f1248930343a999a11dbcf5c7790f7c0d4856200aba7d20f956455fa2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12



SHA256 hash: d4a432f1248930343a999a11dbcf5c7790f7c0d4856200aba7d20f956455fa2e
SHA3-384 hash: 846ae5591edb955fe6654baf0bce0ee8ff243453eebe50428bbdaa072e5b652ee9a16cacb7870e0526a7eb6c078c062c
SHA1 hash: 7bd5b208b489f3c2c1c5050d74aa6472e6c5750b
MD5 hash: 3c20252381796353e6cf1abb3cfc6e11
humanhash: bravo-blossom-enemy-artist
File name: d4a432f1248930343a999a11dbcf5c7790f7c0d485620.exe
Signature RaccoonStealer
File size: 505'856 bytes
First seen: 2021-09-18 16:10:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b6fc451038266fcf59b2e92a5ee2c7df (3 x RaccoonStealer, 2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:4ZNiurLKU33M6W+5fChONn10NTYuB8HxCrfHeFTl5bCpWE:4bPrJ602snO2uB8HAMTlkQ
Threatray 3'108 similar samples on MalwareBazaar
TLSH T1EDB4E120AAA0C035F4B716F559B943B8B82D7AB25B3410CB62DA16FE57387F49C30797
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter abuse_ch
Tags: exe RaccoonStealer
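Before relying on any of the analysis on this page, confirm that the file you actually hold is the one the entry describes. The following Python is an added example, not code from MalwareBazaar; the digest values are the ones listed above, the function names are my own, and the only assumption is that the file is readable as bytes. It reads the file once, feeds every listed algorithm per chunk, and reports which digests disagree.

```python
# Added example, not MalwareBazaar code: confirm that a file on disk is the
# sample this entry describes by recomputing the listed digests.
import hashlib
import io

# Digests copied from the entry above; hashlib's name for SHA3-384 is "sha3_384".
LISTED = {
    "md5": "3c20252381796353e6cf1abb3cfc6e11",
    "sha1": "7bd5b208b489f3c2c1c5050d74aa6472e6c5750b",
    "sha256": "d4a432f1248930343a999a11dbcf5c7790f7c0d4856200aba7d20f956455fa2e",
    "sha3_384": "846ae5591edb955fe6654baf0bce0ee8ff243453eebe50428bbdaa072e5b652ee9a16cacb7870e0526a7eb6c078c062c",
}


def compute_digests(stream, names, chunk_size=1 << 20):
    """Hash a binary stream once, feeding every requested algorithm per chunk,
    so a large sample is read from disk a single time."""
    hashers = {name: hashlib.new(name) for name in names}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def mismatches(stream, listed=LISTED):
    """Return the (sorted) names of listed digests the stream does not match.
    An empty list means the bytes are the sample this entry describes; anything
    else means you hold a different file and none of the vendor verdicts above
    can be assumed to apply to it. Comparison is case-insensitive because
    portals and reports print hex digests in either case."""
    computed = compute_digests(stream, listed)
    return sorted(name for name, expected in listed.items()
                  if computed[name] != expected.strip().lower())


def check_bytes(data, listed=LISTED):
    """Convenience wrapper for data already in memory."""
    return mismatches(io.BytesIO(data), listed)


def check_file(path, listed=LISTED):
    with open(path, "rb") as f:
        return mismatches(f, listed)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        print("usage: verify_sample.py <path-to-sample>")
    else:
        bad = check_file(sys.argv[1])
        print("all listed digests match" if not bad else "MISMATCH on: " + ", ".join(bad))
```

A mismatch on even one algorithm means the bytes differ; a file that matches MD5 and SHA1 but not SHA256 is a different file, not a partially matching one.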


abuse_ch
RaccoonStealer C2:
http://185.225.17.248/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://185.225.17.248/ | https://threatfox.abuse.ch/ioc/223336/
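The C2 URL above is the kind of IOC that gets swept against proxy or firewall logs. The following Python is an added example, not part of the MalwareBazaar page or of abuse.ch tooling; it assumes a constructed log line format of `<timestamp> <src_ip> <method> <url> <status>` and matches on the destination host parsed from the logged URL rather than on a substring, so that the IOC neither matches a longer address that merely begins with the same digits nor fires when the IOC text appears only in a path or query string.

```python
# Added example, not MalwareBazaar code: sweep proxy logs for the C2 listed
# in this entry's IOC table.
from urllib.parse import urlsplit

# The IOC exactly as given on the page.
C2_IOCS = ("http://185.225.17.248/",)


def ioc_hosts(iocs):
    """Reduce each IOC URL to its (lower-cased) host so matching is on the
    destination host, not on a substring of the logged URL."""
    hosts = set()
    for ioc in iocs:
        host = urlsplit(ioc).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def sweep(log_lines, iocs=C2_IOCS):
    """Return (timestamp, src_ip, url) for every line whose URL host is an IOC host.
    Assumed (constructed) log format: '<timestamp> <src_ip> <method> <url> <status>'."""
    wanted = ioc_hosts(iocs)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than guess
        ts, src, _method, url, _status = fields[:5]
        host = urlsplit(url).hostname  # None when the field is not a URL
        if host and host.lower() in wanted:
            hits.append((ts, src, url))
    return hits


# Constructed sample log, not real traffic. Lines 1 and 2 are true hits (the
# second carries an explicit port); line 3 is a longer address that merely
# starts with the IOC digits; line 4 has the IOC only in the query string.
SAMPLE_LOG = [
    "2021-09-18T16:20:01Z 10.0.0.12 GET http://185.225.17.248/ 200",
    "2021-09-18T16:20:02Z 10.0.0.12 POST http://185.225.17.248:80/ 200",
    "2021-09-18T16:20:03Z 10.0.0.40 GET http://185.225.17.2480/ 404",
    "2021-09-18T16:20:04Z 10.0.0.41 GET https://example.com/?q=185.225.17.248 200",
]

if __name__ == "__main__":
    for ts, src, url in sweep(SAMPLE_LOG):
        print(f"{ts} {src} -> {url}")
```

Matching on the parsed host also means the IOC's path (`/`) is deliberately ignored: a stealer check-in to a different path on the same address is still a contact with the listed C2.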

Intelligence


File Origin
# of uploads: 1
# of downloads: 215
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d4a432f1248930343a999a11dbcf5c7790f7c0d485620.exe
Verdict: Malicious activity
Analysis date: 2021-09-18 16:13:46 UTC
Tags: trojan stealer raccoon loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Threat name: Win32.Trojan.DllCheck
Status: Malicious
First seen: 2021-09-18 16:11:07 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon discovery spyware stealer
Behaviour
Modifies system certificate store
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SHA256 hash: 02ca51cfdba274d2df1c3ee291a6018dec004cce0012d0bea0e4406d5a060499
MD5 hash: 8edd8e914c197432324a0af09f8edf64
SHA1 hash: d6ad05102b8f628d3a7fe5646166086b59019f2d
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: d4a432f1248930343a999a11dbcf5c7790f7c0d4856200aba7d20f956455fa2e
MD5 hash: 3c20252381796353e6cf1abb3cfc6e11
SHA1 hash: 7bd5b208b489f3c2c1c5050d74aa6472e6c5750b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
