MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 5 File information Comments

SHA256 hash:	fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3
SHA3-384 hash:	87b4585628e414470f94171d403704994e50bf9eb0cc0e067920d4595a59a291a034e1c59474ddfdbddb26ce23e4a6ac
SHA1 hash:	9d67400fb5818a6c573c36eac8650458d7f1d07e
MD5 hash:	af175128a823db1274fc244d8f5a46bd
humanhash:	pizza-mississippi-avocado-princess
File name:	fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	17'433'353 bytes
First seen:	2021-08-24 19:02:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (277 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	393216:7Q4l1FoGr1o4X3LKq/LnF+aOeuKAxt9zpaz3y6Jqx5mDsLOVEi:7Q4l1Fo455LnVupJpa2ADsKVT
TLSH	T1F80733E14230E26EE3796C7C3CA5953FFB785CE25A4E37170F84B4C6A6786C92A14493
dhash icon	da39309a9891d1d9 (1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.234.247.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.234.247.35/	https://threatfox.abuse.ch/ioc/193640/

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4.exe

Verdict:

Malicious activity

Analysis date:

2021-08-24 19:03:06 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/c5b6e791-fcee-4f84-a9fb-fb7001f8c917

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Troj.Inject-EAO.957.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Sending a custom TCP request

Sending a UDP request

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Connection attempt to an infection source

Connection attempt

Sending an HTTP POST request

Query of malicious DNS domain

Sending a TCP request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/21d855d7-401d-4c2d-9656-99d825850f96

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/838545

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected VMProtect packer

Found malware configuration

Hides threads from debuggers

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction which cause usermode exception

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3/

Threat name:

Win32.Infostealer.Racealer

Status:

Malicious

First seen:

2021-08-23 20:45:00 UTC

AV detection:

4 of 28 (14.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7qigdhd4w225425i6wh5h74isbc6657kjtpe3z6f6mj5x3y2ppbq._file

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:6f477b98912ea3958a37585999397f4fbda5dc46 stealer vmprotect

Link:

https://tria.ge/reports/210824-t9vmyb2smx/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Loads dropped DLL

VMProtect packed file

Raccoon

Raccoon Stealer Payload

Unpacked files

SH256 hash:

95f1ceb978718dc6172701c3490508c7c5392f4812d8a47edc6193cead8e30bf

MD5 hash:

08f37819ed3bfbc36072e66e1bb3556d

SHA1 hash:

7a8c95bd14be06fdd683390bff41f744d5e5f481

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/d48d9daf-2100-4d92-a223-4987e5cf04e1/

SH256 hash:

26436acc3c48a8c5cd765a9ee36f510235818f016c13e31946f6713a56569cfc

MD5 hash:

07bfef1c974aa64cb6300ffea0cdf50c

SHA1 hash:

78fa3b94c8c1619d1525c8f9b58ff474910fb144

Link:

https://www.unpac.me/results/d48d9daf-2100-4d92-a223-4987e5cf04e1/

SH256 hash:

fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3

MD5 hash:

af175128a823db1274fc244d8f5a46bd

SHA1 hash:

9d67400fb5818a6c573c36eac8650458d7f1d07e

Link:

https://www.unpac.me/results/d48d9daf-2100-4d92-a223-4987e5cf04e1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fc10619c7cb6b5de6ba8f58fd3ff889045ef77ea4cde4de7c5f313dbef1a7bc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample