MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 10 File information Comments

SHA256 hash:	8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad
SHA3-384 hash:	0da14e043e29eab4ded7caf7239f69c37c3fef094c161e0115e020383dd0425085f7c1c099957287ba4217a9ffe0e814
SHA1 hash:	4cc9c4c333d20616e81c8cd01f51bd8010f5826d
MD5 hash:	b6d9671df20580533a015600d37fbb3f
humanhash:	nine-eight-three-carpet
File name:	b6d9671df20580533a015600d37fbb3f.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	550'400 bytes
First seen:	2021-11-09 10:26:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61f5dd277d7d233f85b676d434ad016e (3 x RaccoonStealer)
ssdeep	12288:7+5AOSjgG54l4c/9rNLf9z3t/5itPoB6HdQz7KkXj:7PbPO4cRdVz3nMH6h
Threatray	4'104 similar samples on MalwareBazaar
TLSH	T18CC4E114AAE0C035F5BB12F48E799368B93F7EA1AB3591CF61D116DA56346E0EC30387
File icon (PE):
dhash icon	b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://194.180.174.182/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.180.174.182/	https://threatfox.abuse.ch/ioc/245154/

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/204412/

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/618a4cf7175442ca93a8ef30/reports/097f56ae-2658-4af2-a120-b133833bdebc/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01d0d3fe-5a18-4e9a-b369-feb1daf2cfb2

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/885868

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2021-11-09 10:27:06 UTC

AV detection:

23 of 45 (51.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qbe6vlyhor2bbg5nbnchgz75vne36izz2pn25fijrrzgu7yrpswq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

57127e39e8381f5008ef721023300501ff39b9018907a46a34b7e40d317d8f85

RaccoonStealer

58012e1bc38619a3a83b1b3742b066a7bc1ad2bceb622ed5603d7a0175489e54

RaccoonStealer

67a5471d59ca74d55eda2a899d27e0c650b4bd66747461f1bdda634dc96d0c18

RaccoonStealer

77e3f86564d1ad0f5e67e5d3619d9299bf669a9fce943c698dad9b3a46dadd35

RaccoonStealer

a6ef4df2da289c7494453df35117b375124fbe5b6dc7d6bc571f4218efc24e8e

RaccoonStealer

c0177c9922a4b6a95aef096fc5f39bef8412e7ee2fec4a21fe91f7ea03dfa951

RaccoonStealer

c288cd772d64fde2421fff6faac53e75a179ddb17029f5d4c5944fa7fb44cd63

RaccoonStealer

c67646ba071947726cb2420a03887901a79a762844862eeb61f2fa8349ea355f

RaccoonStealer

f0c6c81477938fcae74fe57391235d9128ef6b155052c78dcd18904ff702da80

RaccoonStealer

+ 4'094 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:d4d445f09abd00ad30681d6fb869e8ac910a67e2 stealer

Link:

https://tria.ge/reports/211109-mg376acaap/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

f719a29a620b4192cd1624843571081c9f45c6fb30387717ca1c58c80e0be14b

MD5 hash:

c47bd894cfe54d357c1399599a1bd079

SHA1 hash:

c9ef62ffc92c3284c6d1e4613daeeaa90ad36b65

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/c3162651-16c2-4ea1-ac67-9d63b929eb9c/

Parent samples :

4ebc4d4af4365a232d1e5aeb7a60a89208abdf07e1dd2dbc0bb8e781737d119f
957f478ec5c3d5899ea0ccfab3ef2da9a1fce48432008505862cc38ecd21e579
f57b5ada8a44a9778b96620193572ee4282a61f5d9063532eb0e5b8db5086357
6d0bc7c4ee68531cf6c42617eacd69e9687412efc44b3930845f2d0c739cf6b5
c0fd99ab6898145593395343dfbd1b5afea781d37cbbccd72e6c9dd408cb36f1
b9a8beecc6ae77878cf4e4dadde0046abc8c823673e7231ead8707211da71990
2ddd23a3f10c202c4814ded80e326091c23be36f828c6e25e0a78ad34657a733
5bef66e78bc9dde4afd1e97c60615aa35ffe17e2f619b69f152153cb858bd769
ac11a8568f5ac13845c000c26fdb61ff8b15519fa02003b17d6285668ee7fef4
c25538e04bbb9084922f2bb39e5da7764716cd902ebead0052397fbe4912ee3d
983cee3f2f8bed3fe80d8072d55a2011d2734cc074c8de181f95023cdccad3e0
b91c2f43aabab59c3df28395ced9cb1a35bd914c053381ff2f9a9b48c56558a3
8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad
ec2d8819fe0ecf31eac909a6f44e91b1ce662a965f67405ab21da63ab51cd1f4
9c1aa3258dc36abfd0cf8d90ad0b823d917ad1d24f6e19a499c5638690136aad
c288cd772d64fde2421fff6faac53e75a179ddb17029f5d4c5944fa7fb44cd63
50edf4a2c95ef6c29c69ab2c3590b94420c0c86c591b3213b11a85afb46d872a
f0c6c81477938fcae74fe57391235d9128ef6b155052c78dcd18904ff702da80
c0177c9922a4b6a95aef096fc5f39bef8412e7ee2fec4a21fe91f7ea03dfa951

SH256 hash:

8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad

MD5 hash:

b6d9671df20580533a015600d37fbb3f

SHA1 hash:

4cc9c4c333d20616e81c8cd01f51bd8010f5826d

Link:

https://www.unpac.me/results/c3162651-16c2-4ea1-ac67-9d63b929eb9c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	Start2_net_bin Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	Start2_overlap_bin Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	Start2__bin Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	SystemBC_Config Create hunting rule
Author:	@bartblaze
Description:	Identifies SystemBC RAT, decrypted config.

Rule name:	SystemBC_Socks Create hunting rule
Author:	@bartblaze
Description:	Identifies SystemBC RAT, Socks proxy version.

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

Rule name:	win_systembc_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

exe 8049eaaf077474109bad0b447367fdab49bf2339d3dbae95098c726a7f117cad

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1584973/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/204412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample