MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87df9f2a4cfce131acf28eb02e7a12c19758050657cc5860722fb521f97ee2b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87df9f2a4cfce131acf28eb02e7a12c19758050657cc5860722fb521f97ee2b6
SHA3-384 hash: 2c7551132f509508016ac9d25b95da597853c8e2f6ed88591a2c1ac79f7f58889b5a791073773ce86d0e5d3dc6107841
SHA1 hash: afce3d602c009053e0dc84f6e834d063e76e033f
MD5 hash: 75a65727a803ab560f97d99454f3371a
humanhash: mississippi-uniform-kansas-bravo
File name:d0be4707cab9461c51f4d3d2be0cec8dfaa06e2d2021-.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:439'296 bytes
First seen:2021-08-24 08:36:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02fed18d5788c3d9bcc1897631bb2a01 (8 x RaccoonStealer, 2 x DanaBot, 2 x RedLineStealer)
ssdeep 6144:o2awVzguUzM4EU3flTrTi3R6aAUKlPpfaDFB85pT8Lmb/f9StI3iTPWbV:o2asE/MSflTH1bVaza2LoX9IIijA
Threatray 2'512 similar samples on MalwareBazaar
TLSH T19F941202B922C133CA5544B58CE2D7D0FE7EBE41DE6521C73BE42A9E5EB12D1B616322
dhash icon 1072c093b0381906 (22 x RedLineStealer, 22 x RaccoonStealer, 20 x Stop)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://188.119.112.104/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://188.119.112.104/ https://threatfox.abuse.ch/ioc/193472/

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d0be4707cab9461c51f4d3d2be0cec8dfaa06e2d2021-.exe
Verdict:
Malicious activity
Analysis date:
2021-08-24 08:39:10 UTC
Tags:
trojan stealer raccoon
Link:
https://app.any.run/tasks/a2fbe3e5-ba9b-46ca-b290-470dc1543ac0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181790/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.26620.14783.17112.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/914b8c9c-9dc9-4394-bb60-c1a176292ede
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/838089
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/87df9f2a4cfce131acf28eb02e7a12c19758050657cc5860722fb521f97ee2b6/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 08:37:08 UTC
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7pz6ksm7tqtdlhsr2yc46qsyglvqbigk7gfqydsf62sd6l64k3a._file
Verdict:
malicious
Similar samples:
1b4d4888df7a07d7a2d2f9f6701b834c254548a0ed9f4602ecb114e1a92eacd4
RaccoonStealer
2fb28bf59adc3f11c4643a43bd7583df849c22e59c0185efde750a354a9aadf3
RaccoonStealer
33c1310b2f87420819dce65ad5804b459650076580e9780f7a8c755ce994968d
RaccoonStealer
51d876460fa02bb32eb2d66e36702327a1a76e3e89ad4ad60d1cde1e47382c98
RaccoonStealer
5ec701c3f9cbe0d01bfe160d9346f77579c6eaa3acbfcd206b9b463db03820b6
RaccoonStealer
67c798fa66f431640bbe46c525ac2de543a2c2e7b6cc59e5967d8bc5d37b01cb
RaccoonStealer
7de4221ec5d702eb52286c59b5e63f8637cb4bdde5ab7bbac8b66b5bcbca2a3f
RaccoonStealer
858aa76a13406d52444536560c091e23e1e36577ac764deb88f4f454c099b97b
RaccoonStealer
eb6ac5caf1ad01b01f9f32b4aa60a27c97d24b1b77903ae407641dfd149a715e
RaccoonStealer
f2dc381b529cbc75c03ca8bf1886b0ee6b1e2622f8918a27a876c50889e2ae7e
RaccoonStealer
+ 2'502 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:e67d6f72c13b070266a3aea1152c815082c9b024 discovery spyware stealer
Link:
https://tria.ge/reports/210824-pe7nmmzpde/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
acbf437acc3960b4f0c82a0529cb5c83dfb5c61e0b174c5e8e1816deb24bd81c
MD5 hash:
f0a2bf4c88bf761f0026e9881b4435c9
SHA1 hash:
1ab1c7474b0ef3fa59cfb8706e2f5be8c2bcc462
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5b874ce-e367-4d6b-9fef-8ea1324c36d7/
SH256 hash:
87df9f2a4cfce131acf28eb02e7a12c19758050657cc5860722fb521f97ee2b6
MD5 hash:
75a65727a803ab560f97d99454f3371a
SHA1 hash:
afce3d602c009053e0dc84f6e834d063e76e033f
Link:
https://www.unpac.me/results/d5b874ce-e367-4d6b-9fef-8ea1324c36d7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/87df9f2a4cfc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87df9f2a4cfce131acf28eb02e7a12c19758050657cc5860722fb521f97ee2b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181790/

Comments