MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f
SHA3-384 hash: 1d3deecbc417d8cda41e736ec11dbbf3e0e289f35d8f6d3c9b6b8e37e436fc30de59e79bbae814169c2e0bfe14dfffcc
SHA1 hash: 58d235fe227369457ef1260e485c615b32cec165
MD5 hash: e7f437d3ebee9ef2755f2287a227b544
humanhash: foxtrot-ohio-summer-golf
File name:e7f437d3ebee9ef2755f2287a227b544.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:521'728 bytes
First seen:2021-11-08 13:41:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 60ab4a93298436a0ea920c16b7e59caa (8 x RaccoonStealer, 3 x RedLineStealer, 1 x Smoke Loader)
ssdeep 12288:g3npqUrL9H0eLwT+UiPmOzL0+l9Punn5:UQOLt0eLwCjPvL0wo5
Threatray 4'098 similar samples on MalwareBazaar
TLSH T13FB4F130A6E8D436E0633D30597196A11A77BD5255707046E380EBBF2E73E9C8AE631F
File icon (PE):PE icon
dhash icon fcfcb4d4d4dcd8c0 (14 x RedLineStealer, 11 x RaccoonStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.182/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.182/ https://threatfox.abuse.ch/ioc/245154/

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/203302/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6189292da00afa9663a0dac2/reports/246d6069-93a9-4726-99fa-ad8b6be6b378/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/898927c1-3044-46ba-91ba-57a08c5d065f
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/885280
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f/
Threat name:
Win32.Trojan.Krypter
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 13:42:06 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j26e2sxugzncgli6llvxuyfisiekxxyh4hos3palxdtyc435cgpq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
000a5351b371aded2fb7194910ee210cb029199eb65a4f755f23a4f904117607
RaccoonStealer
3d3bdfa63f14658e164027af06ac4728891f5025fadddac2f2f6debb4021d531
RaccoonStealer
5451dce2ce5d9e6b5f9ed22dd2b535b36557c73511b734134fa8877f064eb8d7
RaccoonStealer
58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54
RaccoonStealer
8136e992f634fec74c2c923edc4cf43ab8601dd3dc229bb3fde7d798e644beae
RaccoonStealer
8f4d56c333b5b0b743a6dcdc6d6954adfdde2fc5219b8c45987202445ecdfc9c
RaccoonStealer
c67646ba071947726cb2420a03887901a79a762844862eeb61f2fa8349ea355f
RaccoonStealer
d446ebd0bb5a6a33e8252ffda9084f2eb912bb6c2a461e96dcc3c317b3ef41ce
RaccoonStealer
eb33bd628ebeb2de4091f36ab518e658bfa7764822fea208e951e0364d711844
RaccoonStealer
fc6b841e6c753eeebf0d7cc8820cd3c6fcbeb40fc4d2c4d9a8bf9d3f0907fb76
RaccoonStealer
+ 4'088 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:d4d445f09abd00ad30681d6fb869e8ac910a67e2 stealer
Link:
https://tria.ge/reports/211108-qznrzacbc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
f719a29a620b4192cd1624843571081c9f45c6fb30387717ca1c58c80e0be14b
MD5 hash:
c47bd894cfe54d357c1399599a1bd079
SHA1 hash:
c9ef62ffc92c3284c6d1e4613daeeaa90ad36b65
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b9e4e22-6fac-4373-8a08-8ce46fa5bb5e/
Parent samples :
4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f
957f478ec5c3d5899ea0ccfab3ef2da9a1fce48432008505862cc38ecd21e579
f57b5ada8a44a9778b96620193572ee4282a61f5d9063532eb0e5b8db5086357
6d0bc7c4ee68531cf6c42617eacd69e9687412efc44b3930845f2d0c739cf6b5
c0fd99ab6898145593395343dfbd1b5afea781d37cbbccd72e6c9dd408cb36f1
b9a8beecc6ae77878cf4e4dadde0046abc8c823673e7231ead8707211da71990
2ddd23a3f10c202c4814ded80e326091c23be36f828c6e25e0a78ad34657a733
5bef66e78bc9dde4afd1e97c60615aa35ffe17e2f619b69f152153cb858bd769
ac11a8568f5ac13845c000c26fdb61ff8b15519fa02003b17d6285668ee7fef4
c25538e04bbb9084922f2bb39e5da7764716cd902ebead0052397fbe4912ee3d
983cee3f2f8bed3fe80d8072d55a2011d2734cc074c8de181f95023cdccad3e0
b91c2f43aabab59c3df28395ced9cb1a35bd914c053381ff2f9a9b48c56558a3
8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad
ec2d8819fe0ecf31eac909a6f44e91b1ce662a965f67405ab21da63ab51cd1f4
9c1aa3258dc36abfd0cf8d90ad0b823d917ad1d24f6e19a499c5638690136aad
c288cd772d64fde2421fff6faac53e75a179ddb17029f5d4c5944fa7fb44cd63
50edf4a2c95ef6c29c69ab2c3590b94420c0c86c591b3213b11a85afb46d872a
f0c6c81477938fcae74fe57391235d9128ef6b155052c78dcd18904ff702da80
c0177c9922a4b6a95aef096fc5f39bef8412e7ee2fec4a21fe91f7ea03dfa951
SH256 hash:
4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f
MD5 hash:
e7f437d3ebee9ef2755f2287a227b544
SHA1 hash:
58d235fe227369457ef1260e485c615b32cec165
Link:
https://www.unpac.me/results/7b9e4e22-6fac-4373-8a08-8ce46fa5bb5e/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4ebc4d4af436/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/203302/

Comments