MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8
SHA3-384 hash: 2517df35cb48bc1a65dfacb16e8f2ebcaa31de1ec370ad417d1637b6b2bdb0798de106386bd986daf41615902bc42d1b
SHA1 hash: e8f9c998e9ec5e4360461c89c993caf566d08164
MD5 hash: 85a913fc008f6f650e9160157552af88
humanhash: fix-social-pluto-utah
File name:85a913fc008f6f650e9160157552af88.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:459'776 bytes
First seen:2021-03-25 11:03:21 UTC
Last seen:2021-03-25 12:42:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d0fb6a9cd0350f8c1dc179cb6c71fe47 (5 x DanaBot, 2 x Loki, 2 x RaccoonStealer)
ssdeep 12288:N1hm1xjmPp5l1TajVHADMaoT3CTVKZ0IoL:NX3l1TajVKMNCTVKWN
Threatray 685 similar samples on MalwareBazaar
TLSH D3A4F111B6B1C037E96246794459C2B14F3AFCB65B3457C737D16BAC6E322E28B32392
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85a913fc008f6f650e9160157552af88.exe
Verdict:
Malicious activity
Analysis date:
2021-03-25 11:11:49 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/4be5f2f4-513c-48b1-a69d-e8143bcbc5d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Raccoon-9846892-1
Create hunting rule

Win.Malware.Glupteba-9846893-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/653786
Signature
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8/
Threat name:
Win32.Trojan.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 11:04:07 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iupzdrj7vyu756ouaw43aes6ug6vmhba6k4qwjxwbgqk3nfovgua._file
Verdict:
malicious
Similar samples:
40aa3ed3056a334717d50933026aace5847a379b8179178d00928ef1faf55f3d
RaccoonStealer
58813f984233cfb9eef1c9abefa7f58e96989dd9d6ebd903d40dc2cf3d56c5e8
RaccoonStealer
596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f
RaccoonStealer
6c6ab740e7d1e69bb05349e3b27b1a52a4e0bad10ef8b019147c9d87755f95cb
RaccoonStealer
7ca4eb9602b54dd5a1003cc83c39d0cc07aeb041cf8be6562f656675a40e4ee8
RaccoonStealer
8c9604ea096cd0a680d183f1f9b2a53d2cce276c7d86efdf21d3dd6bffead1f5
RaccoonStealer
a9d0121ba9783e14f8ac72cce2cbce7e330d0b7f29e5311f497b86d286f2d5d1
RaccoonStealer
dcb02549ffe1d2212dbddc97bf48fc57965ca634ff30665cdeb085e60ae73690
RaccoonStealer
e80db3924627a7961f6bbb34a4d6849546d544620ea77f12b1b3dd8ed024ef4d
RaccoonStealer
fac9410d22c0e26ebfb6aa70649656a38685924cfb37638f95f35eb46b0cb71a
RaccoonStealer
+ 675 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:4e7a9762983a78c1fe5adf2c3a95ebcbdee314a8 discovery spyware stealer
Link:
https://tria.ge/reports/210325-3x31t3a3hn/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Raccoon
Unpacked files
SH256 hash:
0fc38f553594f635d314fe3dcb8bade7e660cec5f8a5eba77aeb84d3594a239f
MD5 hash:
878b7befe157731d85fae2e9059db5e4
SHA1 hash:
91a2127ef55f6f1a42ad1da85fddfde0ee1795b9
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/e9529785-c89c-440a-b245-f413b40a430b/
SH256 hash:
451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8
MD5 hash:
85a913fc008f6f650e9160157552af88
SHA1 hash:
e8f9c998e9ec5e4360461c89c993caf566d08164
Link:
https://www.unpac.me/results/e9529785-c89c-440a-b245-f413b40a430b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1090511/
  
Delivery method
Distributed via web download

Comments