MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52034ff2764460d5cfb05b45b47d75fbb87c669814509f0699f02dafd869d871. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13


SHA256 hash: 52034ff2764460d5cfb05b45b47d75fbb87c669814509f0699f02dafd869d871
SHA3-384 hash: a1897d7a28961522e8a9f8a09b03a86955f1c5bb9a8a1a20b76d8607ad392ea31cfbcd0bc714e8a92c259517979cf22d
SHA1 hash: 74d9f661f249e37364264d56c8563e2f7a16f953
MD5 hash: e54a585f8f4a3274802213ce217046ff
humanhash: johnny-chicken-uniform-whiskey
File name: e54a585f8f4a3274802213ce217046ff.exe
Signature: RaccoonStealer
File size: 568'832 bytes
First seen: 2021-10-01 07:11:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5ec7f7aedfe92c1b2393798c6fa1e0e0 (9 x RaccoonStealer, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep: 6144:kNQbRc7WQAtY1lUhuUZiAc/tYzOOnbsGhR3T1r6xkBqeTsYpFy5yYYVhJ11+3VMP:kzvRlUssO8xRexivzrv1S3L63zxd6L
Threatray: 3'372 similar samples on MalwareBazaar
TLSH: T117C4F00931A2DFF2D27505F1AB27C7E1452E3E2C5E2A769A3B98361E3E3C391DA11345
dhash icon: 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://91.219.236.63/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://91.219.236.63/
ThreatFox reference: https://threatfox.abuse.ch/ioc/229384/

Intelligence


File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e54a585f8f4a3274802213ce217046ff.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 07:17:05 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Clipboard Hijacker Raccoon
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 494981; Sample: zO5nKETMUB.exe; Start date: 01/10/2021; Architecture: WINDOWS; Score: 100. Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Antivirus detection for URL or domain, 6 other signatures. Process nodes recovered from the graph:
zO5nKETMUB.exe: contacts 91.219.236.63:80 (SERVERASTRA-ASHU, Hungary), t.me 149.154.167.99:443 (TELEGRAMRU, United Kingdom) and jqueri-web.at 194.61.25.77:443 (ERAHOST-ASNL, Netherlands); drops C:\Users\user\AppData\...\Lc5XXryUaI.exe, C:\Users\user\AppData\...\vcruntime140.dll and C:\Users\user\AppData\...\ucrtbase.dll (all PE32) plus 57 other files (none malicious); starts Lc5XXryUaI.exe and cmd.exe; signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Tries to steal Mail credentials (via file access), 2 other signatures.
Lc5XXryUaI.exe: drops C:\Users\user\AppData\Roaming\...\sihost.exe (PE32); starts schtasks.exe, which starts conhost.exe; signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Uses schtasks.exe or at.exe to add and modify task schedules, Contains functionality to compare user and computer (likely to detect sandboxes).
cmd.exe: starts conhost.exe and timeout.exe.
sihost.exe: starts schtasks.exe, which starts conhost.exe; signature: Contains functionality to compare user and computer (likely to detect sandboxes).
Threat name:
Win32.Ransomware.Convagent
Status:
Malicious
First seen:
2021-10-01 07:12:07 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
5/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:raccoon botnet:f6d7183c9e82d2a9b81e6c0608450aa66cefb51f discovery spyware stealer suricata
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SHA256 hash:
59efed500f10cb712e56fdc49ec0dac2925b40a012f4905bebfdcf9cfc1bf0c2
MD5 hash:
5b73b7c319a3c0dabf27493e473df60d
SHA1 hash:
71824d401d85500ac00b61e933092394794079c5
Detections:
win_raccoon_auto
Parent samples :
SHA256 hash:
52034ff2764460d5cfb05b45b47d75fbb87c669814509f0699f02dafd869d871
MD5 hash:
e54a585f8f4a3274802213ce217046ff
SHA1 hash:
74d9f661f249e37364264d56c8563e2f7a16f953
Malware family:
Raccoon v1.7.2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 52034ff2764460d5cfb05b45b47d75fbb87c669814509f0699f02dafd869d871 (this sample)

Delivery method
Distributed via web download
