MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d06e335a2ae5ec650f1272bdb4c780ee859c6ebe54b2d0948b6f9cd8db6b316e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d06e335a2ae5ec650f1272bdb4c780ee859c6ebe54b2d0948b6f9cd8db6b316e
SHA3-384 hash: a1dd9f741de4b36d1167d048111473356dd429bc3618623f03326b679162f4560d52ff86237f9d96c040258b357f1e1a
SHA1 hash: 98173f9eaf1a8b3a12116f27a957f05aa2c8481b
MD5 hash: aa1954a90a54f0a55cd7dae5a283ff1e
humanhash: monkey-south-johnny-freddie
File name:aa1954a90a54f0a55cd7dae5a283ff1e.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'116'672 bytes
First seen:2021-11-23 17:51:26 UTC
Last seen:2021-11-23 20:43:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b949414a1cbbc9af7d834ae8be805f (11 x RedLineStealer, 5 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep 24576:4//aCMpwCVQiE/EZxyR3rpJ4J+fjTC8LXqFcz:4//a1pxV/UTrpoGv6Fcz
Threatray 1'957 similar samples on MalwareBazaar
TLSH T1B7353332E900B416D80052F0E6175DB73C50EBFA6EF677A971EAB81F6F34252215F928
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.69/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.69/ https://threatfox.abuse.ch/ioc/253491/

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa1954a90a54f0a55cd7dae5a283ff1e.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-23 18:02:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e47592ea-0b54-4c1d-819f-50510658fd1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.AsprotectSke-3
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed racealer
Link:
https://www.filescan.io/uploads/619d2a4502c80febc2a74fab/reports/437fb632-ba0b-481d-8d23-29cec328ea16/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b8bad48-e8f4-4f16-bbc6-2552fec0d0f2
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894948
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 527426 Sample: oKY1oBcWbg.exe Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Multi AV Scanner detection for domain / URL 2->46 48 Antivirus detection for URL or domain 2->48 50 6 other signatures 2->50 7 oKY1oBcWbg.exe 84 2->7         started        process3 dnsIp4 34 91.219.236.207, 49760, 80 SERVERASTRA-ASHU Hungary 7->34 36 91.219.236.27, 80 SERVERASTRA-ASHU Hungary 7->36 38 3 other IPs or domains 7->38 26 C:\Users\user\AppData\...\maooSzBgKK.exe, PE32+ 7->26 dropped 28 C:\Users\user\AppData\...\4uHSoEIrlH.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->30 dropped 32 58 other files (none is malicious) 7->32 dropped 52 Detected unpacking (creates a PE file in dynamic memory) 7->52 54 Tries to steal Mail credentials (via file / registry access) 7->54 56 Self deletion via cmd delete 7->56 58 Tries to harvest and steal browser information (history, passwords, etc) 7->58 12 4uHSoEIrlH.exe 15 7->12         started        16 maooSzBgKK.exe 14 3 7->16         started        18 cmd.exe 1 7->18         started        file5 signatures6 process7 dnsIp8 40 ccf9ba3695b15b4f0787e6290e0f63allcomejroo839jxi13.xyz 207.244.237.176, 49772, 80 CONTABOUS United States 12->40 60 Performs DNS queries to domains with low reputation 12->60 20 conhost.exe 12->20         started        42 www.google.com 172.217.168.68, 49814, 80 GOOGLEUS United States 16->42 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->62 22 conhost.exe 18->22         started        24 timeout.exe 1 18->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d06e335a2ae5ec650f1272bdb4c780ee859c6ebe54b2d0948b6f9cd8db6b316e/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-20 23:11:16 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
23 of 44 (52.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2bxdgwrk4xwgkdysok63jr4a52czy3v6ksznbfeln6onrw3lgfxa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
07741f444f37245f829e5b349f34d923f64c2af50d0e69ebf247adfb20e70979
RaccoonStealer
3e820217037e312b739d6514547da6a7afd3d9e3b92dc90e6c30c35808fb5214
RaccoonStealer
57127e39e8381f5008ef721023300501ff39b9018907a46a34b7e40d317d8f85
RaccoonStealer
67ad7348d5bfbb13a98697962b46a7a833137b636b49c6eac2829c2d425e9dfa
RaccoonStealer
723d15ca0fcc0b04a5b3f25a2fb8a30d3676929d3672b2274dd7e82e1974cfb4
RaccoonStealer
888b7c0da59de4fb96352a4db14b1674881eea78028100bd8ffd8757f21fffdc
RaccoonStealer
ce231785f06d7c6b33b20dded67b62f759ec23b23bee89b01fcb00953f7028c9
RaccoonStealer
de074784466375ef8258b4dbea4dd579fd9edf0c0e0f2b97afa39d00659f6763
RaccoonStealer
e26fe6535f9ec57538d49515fdf98b1a925fa26dd28040a96a5bc1c94a691975
RaccoonStealer
fe3d7939166e8e6ae965d66d98f6ee5583e535b575ba194aef038c6c1ea15ae4
RaccoonStealer
+ 1'947 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:fe1f102f3334068962b64125bcb00816dba46087 stealer
Link:
https://tria.ge/reports/211123-wfqp4sahbj/
Behaviour
Raccoon
Unpacked files
SH256 hash:
dcd463c67de9151a355962620bf86202c4ddb0814ac314279a34a432cee908f8
MD5 hash:
b83d8c5333e779740be1a115e1b320d6
SHA1 hash:
2137edc2d54e12ca2a1c8eaf9b84572d000c5c51
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/7c6eec5f-bd9b-428e-96b4-4b2676e4f953/
SH256 hash:
a567c26e93c86bf2802ba998ab4488144553c0f661e8e4276b62aafa9b9e80eb
MD5 hash:
331876a6163152326366a29c02199c09
SHA1 hash:
8995e0cd6235a64c5f8afdc1425f63f78b0e246e
Link:
https://www.unpac.me/results/7c6eec5f-bd9b-428e-96b4-4b2676e4f953/
SH256 hash:
d06e335a2ae5ec650f1272bdb4c780ee859c6ebe54b2d0948b6f9cd8db6b316e
MD5 hash:
aa1954a90a54f0a55cd7dae5a283ff1e
SHA1 hash:
98173f9eaf1a8b3a12116f27a957f05aa2c8481b
Link:
https://www.unpac.me/results/7c6eec5f-bd9b-428e-96b4-4b2676e4f953/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d06e335a2ae5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d06e335a2ae5ec650f1272bdb4c780ee859c6ebe54b2d0948b6f9cd8db6b316e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe d06e335a2ae5ec650f1272bdb4c780ee859c6ebe54b2d0948b6f9cd8db6b316e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/208774/
  
URLhaus
https://urlhaus.abuse.ch/url/1809826/
  
Delivery method
Distributed via web download

Comments