MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec
SHA3-384 hash: ca69032098789ee5449b3f3c8dbb0e85932de2ca477a43fc6d6aaa7450edd1f1d90279a8f87dc2fc7ae43e06ca7969ee
SHA1 hash: ab041e3d61f2a0e2547540c954bc92a414549fca
MD5 hash: 8df4e4b82a003763fef62bc117198ace
humanhash: earth-october-emma-spaghetti
File name:8df4e4b82a003763fef62bc117198ace.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:525'824 bytes
First seen:2022-03-23 07:21:02 UTC
Last seen:2022-03-23 09:17:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e9e661dd76e5830aa3e10f8bf0c4c (5 x Stop, 2 x RaccoonStealer)
ssdeep 12288:8nGlJOXElSXwElS3EZu8BJEnxvv770sq8ibNAzJvn:8ngJWAElnZVAxvXiBQl
Threatray 6'474 similar samples on MalwareBazaar
TLSH T183B412127A40C537C81618302565C3622BAE7C7F166384837F98A71E6F317E6E5BEB4B
File icon (PE):PE icon
dhash icon 5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://103.155.93.229/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://103.155.93.229/ https://threatfox.abuse.ch/ioc/440087/

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/255388/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39322894.15794.7752.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
DNS request
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10695/overview
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/623aca6ab94fb38cb4d73cbd/reports/207fd466-794f-432c-9a9d-8e12c9091dd2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb46b469-80fe-4354-b57e-dccb2e096028
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962458
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 23:13:58 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3uw3tp5ekabdowxqfcwabsq3lygb3mykcfwcdswcwtdvznh7tlwa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
14eb78c6d9f873f43e453ca56c4d9d1ffbb03ee79fddb87cadeef59626299b6a
RaccoonStealer
20cdfc02c239254853f4915308b81aa9823916b8cd6eaa02b3c1a19b67b36e38
RaccoonStealer
2631bb84e6e34dd72aca532864d09e51d161c687ae3f5e495c16a2fded1213aa
RaccoonStealer
2f4d23f1d9f7cc7f090eeb0c6a9c459cdf94db5739cff072f848f9bc9f7358f7
RaccoonStealer
3c072e8447a090783007f41a0293c619b455742d4d1b35011eb112a1b8cc2e12
RaccoonStealer
9d30503fc799e14b88937b30600aef9ab65b8bd9a4b9707f1135b3292a5a2b9d
RaccoonStealer
bab33596106fd683cb7190eedfb32a219fffc5691bed72c151893b3270f06c09
RaccoonStealer
bd0f4b38b5f2edfdaf836e9d4642488de3fe04f3e855826408cbc31f1bda138a
RaccoonStealer
c9894dc1091f69ddf411b90853eaf2a4447e20b5a3f7dae5a6997c5c03b470fc
RaccoonStealer
+ 6'464 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:4b8853263bfbfde368561fd97dd96c93b6b91e4f stealer
Link:
https://tria.ge/reports/220323-h6qk5shde6/
Behaviour
Modifies data under HKEY_USERS
Raccoon
Unpacked files
SH256 hash:
a35a7bc0683a747b96e34d35346f6357dfcec7fa883a7f3d9c1270a44119400a
MD5 hash:
6f82e26086f750bd745a35601efa6451
SHA1 hash:
404efb41831c48d76bc92e8763a51e4055f4b9ae
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/f59936a1-2581-41f3-acdd-ee238497e9bf/
Parent samples :
3c072e8447a090783007f41a0293c619b455742d4d1b35011eb112a1b8cc2e12
2631bb84e6e34dd72aca532864d09e51d161c687ae3f5e495c16a2fded1213aa
e14e3ba37274e5efe932d789e8e24e20c7c21ad852978df80bb9392f5acf238e
0a7dcaf9e64345aeb5abd12728983253beacd114e4dbe2b3f5addfb7f198d854
cdc3c8092da2ff6ac49b6097aea6afb00439eb1638150042f78b561b6fa2d512
dbe977eb38b4307dcadcc923553535f94f762b91dd28eb11d27cdd6b8f9eab4f
84862dd214cf92e7ba589fda632e1a7d1748341da19ed2d4cc56029f8a1bb6ce
65fa28bc56a1b8132aede30afcb70685f90cfccd32f899ffda736b1b4f46144c
c9894dc1091f69ddf411b90853eaf2a4447e20b5a3f7dae5a6997c5c03b470fc
772b0096bf5c9bb9c71a7ea2ba9a631a80b115134f1d480c08af549fb6f90d87
bd0f4b38b5f2edfdaf836e9d4642488de3fe04f3e855826408cbc31f1bda138a
bab33596106fd683cb7190eedfb32a219fffc5691bed72c151893b3270f06c09
dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec
3816d18b6f051f046a039ee937185509c8c3326f2842ba04de9d81e4e6ca7de5
bdff4c55eb7dd5a7d125a3629189c26ad2a3f1145a1801c4ba871e144a520895
f09393a0c14c0c4560743e75e59a025aff474c1f27eddd08f19d0ecea80b0988
8406f862c281a32094311d40f1cc275666ea3c368b9607db4ebb91b9cf9b5d3b
6c58e340f883a4f80f9fb47658671fecfd6bb2db2766326e6e360f8e495896c1
329cb82245c769af6159fde26e4bdb1831a0c0a7d16b9be24501fbe973563463
bdb06abce0a193e24ecb55cbda52963d6fbeb5b4c9efb8b45d588aef2ba7b943
d381f45d013f6b50a2be84d5d21f4743bf4271b789e3e81d5cf3b6fd3071ea20
353057209b0d75d63612db91a802368735d5954667946584e1ad0f6f84a892d2
17e503aef3804c0513838fb4ae3e00f323b1260bf753d99dbf0ae415ba54de11
90608df647f490150050db8a8cbcc66d15166957f53882a732699f78a939656b
SH256 hash:
dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec
MD5 hash:
8df4e4b82a003763fef62bc117198ace
SHA1 hash:
ab041e3d61f2a0e2547540c954bc92a414549fca
Link:
https://www.unpac.me/results/f59936a1-2581-41f3-acdd-ee238497e9bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe dd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2110505/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/255388/

Comments