MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8
SHA3-384 hash: 282bc1293d6fbb5bda96bfe85915114bf3ec66fe061045f62e3a666178fcb44d3195f0396174ff32fa66e9c764f29813
SHA1 hash: c3831def50c14cf2f2bd8213e0746eeadbf5e8c0
MD5 hash: 2264ada61405b71a4463920c1a421f30
humanhash: south-zebra-thirteen-fillet
File name:2264ada61405b71a4463920c1a421f30.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:576'512 bytes
First seen:2021-08-14 12:01:31 UTC
Last seen:2021-08-14 12:51:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d090e103c03d6b0db4cbc0eca2b8a26 (3 x RaccoonStealer)
ssdeep 12288:9rbArX0I80f54ppGUjzlrxUeEBJLbNGC3XyoLE2pZ/BEY5h0:qrX0zpEjbsYnE2aYv
Threatray 2'804 similar samples on MalwareBazaar
TLSH T144C4E1316690D431F9F3D1F885AA837CB52D7EA19B3450CBA2D42AFE5A346E4AC31347
dhash icon d824e790c4e72158 (30 x RaccoonStealer, 18 x RedLineStealer, 16 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.153.230.19/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.153.230.19/ https://threatfox.abuse.ch/ioc/185490/

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2264ada61405b71a4463920c1a421f30.exe
Verdict:
Malicious activity
Analysis date:
2021-08-14 12:04:14 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/e11f9236-10c5-412a-bc19-0be98b63c892

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179230/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.30187.11550.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db71355a-e286-48bc-8196-e1f49a3402e9
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832872
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-08-14 12:02:04 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujt6bwb3j3hisvzigwbn4n7fhiwq2zutriu4uyqvsl24z4fuc2ua._file
Verdict:
malicious
Similar samples:
14e4824be0683d1089694045fb18bfef2da645ab2c4c8b07158894e9d9ec2a1b
RaccoonStealer
2884983044037369de29a626a68e63b23010e7840bc2af82f9f85510c283b597
RaccoonStealer
65a54e89f60b25715ee91d43b0ff2634e643de22a35af6c182b080a33778da85
RaccoonStealer
704ea934e75448ed30e38117fe27b81b6dfdeb0f2a498bd0ae5474ec3d5014d7
RaccoonStealer
764fde7f31d06b2abf47c6ebe506d0843d6188f8066bba84dd99235d9b3be8fa
RaccoonStealer
9dc0631ea1726b49d0e25b634b6e57253951088f4d007b00407118fcd82fa272
RaccoonStealer
acf073ae5f8b4e643367dc746674f1e228ecc8e94e9327a70b176b21a0dda604
RaccoonStealer
bdb12e8227f12fc06392f619e23e9bef8fef74dc637027bfad13b0e4ee02af8a
RaccoonStealer
e02eee1586a84d7d556d451ae08a9a0fb39d14e5f9dcc51102439e030fec3a70
RaccoonStealer
f5e61fcc4300b16d273ba8e0a957ad8cc89f757d5329409cfed0dea6ae64c322
RaccoonStealer
+ 2'794 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:93d3ccba4a3cbd5e268873fc1760b2335272e198 discovery spyware stealer
Link:
https://tria.ge/reports/210814-jbka1fmw1j/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SH256 hash:
5dca9ace1e4653b9ecf1230d82ac264a95cedc3cae84293dab0c27aed4bc61ce
MD5 hash:
957f1f62f315614de9ae470d59cdc704
SHA1 hash:
005b508e4cf798e180c7b92c7061ed3f3ead0d42
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/f55ae015-bc63-4f7e-9f89-635be5427d04/
Parent samples :
da6edc1276fab7bfa04b08b6dfcea00e185aa8cefe53c2b1d11529067871ab44
f5e61fcc4300b16d273ba8e0a957ad8cc89f757d5329409cfed0dea6ae64c322
d0e8d7a631a88b4a1e213be9d37a104469fa2217df5853cc5070ed50a5790c7d
39804d887b31f48334e49bb8c285556c06bca9c9a9dfaec5d9f8fee609648bc6
14e4824be0683d1089694045fb18bfef2da645ab2c4c8b07158894e9d9ec2a1b
d1c619e1afe873b97c09c8068b30efcaafffbfdfb0dce63cad7f1a8394e260a8
5978984d7f8a80cba8b94b3e4e973eeb6218f82535ea8e55aca5deb8830afc2c
64c1dfd4d78c54982f2908ecb8a61479adb6dd75a68c2ace5617d9a8de482298
76c2e3afa7f0a8f45c84517763a838292b92768e88c7c801f2b8e8ef2381e907
e02eee1586a84d7d556d451ae08a9a0fb39d14e5f9dcc51102439e030fec3a70
806ed2c49bd059dced46432ab56ba22b0a79af0933d999ce86ee95507b9009b8
f2d87a0f7c8a4b36703946b849c0468e06005ddd3fcf2a6f8665e5c6447733c1
9dc0631ea1726b49d0e25b634b6e57253951088f4d007b00407118fcd82fa272
764fde7f31d06b2abf47c6ebe506d0843d6188f8066bba84dd99235d9b3be8fa
65a54e89f60b25715ee91d43b0ff2634e643de22a35af6c182b080a33778da85
2d54e0a38b0f02e204233f6a842d765fc7efb0e72f35302493e60bcdfd841a17
adf56d5514f9ff609943983010d3fc67ac0b29d5f92ac9adc25bafba79bad88a
2884983044037369de29a626a68e63b23010e7840bc2af82f9f85510c283b597
bdb12e8227f12fc06392f619e23e9bef8fef74dc637027bfad13b0e4ee02af8a
704ea934e75448ed30e38117fe27b81b6dfdeb0f2a498bd0ae5474ec3d5014d7
acf073ae5f8b4e643367dc746674f1e228ecc8e94e9327a70b176b21a0dda604
a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8
0a122a9c5b9ca7f66424aa64cdb7dc9c5d4093583e9afb89a26c6dd0f6587ea3
0eb888bce9b8004afc5ff570dda6538606cc9e76cc16c6b856e10172ac9300e8
dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70
34033f216c83ba1f02e6e0150ed9d8b1b7322eddeead85da35f212635e389f01
eb521300b6ee49fdaad2d339f8389528bd676124d78b2490a238d8f439574635
89345900ae900c3173451251fd43261dc523c71a11ea8ceb189118274d76328e
8a4fbdcb745421e4126672995940c80e9e391bf10cac6fa29185bef7d38682d4
a7242d808b6dd1f25322513d2caa725c24c9f644b77cf29147574866aa9877f2
20737f14abb4e1ee87c383825e911f8043d285f5f8019609e620bf18a66ca72c
de3c93fe49775276393b43a5e39d71b9ade06756977134f2b7ec0204def6b374
fcbb50a296ee18e6b9faa18e6ccc93294d0068307e1e01d7edea2603d08add81
a154eb237db3b28b5c54b2d61304be223d4290d2a70ccb783578437f72f36dc1
3ef72c722e5a25479588a8f0460eb939dcff7b52e610a0c415bb8b562f421159
6a48934151f7e361955ce4a357042798ef3c12f5686eab6255910992770dad13
90acd1725a515f9f61d6c625dc5d347046f8160a87ec10282435eadffe9d7177
f69c70945360bf5512ffb5ecddf623001764b8218d486793c7daae1e7a0f281d
84dee83ee172871a49fbf587ecf00248690f11a32f9dff57dde1a84c84f2ea36
3de373b84c3ad1a48887e964bd0873b6a4e9f4107730a4d3c9204d87a4e0b5f4
03bd08dfdc557bf5a36855d4b9e5d364117804639e1486784a33e6d32800e368
4200a6c60752a877536a362b4964b66c55b43d8ade0c9e2f746c532968e3e507
SH256 hash:
a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8
MD5 hash:
2264ada61405b71a4463920c1a421f30
SHA1 hash:
c3831def50c14cf2f2bd8213e0746eeadbf5e8c0
Link:
https://www.unpac.me/results/f55ae015-bc63-4f7e-9f89-635be5427d04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe a267e0d83b4ece8957283582de37e53a2d0d66938a29ca621592f5ccf0b416a8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1524265/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/179230/

Comments