MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 539ae706e5d4571ae319f202e8e70023b07ce2a7f8da909cf427a1214fd38f05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 539ae706e5d4571ae319f202e8e70023b07ce2a7f8da909cf427a1214fd38f05
SHA3-384 hash: 8af8ab5e76ebd8da3834a7bb17e104d6b00018f0706265a64959df58d80276f61b922a991632874dc27bc0b1d9198a58
SHA1 hash: 44534ef82a99b3268f9158f9b60339945ddb8c2c
MD5 hash: ed7340cc328461d2ea8f634d1f248bbb
humanhash: glucose-chicken-oregon-finch
File name:ed7340cc328461d2ea8f634d1f248bbb.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:551'936 bytes
First seen:2021-09-23 06:23:58 UTC
Last seen:2021-09-23 07:23:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f74a0f3da1e112835a6ac32552c0a4d2 (9 x RedLineStealer, 5 x ArkeiStealer, 4 x RaccoonStealer)
ssdeep 12288:UbohAoDCLbZi6SOMKo0pTYmJ4XRlBXlvT6EMGi5:YoDUbXvoyYlhDlvT6Uw
Threatray 3'225 similar samples on MalwareBazaar
TLSH T1DDC4E000B7F1C034F6F312BA59B983B8A53ABDB1A77486CF22D01AEA56647D49C31357
File icon (PE):PE icon
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ed7340cc328461d2ea8f634d1f248bbb.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 06:26:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3dd49a81-8e47-46eb-abe4-a11eb8465bec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190512/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37630114.6984.13532.UNOFFICIAL
Create hunting rule

Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e707e481-d6fa-45d2-b845-e8108d54378c
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856203
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488631 Sample: dNdM6DudEe.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Antivirus detection for URL or domain 2->61 63 6 other signatures 2->63 8 dNdM6DudEe.exe 82 2->8         started        13 sihost.exe 2->13         started        process3 dnsIp4 43 185.163.45.42, 49746, 80 MIVOCLOUDMD Moldova Republic of 8->43 45 45.159.188.204, 49747, 80 HOSTING-SOLUTIONSUS Netherlands 8->45 47 2 other IPs or domains 8->47 33 C:\Users\user\AppData\...\U3TE63eqbV.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->35 dropped 37 C:\Users\user\AppData\...\ucrtbase.dll, PE32 8->37 dropped 39 57 other files (none is malicious) 8->39 dropped 65 Detected unpacking (changes PE section rights) 8->65 67 Detected unpacking (overwrites its own PE header) 8->67 69 Tries to steal Mail credentials (via file access) 8->69 73 2 other signatures 8->73 15 U3TE63eqbV.exe 1 8->15         started        19 cmd.exe 1 8->19         started        71 Contains functionality to compare user and computer (likely to detect sandboxes) 13->71 21 schtasks.exe 1 13->21         started        file5 signatures6 process7 file8 41 C:\Users\user\AppData\Roaming\...\sihost.exe, PE32 15->41 dropped 49 Detected unpacking (changes PE section rights) 15->49 51 Detected unpacking (overwrites its own PE header) 15->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 15->53 55 Contains functionality to compare user and computer (likely to detect sandboxes) 15->55 23 schtasks.exe 1 15->23         started        25 conhost.exe 19->25         started        27 timeout.exe 1 19->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 23->31         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/539ae706e5d4571ae319f202e8e70023b07ce2a7f8da909cf427a1214fd38f05/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-23 02:46:00 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=konoobxf2rlrvyyz6iborzyaeoyhzyvh7dnjbhhue6qsct6tr4cq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0f342c0f781368f35e15cb470962b7eda145f6861417b1f687d6eb03878401fe
RaccoonStealer
0fa94fb3399528ee6652f3852baac8c399f267ed82ff74730881400494477a83
RaccoonStealer
29d0aa9684c47ac2f631f1929f6dc271fb7ddc6f0a3d31396aa1709ea00c9937
RaccoonStealer
79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e
RaccoonStealer
80a4368647ea647206896e0bf47e3340ad3b8cb21d54005b151f1975086ec615
RaccoonStealer
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
RaccoonStealer
acee4513b8bf1f640277c408964419edb362ea216e2401a21761f1b7a572a18b
RaccoonStealer
df1f97bc36b16e89492eac798745c9427681c448aad6bc5398cb32d1f3c96891
RaccoonStealer
f72e3a0623b194f7cb8134f6c13f08a4eb048b98a7a2aa34ff1a193ec1041822
RaccoonStealer
fe7e25d0fd410494f9d8299439faf7d89edb627b494c882d2b33c94625c7c35c
RaccoonStealer
+ 3'215 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery spyware stealer suricata
Link:
https://tria.ge/reports/210923-g53cwahfgm/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Unpacked files
SH256 hash:
d40a3af447ab9271c785a1b1726309f39408e9cf5d882dd203892bba63fe5c67
MD5 hash:
6d2427453c9a3b54eb2f7eeedc9fa7d7
SHA1 hash:
41f2598d71fec20aabe5aedd541e6798fb84a5c2
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/2021446d-f16f-4e85-9289-69427d13163a/
SH256 hash:
539ae706e5d4571ae319f202e8e70023b07ce2a7f8da909cf427a1214fd38f05
MD5 hash:
ed7340cc328461d2ea8f634d1f248bbb
SHA1 hash:
44534ef82a99b3268f9158f9b60339945ddb8c2c
Link:
https://www.unpac.me/results/2021446d-f16f-4e85-9289-69427d13163a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/539ae706e5d4571ae319f202e8e70023b07ce2a7f8da909cf427a1214fd38f05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 539ae706e5d4571ae319f202e8e70023b07ce2a7f8da909cf427a1214fd38f05

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1634218/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190512/

Comments