MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6289fa1e20c13069794193bcf2db96b592a2e9384d85e07ba000a381ec987a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 14

SHA256 hash: a6289fa1e20c13069794193bcf2db96b592a2e9384d85e07ba000a381ec987a4
SHA3-384 hash: a54643a7b1c47bc024154b434d7daa059d9258fff80ce28015bd5762bb487858c4ec90a1436fb852f5a9a02875f82aa3
SHA1 hash: 455cb59fd448202d8c704ea8916f39bd3ce26cb3
MD5 hash: 7ba272b66afecf9598168090d6f79f72
humanhash: football-bakerloo-snake-london
File name: 7ba272b66afecf9598168090d6f79f72.exe
Signature: RaccoonStealer
File size: 469'504 bytes
First seen: 2021-10-30 13:46:37 UTC
Last seen: 2021-10-30 15:23:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c0df013463ae9c6441312a1218343a59 (12 x RaccoonStealer, 2 x RedLineStealer, 1 x Smoke Loader)
ssdeep: 12288:bxFFOE3WK/mUV0UK58CMV8wN3mR87unn:AE3yax08h5N2ec
Threatray: 4'072 similar samples on MalwareBazaar
TLSH: T193A40230777AC0B2C8A346B06934C7B549B67D226536458B2B54DB2E2E70ECC5BED34E
dhash icon: fcfc94f4d4dcd8c0 (3 x RaccoonStealer, 2 x RedLineStealer, 1 x DanaBot)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://91.219.236.97/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://91.219.236.97/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/239602/

Intelligence


File Origin
# of uploads: 2
# of downloads: 279
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7ba272b66afecf9598168090d6f79f72.exe
Verdict: Malicious activity
Analysis date: 2021-10-30 14:01:23 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Result
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-10-30 13:47:06 UTC
AV detection: 23 of 45 (51.11%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:9be4351fe388e9415fffad9d67a83ceff5dcd43a stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: ce001fe38be9c384c12522b57e501e59b13588ec1074c0714beedc59c7a49c05
MD5 hash: cfb32d32dcc5a0084c595501b76aa359
SHA1 hash: 6798276444bb76f7408ce365f9a9fdd947200b67
Detections: win_raccoon_auto
Parent samples :
SHA256 hash: a6289fa1e20c13069794193bcf2db96b592a2e9384d85e07ba000a381ec987a4
MD5 hash: 7ba272b66afecf9598168090d6f79f72
SHA1 hash: 455cb59fd448202d8c704ea8916f39bd3ce26cb3
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe a6289fa1e20c13069794193bcf2db96b592a2e9384d85e07ba000a381ec987a4 (this sample)
Delivery method
Distributed via web download

Comments