MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a
SHA3-384 hash: 2ff34119a11e9d5b31577c90834d52cf69238e84b219c3e721a2fa8c8f292b0fac5df20f041c506f70e70b6113bf4dca
SHA1 hash: c9dff39d67d6fb2ec41fef17e8f34430566ffd1c
MD5 hash: 943e6e2be5b62632dd3b01189a5626c7
humanhash: sad-virginia-stairway-lima
File name:943e6e2be5b62632dd3b01189a5626c7.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:431'104 bytes
First seen:2021-10-01 21:00:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3cd0350cb20713093b4eb51a8785dabd (3 x ArkeiStealer, 2 x RaccoonStealer, 2 x Stop)
ssdeep 12288:rIlLGPv5jUzb5hfhAZos+JMfmgW7gRPnYUD4oRGhFf:rW6yH5RPJgpjgUs4AF
Threatray 3'388 similar samples on MalwareBazaar
TLSH T1BB94125EAD11C07AE4121E344C948A50A17A7C5BB52CDE477F893BFB1E322C5BA77283
File icon (PE):PE icon
dhash icon b130f8b2d2f83087 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.63/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.63/ https://threatfox.abuse.ch/ioc/229384/

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
943e6e2be5b62632dd3b01189a5626c7.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 21:01:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c37c3d98-a2e7-49e7-895f-80ed5c63dc83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194055/
Detection(s):
Win.Packed.Filerepmalware-9897102-0
Create hunting rule

Win.Packed.Generic-9897127-0
Create hunting rule

Win.Packed.Generic-9897302-0
Create hunting rule

Win.Packed.Generic-9897371-0
Create hunting rule

Win.Packed.Generic-9897548-0
Create hunting rule

Win.Packed.Generic-9897607-0
Create hunting rule

Win.Packed.Generic-9897628-0
Create hunting rule

Win.Packed.Fragtor-9897699-0
Create hunting rule

Win.Packed.Generic-9898145-0
Create hunting rule

Win.Packed.Generic-9898156-0
Create hunting rule

Win.Packed.Generic-9898162-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/226615d3-8bad-4c8c-a1ef-3e93643d3ca6
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862919
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 12:06:41 UTC
AV detection:
32 of 45 (71.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uv3g42sizhta5erkwajtt33jkrhrm53vtuwes4feeza63i3o2bfa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
13d6a16d6626f7c0967e4dfb75112b136eb97a56f50e2239adcfa4f97dad8a1e
RaccoonStealer
2472f36cc2f885d0f48931e39d5bd6156e3e23a3072df77b5248afb668c16410
RaccoonStealer
4536b4f09029d0abdc6d7b2fac07d6df06b6a7f3ba38e8f8de143ad3f24098a5
RaccoonStealer
6d031a249c2f9115082e8f511514bc4fd5bc1fa20d6a5ebf525c7d51fed5ffd5
RaccoonStealer
70d0690f7740be76d6c2b2f62ee5cbbe594337cda04254df881915c4f834dbfc
RaccoonStealer
a10988cafea84ff676e2f8a3c24f9a4f6af043e30437a0673bbfed5034c764f2
RaccoonStealer
c1545e4cff8b74630cf80b0631d197dacedbd3b65725153913c9ebc83e8b9420
RaccoonStealer
c169596df6ecb34d460a6012d943e8014befa2f160c5dd8497bfaed4170c7cce
RaccoonStealer
e43a9203ce9b7398946020198e343d697bb2dd9190fe9c36b209a3db35872d7b
RaccoonStealer
f2d3836aef9771efe1fa4b1a3fad5488c2d3511cd536f5ee4cd29c8a3d2b5399
RaccoonStealer
+ 3'378 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1ea547c0a567138950af900718b7747d9f51d0cb discovery spyware stealer
Link:
https://tria.ge/reports/211001-ztvg1adbf6/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
34f59f9e637e7b4cd7354402c127fa06a9b363da8aa44fd8eac77b1251d1a068
MD5 hash:
5e18f789dc606adf5de9be92fb74296b
SHA1 hash:
a7937de9a889890564da83bc5d3c18aad47c8299
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/15e2d60c-3fd8-4f3c-94a8-7f44ae98a8b2/
Parent samples :
78436634a8f469fc338c271932840f9e2555050324c432b3398104784768d61b
b66ffdb7174f4c240e016033010d29a21ef2e083a62afe6275bf6bf9027b28c7
a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a
694db8e54fde33867d2633b82199a3fd4a312a60988abe9dd7f24172f24b23ab
04e0c80f6ace3e8e01913bf43cce4d4ee8f01f42566fbac36b3e07fa8f8239ee
f8db29c84a111b0b48a7e4592aa1769db2ac25d069533392133d44f3906e7730
SH256 hash:
a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a
MD5 hash:
943e6e2be5b62632dd3b01189a5626c7
SHA1 hash:
c9dff39d67d6fb2ec41fef17e8f34430566ffd1c
Link:
https://www.unpac.me/results/15e2d60c-3fd8-4f3c-94a8-7f44ae98a8b2/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a5766e6a48c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5766e6a48c9e60e922ab01339ef69544f1677759d2c4970a42641eda36ed04a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194055/

Comments