MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1913b6aaeed7f9995e367a45bf37de622afe7f9cb796f23c7b5be6d7d4092d2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 9



SHA256 hash: 1913b6aaeed7f9995e367a45bf37de622afe7f9cb796f23c7b5be6d7d4092d2e
SHA3-384 hash: f2a21d0c924cf04b589c4945f7c7e429ecb2117efbfe45000503ae06c1f825679feb2ec710f4819161ec9619995f19e9
SHA1 hash: 345c86dbb704cc57be733c157fa6b55a36736440
MD5 hash: a8760316322c1bd7a8e784b38121e957
humanhash: freddie-india-table-south
File name: a8760316322c1bd7a8e784b38121e957.exe
Signature: RaccoonStealer
File size: 510'976 bytes
First seen: 2021-07-23 18:40:49 UTC
Last seen: 2021-07-23 20:00:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 77ea83f3db2bce57a4cf8f786a999acd (10 x RaccoonStealer, 6 x RedLineStealer, 4 x Smoke Loader)
ssdeep: 12288:OIi4abPz1NQ1H4qbuHVg0C0W78NHJunBPA:OIvsBNQ1gDm87SBPA
Threatray: 2'427 similar samples on MalwareBazaar
TLSH: T114B40121F870C871D4940A314CE5C2B476EDBC227E75DD07368B3B2E7E712D2A66929E
dhash icon: 48b9b2b4e8c18c90 (8 x RaccoonStealer, 3 x DanaBot, 1 x CryptBot)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://185.234.247.50/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.234.247.50/
ThreatFox reference: https://threatfox.abuse.ch/ioc/162348/

Intelligence


File Origin
# of uploads: 2
# of downloads: 155
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a8760316322c1bd7a8e784b38121e957.exe
Verdict: Malicious activity
Analysis date: 2021-07-23 18:42:56 UTC
Tags: trojan stealer raccoon loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Clipboard Hijacker Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID 453425; sample mhlmEIby75.exe; start date 23/07/2021; architecture WINDOWS; score 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 4 other signatures

Process tree (with per-process network, dropped files and signatures as recorded in the graph):
  mhlmEIby75.exe
    network: telete.in (195.201.225.248:443, HETZNER-AS DE, Germany); google-analitics91.com (8.208.12.147:80, CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, Singapore); 185.234.247.50:80 (INTERKONEKT-AS PL, Russian Federation)
    dropped: C:\Users\user\AppData\...\kUC5Wevyek.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 57 other files (none is malicious)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
    kUC5Wevyek.exe
      dropped: C:\Users\user\AppData\Roaming\...\sqlcmd.exe (PE32)
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; Contains functionality to compare user and computer (likely to detect sandboxes)
      schtasks.exe
        conhost.exe
    cmd.exe
      conhost.exe
        conhost.exe
      timeout.exe
  sqlcmd.exe
    schtasks.exe
      conhost.exe
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-07-23 18:41:06 UTC
AV detection: 19 of 46 (41.30%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: 10db9fbf9d30f257b7b341b60764f92205d216b091d7e996b390e56e27fb2452
MD5 hash: fe718ffbfbb671216cbb600108aeed8e
SHA1 hash: d9bc3c168e0c8760dacf98e808060eb60ae493e4
Detections: win_raccoon_auto

Parent samples:
SHA256 hash: 1913b6aaeed7f9995e367a45bf37de622afe7f9cb796f23c7b5be6d7d4092d2e
MD5 hash: a8760316322c1bd7a8e784b38121e957
SHA1 hash: 345c86dbb704cc57be733c157fa6b55a36736440

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer.

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type: Executable exe
SHA256 hash: 1913b6aaeed7f9995e367a45bf37de622afe7f9cb796f23c7b5be6d7d4092d2e (this sample)
Details: Distributed via web download

Comments