MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db1de4d90808e799664e79be3591dc635da273dc934337af690f32c3b3644000. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	db1de4d90808e799664e79be3591dc635da273dc934337af690f32c3b3644000
SHA3-384 hash:	968ab9afa4c524ac99bcf366e7a4141e6ee0ff414d94b48ba4d4e7a1654475d4cee67144f9cd1a94a1a81156a20b7015
SHA1 hash:	84678dc89601fc70c585813d9191b261b4da906d
MD5 hash:	3204b67e8038e9ce23dcd273a4bafc7a
humanhash:	maryland-white-blue-ack
File name:	3204b67e8038e9ce23dcd273a4bafc7a.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	467'456 bytes
First seen:	2021-08-25 06:21:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bd3c9edf948deca79ee5e78523f1a042 (14 x RaccoonStealer, 2 x Smoke Loader, 1 x Stop)
ssdeep	12288:XU6rO5V0djDt2MiNqqJA6COevtP7BKTolNgCnODRvcF:X7+ejaNAJZ7ocy84S
Threatray	2'927 similar samples on MalwareBazaar
TLSH	T1B7A41290F7B0C87BC02A45325C92CBB09B7E79526DB0520377D88E9E5F667C0771A3A9
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.234.247.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.234.247.35/	https://threatfox.abuse.ch/ioc/193640/

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3204b67e8038e9ce23dcd273a4bafc7a.exe

Verdict:

Malicious activity

Analysis date:

2021-08-25 06:33:15 UTC

Tags:

trojan stealer raccoon loader

Link:

https://app.any.run/tasks/1ddfe3a9-be17-434e-b0c8-2396b88c9a67

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/182181/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader41.27381.19540.20102.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Connection attempt to an infection source

Connection attempt

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file

Deleting a recently created file

Reading critical registry keys

Delayed reading of the file

Creating a window

Running batch commands

Launching a process

Sending a UDP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2785257f-eb91-400d-965c-11d39d44ad41

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/db1de4d90808e799664e79be3591dc635da273dc934337af690f32c3b3644000/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-24 21:52:35 UTC

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3mo6jwiibdtzszsopg7dleo4mno2e464snbtpl3jb4zmhm3eiaaa._file

Verdict:

malicious

RaccoonStealer

6977a2df32c4fc8b2db35f556fda16abfd724e1c72df6a145589a2158374444a

RaccoonStealer

7357b2864800050c1ad92e4447e1399127a5716fb9d4465d798a53ece929454c

RaccoonStealer

75b4dca03aac6933e4f2f22df735da98c918435c2d09677b183db5416744ecd3

RaccoonStealer

88d792c95b14d7c26498e191ef9ea809e857b56c34381c0c01caca7d3d9e162b

RaccoonStealer

948c35c2c7611793fcc9042c65ca6224829ee9c923efd4e9845ab32857727721

RaccoonStealer

bed57529997a2442dec9acba07587037955ab123d68723b215a3eb52d5ed79d4

RaccoonStealer

cc64a8243582378c46ab8b2f3c69a544fe522934856701756cb612492d59085d

RaccoonStealer

e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25

RaccoonStealer

eb711eee5afe353053bb43ba1f4dc8f3892b471f16c79a28c9bef8f974019fd8

RaccoonStealer

+ 2'917 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:7ae9f477fd3c745797073700f8a38ebc14af615d discovery spyware stealer

Link:

https://tria.ge/reports/210825-sxxwldh9tn/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

2cd991d5d03983d442dd5c47081fed20d2e86f842fdc83b760a8037ac4e6b58e

MD5 hash:

96d44ad0296ee48619a02f74ca49edd7

SHA1 hash:

60954751570973def88de65732d67c8533a4715c

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/0e6ed7d5-5870-4574-b1d8-b08f3033bd86/

Parent samples :

db1de4d90808e799664e79be3591dc635da273dc934337af690f32c3b3644000
57158687581d1bb136eba0e77763cb2d91c3fe967456ac864c65590dc320b84a
06a4dfa73c8fd4a6444bd25d86083b05148674b9efd180e8dff70d4ef796bb5c
6166927dec8a133a202a8b67a57d59f8f9a26a59ab8ea46d0424f07f6df827be
7fae4ffb43200001f2f16a6a2b23a507370fb692c8fa659d3c335fb7a4002277
335331f8cb4fe7e15164289ae62645b31653cf563c61fe45591b5246479903b0
cdd15469adf504c208242ffa61c212b92eb387ddd259b625fa9326af2963e031
9d63d50505f69c1653c84333ea9e08974a740ce52be2626c39ac5f27565d765b
445308d32bb054d994e64af2cf8dd5012ab6de2101ff73fb056a693f8cabb7f7
cde6f548b217193df0994f2ffbc1548623f5f7e34752ce91ac39183dc4617844
e40ba58eddf9ffaa37b20785b54ce2e954eccaf79fc5fb1f6bbef8182762144f
5fb47e4db1c3cdc909383f269870ddbb14fe047ffd5ef2976a081682fdb95883

SH256 hash:

db1de4d90808e799664e79be3591dc635da273dc934337af690f32c3b3644000

MD5 hash:

3204b67e8038e9ce23dcd273a4bafc7a

SHA1 hash:

84678dc89601fc70c585813d9191b261b4da906d

Link:

https://www.unpac.me/results/0e6ed7d5-5870-4574-b1d8-b08f3033bd86/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/db1de4d90808/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/db1de4d90808e799664e79be3591dc635da273dc934337af690f32c3b3644000

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers