MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab
SHA3-384 hash: a9254524e55e825bb66a7be8194ee68c6f09dfb89239064724d58edf58797663d1ca7174259621a475b2e97e6d355c48
SHA1 hash: 938a76601ce3be6225ad7fe89729dc932a75818c
MD5 hash: a2be581adbfed005b4620fea39d466f4
humanhash: high-early-ack-coffee
File name:a2be581adbfed005b4620fea39d466f4.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:553'984 bytes
First seen:2021-10-02 17:25:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b3447c394869d3e708c4373cd10a2b6b (5 x RaccoonStealer, 3 x ArkeiStealer, 2 x Smoke Loader)
ssdeep 12288:iof/P5pt+cGw0mzcscnlXfvKEs5Fg+cgReN:b/5pbGw0A7cqEIGL
Threatray 3'406 similar samples on MalwareBazaar
TLSH T16DC4F120B6E0C034F5B306F95979C2B9A53D7EB1AB2C51CF63D526EA52346E0AC31793
File icon (PE):PE icon
dhash icon a3b0f0b0b4f430a3 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.82/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.82/ https://threatfox.abuse.ch/ioc/229691/

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2be581adbfed005b4620fea39d466f4.exe
Verdict:
Malicious activity
Analysis date:
2021-10-02 17:27:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/29aeb14f-376b-41ef-92d0-4ae4f8fa61c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194235/
Detection(s):
Win.Ransomware.Ulise-9897604-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1475e37-66b0-4a8c-a96f-2c21b830070e
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863252
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 08:13:35 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfg3rzkp3yzym7jggo4cdgnd7vfdcktatcfl5hox6jaxf4sleovq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
240ff23832abc300cef55adc3f5f10fffe8b617b1f4e83979bef40c82c03f244
RaccoonStealer
447ef561d540f7b87bc2c4d822994b35758e8e2fb6e5a37d92b5ed11be769ea6
RaccoonStealer
70d0690f7740be76d6c2b2f62ee5cbbe594337cda04254df881915c4f834dbfc
RaccoonStealer
71fbc9e3d7c98f5ceddefde011586483ad21b083ff19055de75edebf3966c248
RaccoonStealer
73b08e1c191193b1c71438d44a79db1cd62c9f3048f257b713f55e8699ea0aac
RaccoonStealer
a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a
RaccoonStealer
b4b0d2468c23ab82e82ad967c641e703b623436f950b6a7be1c5ee7211deef15
RaccoonStealer
c169596df6ecb34d460a6012d943e8014befa2f160c5dd8497bfaed4170c7cce
RaccoonStealer
d00b481be4fa65ceba3125d6741e76792fd98fe4ed427dd498afda550c1927d1
RaccoonStealer
f099d1a0b66cc96504494723d26bf5db6a92218a39ff036cbc05b067c0f0ff6a
RaccoonStealer
+ 3'396 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1ea547c0a567138950af900718b7747d9f51d0cb discovery spyware stealer suricata
Link:
https://tria.ge/reports/211002-vzvmqseffm/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Unpacked files
SH256 hash:
34f59f9e637e7b4cd7354402c127fa06a9b363da8aa44fd8eac77b1251d1a068
MD5 hash:
5e18f789dc606adf5de9be92fb74296b
SHA1 hash:
a7937de9a889890564da83bc5d3c18aad47c8299
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/3edc99bb-4fe0-4f7f-a1a3-3af67b2d7dcf/
Parent samples :
78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b
b66ffdb7174f4c240e016033010d29a21ef2e083a62afe6275bf6bf9027b28c7
a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a
694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab
04e0c80f6ace3e8e01913bf43cce4d4ee8f01f42566fbac36b3e07fa8f8239ee
f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730
SH256 hash:
694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab
MD5 hash:
a2be581adbfed005b4620fea39d466f4
SHA1 hash:
938a76601ce3be6225ad7fe89729dc932a75818c
Link:
https://www.unpac.me/results/3edc99bb-4fe0-4f7f-a1a3-3af67b2d7dcf/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/694db8e54fde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194235/

Comments