MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af
SHA3-384 hash: 6909d73b89435be228dadf729c1999c290c2b9fec60c121562a55625ccc811e971617e13c2b554f5148255fefde3fac1
SHA1 hash: 1ca5d77915290794f73bb521a0ff0734bffcdce5
MD5 hash: 887192b1fd38962b73f3fb1d0d765d71
humanhash: one-oscar-purple-papa
File name:887192b1fd38962b73f3fb1d0d765d71.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:547'328 bytes
First seen:2021-11-08 12:16:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1d7987a638c820f79c0e265e27eaa61 (4 x RedLineStealer, 4 x RaccoonStealer)
ssdeep 12288:Pcl7FS/g+xU+gD7LCWeFtzeBu3Oo1qpoy9TfBqagunnn7s:eZ0e56tzeM3OoizRrA
Threatray 4'098 similar samples on MalwareBazaar
TLSH T1AFC4E1F1B6A8D834D0532E3888658AA11A377C61D7209126F774779F2E73BCC95E231E
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.182/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.182/ https://threatfox.abuse.ch/ioc/245154/

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/203276/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.2957.1554.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61891540a00afa9663a0c1ac/reports/25c345cc-91d2-4c7f-ad0e-4e0b6ebadecc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d54503b5-7327-4b33-bc42-c6ca8f582166
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885229
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found detection on Joe Sandbox Cloud Basic with higher score
Machine Learning detection for sample
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af/
Threat name:
Win32.Trojan.Krypter
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 12:17:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4w3sg23lapds7tzhs72ivbw5ifbhjgltkttjs4caieprp42kgxq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
3bd87df107b7f796664419c54716ea4dc9a2c6a4b34efa85eb1eb75f6458b13b
RaccoonStealer
3d3bdfa63f14658e164027af06ac4728891f5025fadddac2f2f6debb4021d531
RaccoonStealer
545e5ac7b0c4568049dd33037de46e8a006845563bda516818ad4e4464d580fe
RaccoonStealer
71c8ba3bff2028ae1586c04850560d0d11711f166b4713604c65bb68db07e03a
RaccoonStealer
8136e992f634fec74c2c923edc4cf43ab8601dd3dc229bb3fde7d798e644beae
RaccoonStealer
8f4d56c333b5b0b743a6dcdc6d6954adfdde2fc5219b8c45987202445ecdfc9c
RaccoonStealer
ab9a992f805bce47b17d65b705612b2c88d55beafd9714c5a278be7ee09e1d58
RaccoonStealer
b7b037355cc6e9dc7f9c665f1ea987bafed82a4825409a5d05cde15c6d243dff
RaccoonStealer
dded956a99823dc3d87aafa2764e9a561eb9df6b571251f118468052143d76cc
RaccoonStealer
fc6b841e6c753eeebf0d7cc8820cd3c6fcbeb40fc4d2c4d9a8bf9d3f0907fb76
RaccoonStealer
+ 4'088 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:243f5e3056753d9f9706258dce4f79e57c3a9c44 stealer
Link:
https://tria.ge/reports/211108-pf2daahbgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
181bbb28e9335af8d92e0faf0da7ae19ad664f9c855841d6bc89d73f3d125027
MD5 hash:
a5a90453b002438070f319627cfe374e
SHA1 hash:
65adabe7ea17a30c6a701abe3515bd2ca8ff6757
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/200206f4-253d-4c85-b12b-e96c86e28f98/
Parent samples :
6373657d8707b7051ba7f51ad64cf4f609fa9f3f724767d90c6c925d68b19f5f
406e554133aaa471bbb6fee0d5de06a937a53073d2a97117a768612388bdeefd
51ec139872ee667e1b93e579dec1f76ca58aad1da36e5f4ca331100a34cc1e9d
18766c4e4e8161f71cfcb98a700ad53866a75d29fb67898e866e0bbc0d95bba8
b7a9dde08c301151706450934b914bfdbbffe7743847551dcd36fc1e5780652b
0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af
596e838294aa3618fd5a6e8d71ae615f549a9df857745c41515134f748f68ef3
SH256 hash:
0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af
MD5 hash:
887192b1fd38962b73f3fb1d0d765d71
SHA1 hash:
1ca5d77915290794f73bb521a0ff0734bffcdce5
Link:
https://www.unpac.me/results/200206f4-253d-4c85-b12b-e96c86e28f98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 0f2db91b5b581e397e793cbfa45436ea0a13a4cb9aa734cb820208f8bf9a51af

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1738451/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/203276/

Comments