MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4e96ae6829639366a4f4ecad2a0783cbe4dae67dd27bf91e525c742a2bc19f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	a4e96ae6829639366a4f4ecad2a0783cbe4dae67dd27bf91e525c742a2bc19f3
SHA3-384 hash:	6e1eb8e177e82b14a4851f3e9bafe1971e182346361720e80932545201a9d2bd3e680fdfe843ca13ec4160651ecc557d
SHA1 hash:	8d7446c82bdfe514b51b9a5c4f9f3da60e7dd268
MD5 hash:	c6af8f29ae58334bc6aacf4f4d7e2401
humanhash:	ten-nebraska-video-pluto
File name:	c6af8f29ae58334bc6aacf4f4d7e2401.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	568'570 bytes
First seen:	2021-10-05 05:06:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	658c49f2b142429657b3337ed8c9de9e (4 x RaccoonStealer, 3 x RedLineStealer, 1 x DanaBot)
ssdeep	12288:TXcOGDw1/6qtZ/U/nydI8lZROBPZx9jFr9j:wDw1//Z/6kISROtF
Threatray	3'448 similar samples on MalwareBazaar
TLSH	T14DC4F111BBE0C430E6B722B594F99378AA39BDB06B74C5CB63C545DA07A4AE0DC30397
File icon (PE):
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://194.180.174.80/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://194.180.174.80/	https://threatfox.abuse.ch/ioc/230436/

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c6af8f29ae58334bc6aacf4f4d7e2401.exe

Verdict:

Malicious activity

Analysis date:

2021-10-05 05:08:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7578706c-435c-47a1-bc80-b814ea3fc0c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/194820/

Detection(s):

Win.Packed.Generic-9896112-0

Win.Packed.Fragtor-9896447-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/615c061a98a6280f39324c38/reports/ddd2430a-9e60-469c-a02a-e20549104173/overview

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/defeffd9-4249-4d81-8f4f-5cb35f7518a1

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/864406

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/a4e96ae6829639366a4f4ecad2a0783cbe4dae67dd27bf91e525c742a2bc19f3/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-09-27 22:52:54 UTC

AV detection:

33 of 45 (73.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=utuwvzucsy4tm2spj3fnfidyhs7e3lth3ut37epfexdufiv4dhzq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

2762f83a68c4f2c6c2248000fc0071f3c39565e8fef8239e085fe71a7b5a0a57

RaccoonStealer

54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e

RaccoonStealer

67d16a17f27f15cf21671ccb406e1e8b647aaf90c72c9b276bdbc7eb788ab0c3

RaccoonStealer

6fba94fad3e01d57b5405b62aefc567342445131e99681532bf16d691953959f

RaccoonStealer

7cfa34e7f6ea3ee53ef9911983581f2c8865363d1e8de9d40ea42775de0f9e7e

RaccoonStealer

9f60a157b1a91cc18125825a286baaf011e65b0808be4adda258c3180f0be3ac

RaccoonStealer

b8fa5db247142aeb5f090fe861606d46dbcd50cf36249b0e422384a32d1dfc2b

RaccoonStealer

e4a17e7fabd31dca0c8ffa32fdb6ffbe1d4a696e2a6636186787b8259b95eb54

RaccoonStealer

f4e89acd2fe686f7b8006dec8326057703ce9ae4c2636a6119ae48ef4db1fdcb

RaccoonStealer

+ 3'438 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:b9905b767dbd1678bb046cbc1696faa3058ae6ba discovery spyware stealer

Link:

https://tria.ge/reports/211005-fr1fpahca9/

Behaviour

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Unpacked files

SH256 hash:

9985750072ab0aef4db0e2d26fdde78384c72083b8c445e67ec7c70c80b5ce7e

MD5 hash:

f187a2bdc6e41e2e497cb1ac1482e9d2

SHA1 hash:

c8c7fac7aad65f06b3886f7f3b68f7f57685e6de

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/02836e5a-a049-4539-9c07-9b15c5d5b7f0/

Parent samples :

54cad21bb34cbd9e336e95a0d9cac3bf53fbb94d1f053f16d040d5d8ed996e6e
6fba94fad3e01d57b5405b62aefc567342445131e99681532bf16d691953959f
2762f83a68c4f2c6c2248000fc0071f3c39565e8fef8239e085fe71a7b5a0a57
a4e96ae6829639366a4f4ecad2a0783cbe4dae67dd27bf91e525c742a2bc19f3

SH256 hash:

a4e96ae6829639366a4f4ecad2a0783cbe4dae67dd27bf91e525c742a2bc19f3

MD5 hash:

c6af8f29ae58334bc6aacf4f4d7e2401

SHA1 hash:

8d7446c82bdfe514b51b9a5c4f9f3da60e7dd268

Link:

https://www.unpac.me/results/02836e5a-a049-4539-9c07-9b15c5d5b7f0/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a4e96ae68296/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a4e96ae6829639366a4f4ecad2a0783cbe4dae67dd27bf91e525c742a2bc19f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194820/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample