MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eafc2a0a992162261c3da6ae7206ed2d1466d3280149469ff323402a7dc09f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 13



SHA256 hash: 9eafc2a0a992162261c3da6ae7206ed2d1466d3280149469ff323402a7dc09f9
SHA3-384 hash: 71219eed04f75f98ebdd1be0745b578dc25dd256d923a35a200e87fc0abcd0c72b24533b27a9b65e5e1a523a326434ce
SHA1 hash: dce6202cbb00e6e50b0caced9da0ebe2884eb3a2
MD5 hash: f94b1c83e0fdc0527f73a4219ed73125
humanhash: helium-jersey-october-kentucky
File name: f94b1c83e0fdc0527f73a4219ed73125.exe
Signature: RaccoonStealer
File size: 484'352 bytes
First seen: 2021-08-03 15:32:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 41772127f978069b9f399090f08eba15 (4 x Smoke Loader, 3 x RaccoonStealer, 1 x DanaBot)
ssdeep: 6144:JmvS4ju5FFdemPWW6vlA8zHS1p/njgY0deBkpmp9G4QAIT3lQ019L0qtisggfRwh:I7u5YwS4/jgYI2p5ITVQ019/tpxZwoO
Threatray: 2'102 similar samples on MalwareBazaar
TLSH: T11FA4011075D1CA33E16186F58C76CAB47A2B78741D7466C33BB46A797F32393AB22342
dhash icon: 1272d292105c5c03 (31 x RaccoonStealer, 6 x Smoke Loader, 4 x Loki)
Reporter: abuse_ch
Tags: exe RaccoonStealer
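An added example (not MalwareBazaar's or abuse.ch's own code) for working with an entry like this one offline: it validates which digest a hex string is, builds the get_info lookup that the MalwareBazaar API accepts, flattens a response into an IOC record, and recomputes the four digests listed above over a downloaded file so you can confirm that the bytes you hold are the bytes this entry describes before you detonate them. The API URL, the form field names and the JSON key names are assumptions from memory of the public API documentation, not from this page; SAMPLE_RESPONSE is constructed from this entry's values.

```python
"""Helpers for a MalwareBazaar entry (added example, not abuse.ch code).

ASSUMPTIONS (not from the page): MB_API_URL, the form fields "query"/"hash"
and the JSON keys used in SAMPLE_RESPONSE follow my recollection of the
public MalwareBazaar API; check them against https://bazaar.abuse.ch/api/.
"""
import hashlib
import json
import re
import sys
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

MB_API_URL = "https://mb-api.abuse.ch/api/v1/"  # assumption, see docstring

# Digests copied from this entry; the expected values for a downloaded sample.
ENTRY_DIGESTS = {
    "sha256": "9eafc2a0a992162261c3da6ae7206ed2d1466d3280149469ff323402a7dc09f9",
    "sha3_384": "71219eed04f75f98ebdd1be0745b578dc25dd256d923a35a200e87fc0abcd0c7"
                "2b24533b27a9b65e5e1a523a326434ce",
    "sha1": "dce6202cbb00e6e50b0caced9da0ebe2884eb3a2",
    "md5": "f94b1c83e0fdc0527f73a4219ed73125",
}

HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384"}


def classify_hash(value: str) -> Optional[str]:
    """Which digest a hex string could be (by length), or None if not hex."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HEX_LEN.get(len(v))


def build_get_info_query(digest: str) -> Dict[str, str]:
    """Form body for get_info; lookups by MD5/SHA1/SHA256 (assumption)."""
    if classify_hash(digest) not in ("md5", "sha1", "sha256"):
        raise ValueError("get_info needs an MD5, SHA1 or SHA256 hex digest")
    return {"query": "get_info", "hash": digest.strip().lower()}


def fetch_entry(digest: str, timeout: int = 15) -> dict:
    """Live lookup (needs network); the offline demo below never calls it."""
    body = urllib.parse.urlencode(build_get_info_query(digest)).encode()
    with urllib.request.urlopen(MB_API_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def extract_iocs(response: dict) -> dict:
    """Flatten a get_info response into the fields you would push to a blocklist."""
    if response.get("query_status") != "ok":
        raise ValueError(f"lookup failed: {response.get('query_status')}")
    entry = response["data"][0]
    return {
        "hashes": {k: entry[f"{k}_hash"].lower() for k in ("md5", "sha1", "sha256")},
        "signature": entry.get("signature"),
        "imphash": entry.get("imphash"),
        "tlsh": entry.get("tlsh"),
        "ssdeep": entry.get("ssdeep"),
        "yara": sorted(r["rule_name"] for r in entry.get("yara_rules") or []),
        "tags": list(entry.get("tags") or []),
    }


def compute_digests(data: bytes) -> Dict[str, str]:
    """The same digest set MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: Dict[str, str]) -> List[str]:
    """Names of expected digests that do not match; [] means the bytes are the entry's."""
    got = compute_digests(data)
    return sorted(k for k, v in expected.items() if got.get(k) != v.lower())


# Constructed offline stand-in for a get_info response, built from this entry.
SAMPLE_RESPONSE = {
    "query_status": "ok",
    "data": [{
        "sha256_hash": ENTRY_DIGESTS["sha256"],
        "sha1_hash": ENTRY_DIGESTS["sha1"],
        "md5_hash": ENTRY_DIGESTS["md5"],
        "signature": "RaccoonStealer",
        "imphash": "41772127f978069b9f399090f08eba15",
        "tlsh": "T11FA4011075D1CA33E16186F58C76CAB47A2B78741D7466C33BB46A797F32393AB22342",
        "ssdeep": "6144:JmvS4ju5FFdemPWW6vlA8zHS1p/njgY0deBkpmp9G4QAIT3lQ019L0qtisggfRwh:I7u5YwS4/jgYI2p5ITVQ019/tpxZwoO",
        "tags": ["exe", "RaccoonStealer"],
        "yara_rules": [{"rule_name": "MALWARE_Win_Raccoon", "author": "ditekSHen"},
                       {"rule_name": "win_raccoon_auto", "author": "Felix Bilstein"}],
    }],
}

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_RESPONSE), indent=2))
    if len(sys.argv) > 1:  # python mb_entry.py downloaded_sample.bin
        with open(sys.argv[1], "rb") as fh:
            bad = verify_sample(fh.read(), ENTRY_DIGESTS)
        print("digests match entry" if not bad else f"MISMATCH: {bad}")
```

Run it with the path of the downloaded sample as the only argument; an empty mismatch list means every digest on this page was reproduced from the file, which is the check worth doing before the file goes anywhere near an analysis VM. Note that imphash, ssdeep and TLSH are deliberately not recomputed here: they need third-party libraries, and the shared imphash above (Smoke Loader, RaccoonStealer and DanaBot samples all carry it) shows why a pivot on those should be corroborated rather than trusted on its own.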

Intelligence

File Origin
# of uploads: 1
# of downloads: 152
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: f94b1c83e0fdc0527f73a4219ed73125.exe
Verdict: Malicious activity
Analysis date: 2021-08-03 15:32:59 UTC
Tags: trojan stealer raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict: UNKNOWN

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious

Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer

Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-08-03 15:33:15 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:cd8dc1031358b1aec55cc6bc447df1018b068607 discovery spyware stealer
Behaviour
Modifies system certificate store
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Raccoon Stealer Payload
Unpacked files
SHA256 hash: de9b89296afb64b88604461cc4d9c9934db0262af4f292523640801d20a7862c
MD5 hash: 196ae7e52394cd10aa5622c2a4648e3a
SHA1 hash: cd1dab19173048b3a13c86e38e48ec0df7096c32
Detections: win_raccoon_auto

Parent samples:
SHA256 hash: 9eafc2a0a992162261c3da6ae7206ed2d1466d3280149469ff323402a7dc09f9
MD5 hash: f94b1c83e0fdc0527f73a4219ed73125
SHA1 hash: dce6202cbb00e6e50b0caced9da0ebe2884eb3a2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer.

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 9eafc2a0a992162261c3da6ae7206ed2d1466d3280149469ff323402a7dc09f9 (this sample)

Delivery method
Distributed via web download

Comments