MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eb4b2a30f7d2822fc91b6ead0a0524d381a17cf0cba9603fa3779aff8894e6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 2 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1eb4b2a30f7d2822fc91b6ead0a0524d381a17cf0cba9603fa3779aff8894e6d
SHA3-384 hash: 85a95778ef73a9e06dcf646d697982db09721bdd1637d79b2abcb5fbfc45f923ab1cc68fd5c13d71704eb7fb67e7b80a
SHA1 hash: cdec9c7bad714149e6a5b10a9f5931fea457ac32
MD5 hash: eb4c908bf4649374644662ac2e50f7e9
humanhash: seventeen-hot-tango-floor
File name:eb4c908bf4649374644662ac2e50f7e9.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:326'144 bytes
First seen:2021-06-07 05:40:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae370f16f6a6d27930c9e57eb3cdd8c7 (1 x RaccoonStealer, 1 x CryptBot)
ssdeep 6144:GCoXy+nmbTTODbnlNLpodnF2e9VtGt9AO/6Dwk6qtaE2pi:GCoXy+nmbvuNLpefRGtK2wwtY
Threatray 41 similar samples on MalwareBazaar
TLSH 3E64AE01A7E0C034F6F326B4497593B9A93E7EA06F24D1CF62C52AEA56746E0EC70717
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://nimcqe72.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://nimcqe72.top/index.php https://threatfox.abuse.ch/ioc/72117/
http://morzcm07.top/index.php https://threatfox.abuse.ch/ioc/72118/

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payload Dropper.exe
Verdict:
Malicious activity
Analysis date:
2021-06-06 17:31:30 UTC
Tags:
evasion opendir loader trojan rat redline phishing
Link:
https://app.any.run/tasks/78fc4257-4bbf-46ae-9042-c2b2771bb1e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164816/
Detection(s):
Win.Packed.Filerepmalware-9869115-0
Create hunting rule

Win.Packed.Filerepmalware-9869146-0
Create hunting rule

Win.Packed.Ransomx-9869238-0
Create hunting rule

Win.Malware.Filerepmetagen-9869269-0
Create hunting rule

Win.Malware.Generic-9869276-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/797964
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1eb4b2a30f7d2822fc91b6ead0a0524d381a17cf0cba9603fa3779aff8894e6d/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-06 17:15:41 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d22lfiyppuucf7erw3vnbicsju4buf6pbs5jma72g54276ejjzwq._file
Verdict:
unknown
Similar samples:
081d46c9eae290ad95937c1e87ac2fbae0b345ca7d00a4fe7d5ed8384d200ac7
RaccoonStealer
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
RaccoonStealer
43eb032fa36ff0b40420df7d5fa121910ec02ba7ba03581a5a7188939ddc24ee
RaccoonStealer
533ae8a3da85287304c89e2758f9bd5e54c586b2c13a152e34033d1884eb7d16
RaccoonStealer
604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004
RaccoonStealer
9459c29cbd2a32118375f6476421a3df233c80c289a163793d560f8b7c693848
RaccoonStealer
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
RaccoonStealer
a17bb3e305532ac8e6dd2785ae50cf5f18a3de6a9ea2a4b75ea841b66ba94509
RaccoonStealer
a5e79ae2f930e6ae8ba7057f14c5b96a7962c0720ddd040a655e59c8dae4b959
RaccoonStealer
c70a67a13b5977d741ed50e16b2a6817b8280cd28254ad01a562e0c114757652
RaccoonStealer
+ 31 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:raccoon family:redline botnet:28198d4512d0cf31c204eddceb4471d79950b588 botnet:mix 07.06 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210607-pxw968qrmx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Raccoon
RedLine
RedLine Payload
Malware Config
C2 Extraction:
olmrso12.top
morleg01.top
185.215.113.17:18597
Unpacked files
SH256 hash:
dadd86d1728d11492e1d9f0551505ec390a2d1a5c2e85895a23f908cf552b5e5
MD5 hash:
3ca0eb6b633d515e9769d107e7997c41
SHA1 hash:
165d3b8e0584ac5eafda622b516467ddf1e16429
Link:
https://www.unpac.me/results/ce494dc9-3034-43c0-aa46-b5c288873b08/
SH256 hash:
1eb4b2a30f7d2822fc91b6ead0a0524d381a17cf0cba9603fa3779aff8894e6d
MD5 hash:
eb4c908bf4649374644662ac2e50f7e9
SHA1 hash:
cdec9c7bad714149e6a5b10a9f5931fea457ac32
Link:
https://www.unpac.me/results/ce494dc9-3034-43c0-aa46-b5c288873b08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1eb4b2a30f7d2822fc91b6ead0a0524d381a17cf0cba9603fa3779aff8894e6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 1eb4b2a30f7d2822fc91b6ead0a0524d381a17cf0cba9603fa3779aff8894e6d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1288301/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164816/

Comments