MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a814a1f3ef52e8379da69712873c881699ead13f7ab737f875638313123d181. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a814a1f3ef52e8379da69712873c881699ead13f7ab737f875638313123d181
SHA3-384 hash: d31d3de87064e56cd0e33e2a8ffa3b0715f38aa9f7692bd0d8855774cdc29f46b50b7d4571831f82536c0c71f06c8222
SHA1 hash: 07cc5b1fdc0f607183ccc506e835800ee4985228
MD5 hash: 52a66d7cf126d1274107350e43f4337b
humanhash: red-oven-bluebird-nevada
File name:0A814A1F3EF52E8379DA69712873C881699EAD13F7AB7.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:12'639'119 bytes
First seen:2021-09-05 11:06:18 UTC
Last seen:2021-09-05 12:17:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 196608:5utpW72KEhMq2zUS+Wdr+qPYoatl0+t/7I9K6Td+70oeQNEZhp7LdCQMGjwQM7lt:Y62HhM9JXdKqPQzcY6k7uQEF7Ejlrcs
Threatray 6'194 similar samples on MalwareBazaar
TLSH T1CBD62317F398553EC4AA27354673A25068FBFAA9F417AE1A67F0C54CCF351C00E3A6A4
dhash icon cc30f0f4b0b2d070 (2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.173/ https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0A814A1F3EF52E8379DA69712873C881699EAD13F7AB7.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-05 11:09:06 UTC
Tags:
installer
Link:
https://app.any.run/tasks/73913bca-865b-48c3-83da-1ac3890a4369

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185438/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
DNS request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Sending a UDP request
Deleting a recently created file
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Enabling the 'hidden' option for files in the %temp% directory
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/096fd00e-2c16-4eb1-8e5e-0c2e4c25725d
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845528
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477959 Sample: 0A814A1F3EF52E8379DA6971287... Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 71 www.ytddownloader.com 2->71 73 elb-web-prod-800824085.eu-central-1.elb.amazonaws.com 2->73 99 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->99 101 Multi AV Scanner detection for domain / URL 2->101 103 Found malware configuration 2->103 105 6 other signatures 2->105 11 0A814A1F3EF52E8379DA69712873C881699EAD13F7AB7.exe 2 2->11         started        14 explorer.exe 12 2->14         started        16 explorer.exe 2->16         started        signatures3 process4 file5 69 0A814A1F3EF52E8379...81699EAD13F7AB7.tmp, PE32 11->69 dropped 18 0A814A1F3EF52E8379DA69712873C881699EAD13F7AB7.tmp 5 14 11->18         started        21 chrome.exe 14->21         started        24 ytd.exe 16->24         started        process6 dnsIp7 51 C:\...\is-KIS10.tmp, PE32 18->51 dropped 53 C:\...\aFCDKiW1DOxXjGm.exe (copy), PE32 18->53 dropped 55 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->55 dropped 57 2 other files (none is malicious) 18->57 dropped 26 aFCDKiW1DOxXjGm.exe 7 18->26         started        30 YTDSetup.exe 19 119 18->30         started        75 192.168.2.1 unknown unknown 21->75 77 239.255.255.250 unknown Reserved 21->77 33 chrome.exe 21->33         started        79 www.ytddownloader.com 24->79 81 www.google.com 24->81 83 5 other IPs or domains 24->83 file8 process9 dnsIp10 59 C:\Users\user\AppData\Local\...behaviorgraphuiHelper.exe, PE32 26->59 dropped 111 Contains functionality to register a low level keyboard hook 26->111 35 GuiHelper.exe 13 26->35         started        38 cmd.exe 1 26->38         started        89 elb-web-prod-800824085.eu-central-1.elb.amazonaws.com 35.158.225.62, 443, 49706, 49710 AMAZON-02US United States 30->89 91 www.ytddownloader.com 30->91 61 C:\Program Files (x86)\...\Uninstall.exe, PE32 30->61 dropped 63 C:\Users\user\AppData\Local\...\nsisdl.dll, PE32 30->63 dropped 65 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 30->65 dropped 67 21 other files (none is malicious) 30->67 dropped 40 explorer.exe 1 30->40         started        42 explorer.exe 30->42         started        93 stats.l.doubleclick.net 108.177.119.155, 443, 49732, 49772 GOOGLEUS United States 33->93 95 clients.l.google.com 142.250.203.110, 443, 49713, 56583 GOOGLEUS United States 33->95 97 16 other IPs or domains 33->97 file11 signatures12 process13 signatures14 107 Contains functionality to steal Internet Explorer form passwords 35->107 109 Maps a DLL or memory area into another process 35->109 44 GuiHelper.exe 35->44         started        47 conhost.exe 38->47         started        process15 dnsIp16 85 telete.in 195.201.225.248, 443, 49778 HETZNER-ASDE Germany 44->85 87 94.158.245.173, 49779, 49784, 49785 MIVOCLOUDMD Moldova Republic of 44->87 49 WerFault.exe 44->49         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a814a1f3ef52e8379da69712873c881699ead13f7ab737f875638313123d181/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 05:09:59 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkauuhz66uxig6o2nfysq46iqfuz5lit66vxg74hky4dcmjd2gaq._file
Verdict:
malicious
Similar samples:
00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7a6a24f9bc07388b4a27beba0b2c25c4c7800d3e707e0959ff667b431722ad17
RaccoonStealer
7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026
RaccoonStealer
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
RaccoonStealer
90ca9c7f8b656d2104a812ce9ba2625c1ab3b6ae346df7e6f01c838bf8990bda
RaccoonStealer
cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269
RaccoonStealer
e6b35d9156c1b830d000926b8dd12fe13185fa2e910692969215bf707686b595
RaccoonStealer
+ 6'184 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:e2b58b2c24d80fcfd249021c5a21ac97c09e40a1 stealer
Link:
https://tria.ge/reports/210905-m7zyesheh4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Raccoon
Raccoon Stealer Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
7233ac619175e5cfd0fd286d70bd3f9d240acc89f53cb715f5c2574d971c4bc4
MD5 hash:
2d1bc64ba2041aab72fe14ecb7335983
SHA1 hash:
68ecbbf1e5e60e97248c1852ceea132ee796f3eb
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
Parent samples :
7a6a24f9bc07388b4a27beba0b2c25c4c7800d3e707e0959ff667b431722ad17
90ca9c7f8b656d2104a812ce9ba2625c1ab3b6ae346df7e6f01c838bf8990bda
0a814a1f3ef52e8379da69712873c881699ead13f7ab737f875638313123d181
SH256 hash:
9a4bd2803c7f45d7384f5b7bf93512badd59ff266071eb5a1900b09895121716
MD5 hash:
a7100326ce454c6756f007a2ea8ea85d
SHA1 hash:
d5444417e1c4fcd83c710498d4c240292577f690
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
d7f8e6800f2c87fec75824e2adf9f366dea1f25dcf3bf6259d54de14491227ee
MD5 hash:
2e60f28b8b3e8e148fc5b19e65c70056
SHA1 hash:
d12e1b540e5d4498c7cded85f5d8f9433ea5508e
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
960bc049970c738fbec8c408d34d8076879f15d799cfee36e2593ce81e3dd5a4
MD5 hash:
a673d2ce0cd846fcd34e93c856b8e705
SHA1 hash:
98f0a32a3679b71ae1d7be232be7be5551e97dfb
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
a084a021d7c3a669a752ed124f004b2d8e5a3d546468cbae1acef4845028a454
MD5 hash:
8304305931f0168119fbf272537cefbf
SHA1 hash:
d5773ad9e53e39453a8c09e4c063627c3f31563c
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
13f383aad2abc20d21e8696691c9a41ecd8510d15ae1a259bfd8d8f82b2b3b6c
MD5 hash:
daac3b058093a8d671ad7d87b705b871
SHA1 hash:
eb2666374c2c894cf14b6be5ce417c954c06ba19
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
67e1f4f25e05f2c6caa1e18914716e13069c2e73579a28896b5988d3add5d0e0
MD5 hash:
acd4f074c6b0ba18dd5e42232c9cb675
SHA1 hash:
567a3d3380ca1aba9268ed48d23697eb5dc1f9b5
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
83f8ce3cf6df382c79c35516a7da9aa95dea45622c9226ff550cb73536bdd8dc
MD5 hash:
c617ce8406f48d165c0ae447fcaf3137
SHA1 hash:
0ce45a93ccbafc0df63d72d78c5f47883ad4f594
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
SH256 hash:
0a814a1f3ef52e8379da69712873c881699ead13f7ab737f875638313123d181
MD5 hash:
52a66d7cf126d1274107350e43f4337b
SHA1 hash:
07cc5b1fdc0f607183ccc506e835800ee4985228
Link:
https://www.unpac.me/results/da4b958b-12b0-4071-abbc-dbe3341cbbc8/
Malware family:
Raccoon v1.7
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0a814a1f3ef5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a814a1f3ef52e8379da69712873c881699ead13f7ab737f875638313123d181

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185438/

Comments