MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e11ca103543381353beac9daac75beb13a4186fa3470bf90550ee6467270a66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e11ca103543381353beac9daac75beb13a4186fa3470bf90550ee6467270a66
SHA3-384 hash: c5dbcd9065405687418d16526046fc964b7c9b1a8fa77f459e09ecd9eec01caff88417046a720b295c076d21651b2aa4
SHA1 hash: 1411e702d2d14e2578cb1e6bfc70c1d42cc80bf2
MD5 hash: bc6bcd6e668a744fa25be36f93ac75bf
humanhash: six-alabama-summer-whiskey
File name:bc6bcd6e668a744fa25be36f93ac75bf.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'065'920 bytes
First seen:2021-10-04 18:10:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:YQEPpjUP3w7Mq58T+iF0GipV8s+4VHxFLjaTEAeVrM+vh8uyMGAksuqmd554qXg+:HElhL6zKU
Threatray 3'452 similar samples on MalwareBazaar
TLSH T1DFA53C18697FE01960E3FE916EDCA8FADADE55D3240D743B106163274F22B81DE8B439
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.81/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.81/ https://threatfox.abuse.ch/ioc/230118/

Intelligence

File Origin
# of uploads :
1
# of downloads :
557
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194767/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.972-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c1091e3d213d202b76fe9/reports/59fcda12-98fd-48c6-8eaf-3e21f55b0d8d/overview
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9704bbc-2b33-4726-86b4-8ab5a43cd652
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864245
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496671 Sample: 4BChcXvJnq.exe Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 4 other signatures 2->45 8 4BChcXvJnq.exe 2 2->8         started        process3 file4 25 C:\Users\user\AppData\...\4BChcXvJnq.exe.log, ASCII 8->25 dropped 47 Self deletion via cmd delete 8->47 49 Contains functionality to steal Internet Explorer form passwords 8->49 12 4BChcXvJnq.exe 80 8->12         started        17 conhost.exe 8->17         started        signatures5 process6 dnsIp7 35 91.219.236.81, 49748, 80 SERVERASTRA-ASHU Hungary 12->35 37 teletop.top 172.67.176.216, 49747, 80 CLOUDFLARENETUS United States 12->37 27 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->29 dropped 31 C:\Users\user\AppData\...\ucrtbase.dll, PE32 12->31 dropped 33 56 other files (none is malicious) 12->33 dropped 51 Tries to steal Mail credentials (via file access) 12->51 53 Self deletion via cmd delete 12->53 55 Tries to harvest and steal browser information (history, passwords, etc) 12->55 19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e11ca103543381353beac9daac75beb13a4186fa3470bf90550ee6467270a66/
Threat name:
ByteCode-MSIL.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 18:11:07 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyi4uebvim4bgu56vso2vr235mj2igdpundqx6ifkdxgizzhbjta._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1e89e268686b120ae6e58ebfc87c5a532d227a54c35bc3b01ed1b992503f64e2
RaccoonStealer
25f0da89dfe9a691b9cd1b684d152e51796e90dda51b7bf9a962abd1d7a9fcb1
RaccoonStealer
354efc97e4a680e6b6fceb03d31ead926205efda8d5e0f28abe1c3381aa1991a
RaccoonStealer
586e63037f6297075b488aad3e8b3c2760a1c63852cea2286f89b6ee2617f0c6
RaccoonStealer
7cd0e04ae6cb26444707130e0d56860e56345c9a2153078621eb7bd511ed1f29
RaccoonStealer
89b3ed9d4b3daa09b18db0ee62d8c7b652f3101299a6fc9ca0245bb6a6ded9b9
RaccoonStealer
9fbc2a32b58c53043d6697e93642837cd2b6ab5571794149736741a4ed208a9f
RaccoonStealer
ad7a43d349196fcd55f26cafda2ed1907288aff6200e0348718cdc94373d84b9
RaccoonStealer
af37877133e6e656c670126e562f53e50be8867239e7e0b2beb88072ec6ea76e
RaccoonStealer
f45b444b6e8d66dc8d97e8ec397a4ffbf1545bef57d783ec906d2c7695b25ac5
RaccoonStealer
+ 3'442 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:�#w;ef�b\ �����+k)џ�d��b`~6�2�2g�1�-� discovery spyware stealer suricata
Link:
https://tria.ge/reports/211004-wsla6ahbaj/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SH256 hash:
2b7b125c3a2d4f031e4dbb82d7ad86234f15509cc188ab4c42bd89ea237dd76d
MD5 hash:
5b4be4ececc414546d919879115a9533
SHA1 hash:
216986157d700cf97dd18eea4305cd59ecddd47e
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/8253b488-ec2d-442a-b8b2-c4b50d8b8577/
SH256 hash:
5e11ca103543381353beac9daac75beb13a4186fa3470bf90550ee6467270a66
MD5 hash:
bc6bcd6e668a744fa25be36f93ac75bf
SHA1 hash:
1411e702d2d14e2578cb1e6bfc70c1d42cc80bf2
Link:
https://www.unpac.me/results/8253b488-ec2d-442a-b8b2-c4b50d8b8577/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5e11ca103543/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Raccoon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e11ca103543381353beac9daac75beb13a4186fa3470bf90550ee6467270a66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 5e11ca103543381353beac9daac75beb13a4186fa3470bf90550ee6467270a66

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1644572/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194767/

Comments