MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e1fa85c2c73b975c261d1e26ca1765932dbac790dd5519dc8cc48a869d56d91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e1fa85c2c73b975c261d1e26ca1765932dbac790dd5519dc8cc48a869d56d91
SHA3-384 hash: 5bea2be19b605b435eb4ee72b3798c266944c27b789aab6019448dd068855749c87ca0491550db9917f01daa49ab0de3
SHA1 hash: 43f02b21a3f49a7cce30c662b76e2eec07af0173
MD5 hash: c226c5dc2b63899b8851aca8c932cc80
humanhash: early-king-cola-one
File name:c226c5dc2b63899b8851aca8c932cc80
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:527'360 bytes
First seen:2021-09-18 02:09:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 493d9235e00e760cd832c2d6518be9c0 (2 x RaccoonStealer, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep 12288:0zDbaNos4yO4D0+Q9+0aM5ZTqUv1uccei0YtcLH10:0zHs4yOX9+0asG0/LH
Threatray 3'321 similar samples on MalwareBazaar
TLSH T1A1B4E024ABA0C039E0B711F759BA93B8E5397971FB2090CBA2C616EE46356F4DD30357
dhash icon 5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.95/ https://threatfox.abuse.ch/ioc/223257/

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c226c5dc2b63899b8851aca8c932cc80
Verdict:
Malicious activity
Analysis date:
2021-09-18 02:12:23 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/5e923fb1-daa3-4be8-8706-905355619e93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188861/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.3146.16610.14889.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0805dfbb-9759-4af4-b5cb-a87a5d0b7cef
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853106
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e1fa85c2c73b975c261d1e26ca1765932dbac790dd5519dc8cc48a869d56d91/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 14:40:20 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyp2qxbmoo4xlqtb2hrgzilwleznxldzbxkvdhoizrekq2ovnwiq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c791330b6c9714529cf845649a17339f96df293f02bf550e6c4e007faf6a9e8
RaccoonStealer
148c2ff6c877196d1bbdb73f1dc956f5a7dccbab86037648e235c149a3f4eef2
RaccoonStealer
3255394172556a89378c6a369e4d88fcd1992017cf1eeb7ee2794495758bf785
RaccoonStealer
395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6
RaccoonStealer
769e6fac3f7be0c7278bf32ec84b6e96690e06c4ed2c4d06df1f790fc97165e5
RaccoonStealer
88663e1a68a0c23a6b4e3bbdf5a274a374422aed105f52b236e58acd45050677
RaccoonStealer
b349af407e596fa823ca28d516ac7ce5481550003d45195e26ea535944cc7f5e
RaccoonStealer
be54f94776405673d2e6d5c453d540dc93c8f4057d4abb0e046b77f926ed9db2
RaccoonStealer
bfb1e4895a98b83a61f405199730fea989dc84ab8acf6e6234e4264db179cc84
RaccoonStealer
c28e190666a5967096f8c8e3ecd3a62e502fe84eb300113faa3fe06575ea118b
RaccoonStealer
+ 3'311 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery spyware stealer
Link:
https://tria.ge/reports/210918-clqgrabeen/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
891e615c3c074e9677bf07e44904e753f9c2ee5f22b244765772a6fec01572e4
MD5 hash:
1a5bb66c4cc9ad5673b9a97ae3a838c2
SHA1 hash:
c86c31d5b88b9ab1b08393316f9124a47a90000b
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/8dae2763-0e66-4aa2-b67d-28621bbac224/
SH256 hash:
4e1fa85c2c73b975c261d1e26ca1765932dbac790dd5519dc8cc48a869d56d91
MD5 hash:
c226c5dc2b63899b8851aca8c932cc80
SHA1 hash:
43f02b21a3f49a7cce30c662b76e2eec07af0173
Link:
https://www.unpac.me/results/8dae2763-0e66-4aa2-b67d-28621bbac224/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e1fa85c2c73b975c261d1e26ca1765932dbac790dd5519dc8cc48a869d56d91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 4e1fa85c2c73b975c261d1e26ca1765932dbac790dd5519dc8cc48a869d56d91

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/188861/
  
URLhaus
https://urlhaus.abuse.ch/url/1629173/

Comments


Avatar
zbet commented on 2021-09-18 02:09:33 UTC

url : hxxp://shangrilaregency.com/file.exe