MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac315d081c5f415b514924f875a97c8e7a74d94a2610a079e4ccb66f9251ea7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ac315d081c5f415b514924f875a97c8e7a74d94a2610a079e4ccb66f9251ea7
SHA3-384 hash: 65519c4bca381765dfa2b351456a98784b26ba9bf0347e5d7454a7b77d9ad84cda23854dece234c1c60299d0b137e0c1
SHA1 hash: 4d131741e773202e047962a96c596b1254935932
MD5 hash: 0ebed841879c82faf8bdc8b1f3980ae2
humanhash: network-zebra-grey-bravo
File name:0EBED841879C82FAF8BDC8B1F3980AE2.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:581'632 bytes
First seen:2021-06-26 04:25:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 76567453f097005b8c49393a915ef4ba (2 x Stop, 1 x RaccoonStealer)
ssdeep 12288:ZUT3hHJ1U5btAzESANlli+1rzvE8rYCpyg8LH9fEzTlG:ZA39JpzaNz/1rYiLU6A
Threatray 877 similar samples on MalwareBazaar
TLSH 9EC4D000A7A0C0B5F4F332F899BA9E65A5ED7EF0672550CF62D51AEA16345F0AC31327
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://35.184.88.98/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://35.184.88.98/ https://threatfox.abuse.ch/ioc/153758/

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0EBED841879C82FAF8BDC8B1F3980AE2.exe
Verdict:
Malicious activity
Analysis date:
2021-06-26 04:28:05 UTC
Tags:
trojan stealer raccoon
Link:
https://app.any.run/tasks/a31983dd-5bf2-455f-bba1-f5466736b59f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168415/
Detection(s):
Win.Malware.SmokeLoader-9871566-1
Create hunting rule

Win.Malware.Pwsx-9871572-0
Create hunting rule

Win.Dropper.SmokeLoader-9871586-1
Create hunting rule

Win.Malware.Pwsx-9871588-0
Create hunting rule

Win.Malware.Pwsx-9871633-0
Create hunting rule

Win.Dropper.SmokeLoader-9871648-1
Create hunting rule

Win.Malware.SmokeLoader-9871694-1
Create hunting rule

Win.Malware.Bandook-9871784-1
Create hunting rule

Win.Packed.Pwsx-9872818-0
Create hunting rule

Win.Dropper.Raccoon-9874076-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8818dcb8-5385-476d-9d29-097a4bb513dd
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/808381
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infostealer behavior detected
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ac315d081c5f415b514924f875a97c8e7a74d94a2610a079e4ccb66f9251ea7/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 18:50:02 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlbrluebyx2blniusjhyowuxzdt2otmuujqqub46jtfwn6jfd2tq._file
Verdict:
malicious
Similar samples:
137026a259166724d41d797fc3a5fd8ba40c30e9eab4e71db7ab8ad54747a77a
RaccoonStealer
30b7b720ba1630d9824263b22c33e2096a6075cea04ec5bad6f4dddee6fe5daf
RaccoonStealer
4894737e39bed32d36471801a3169e5b4c8214aefa590823993ed75106b70066
RaccoonStealer
6cbdf9b7e12a7a43a809caf6750a896454c4d81212fc4444e11e2acd9f3b78ba
RaccoonStealer
70f2ed4c1b72485f588dfa0465242b10735ca5579b9d10d66043113b3dee4e11
RaccoonStealer
789e58502db7458fefcde8f8f920dfbf9299461146828ddba1b57d191b07e9c9
RaccoonStealer
9210151bfb27a527ae40037e48e5598f4029690d4f48a276fe895f012b2ba440
RaccoonStealer
a22ce71be55494c6df6acc23d6d90152d8a2f5f57a3b79d1d2347f71c43ff28c
RaccoonStealer
b751a245f558db84cf77e46e473073e2dd23fbde9f9d150d63e525bbf4b88e8c
RaccoonStealer
b82b210a1ead0d52042310991c59e3417ea2606f00591b7bd4440e8d23d31f88
RaccoonStealer
+ 867 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210626-v4lcx6nkn6/
Behaviour
Modifies system certificate store
Unpacked files
SH256 hash:
563e287fab45f375fe269fd3489f75da5aaf0f729a6bd6b9739b250939c6d340
MD5 hash:
067ee76aeed78295fbdb41a3332a6cc0
SHA1 hash:
9e76494fcc0955211b529ee93e3feeb1262242f8
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb4cd1a8-a3c0-41e6-87c2-5acbf624a32e/
Parent samples :
6cbdf9b7e12a7a43a809caf6750a896454c4d81212fc4444e11e2acd9f3b78ba
3ac315d081c5f415b514924f875a97c8e7a74d94a2610a079e4ccb66f9251ea7
SH256 hash:
3ac315d081c5f415b514924f875a97c8e7a74d94a2610a079e4ccb66f9251ea7
MD5 hash:
0ebed841879c82faf8bdc8b1f3980ae2
SHA1 hash:
4d131741e773202e047962a96c596b1254935932
Link:
https://www.unpac.me/results/bb4cd1a8-a3c0-41e6-87c2-5acbf624a32e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ac315d081c5f415b514924f875a97c8e7a74d94a2610a079e4ccb66f9251ea7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168415/

Comments