MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5
SHA3-384 hash: 2f8480345872a2f6faba9df2e291b924e736e17fdc0b7c2eefae854f54685d8c9f9926af74892ad17b95ebeae1ffc831
SHA1 hash: 141e7b7b2a4a31b2a7e599b2d2064239fcc66707
MD5 hash: 0f9d1f2e3aaad601bb95a039b0aedcfb
humanhash: glucose-utah-paris-hawaii
File name:0f9d1f2e3aaad601bb95a039b0aedcfb
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:580'608 bytes
First seen:2021-11-14 11:02:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ed1b1d17b38d0dd027b889df8df37758 (10 x RaccoonStealer, 4 x Smoke Loader)
ssdeep 12288:yYwM38J59NGoCVB/UWhqNjuW0FwI02A9LFbo277FWcmJXkzsrmviikJW:yY138J5yNVB7LVwI0Hu2mm/q
Threatray 4'170 similar samples on MalwareBazaar
TLSH T16CC4D000B6B0C035F5B266F94DB69268A43FBDA1AB3591CF61D536EE4634AE0EC31317
File icon (PE):PE icon
dhash icon eae8e8e8aa66a499 (1 x DanaBot, 1 x Stop, 1 x DCRat)
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205670/
Detection(s):
Win.Packed.Generic-9909532-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6190ece83edf00a722d387e3/reports/ab79977a-d810-4e6b-b842-ba20a3d0e43b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2adc3127-8ff4-4dc0-af13-37ddc2adc142
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888863
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 23:03:04 UTC
AV detection:
26 of 27 (96.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nhmgbxkglabznegkzwgtg43raatx2zgykbqgglylp22j3shgw2q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
50edf4a2c95ef6c29c69ab2c3590b94420c0c86c591b3213b11a85afb46d872a
RaccoonStealer
a6ef4df2da289c7494453df35117b375124fbe5b6dc7d6bc571f4218efc24e8e
RaccoonStealer
c0177c9922a4b6a95aef096fc5f39bef8412e7ee2fec4a21fe91f7ea03dfa951
RaccoonStealer
c288cd772d64fde2421fff6faac53e75a179ddb17029f5d4c5944fa7fb44cd63
RaccoonStealer
dd342468231a6e7e5cd08f7003da4185736c258be4cd0ecd61ff119d664c6b9b
RaccoonStealer
f0c6c81477938fcae74fe57391235d9128ef6b155052c78dcd18904ff702da80
RaccoonStealer
+ 4'160 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:ddf183af4241e3172885cf1b2c4c1fb4ee03d05a stealer
Link:
https://tria.ge/reports/211114-m5ppnsdbhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
4fd3fb38a76d5ed85d5638f74edc572ff86503ca28e6d68d6e13a5e4e54d8209
MD5 hash:
3ae7bfb6478c0bcd2c0e2f54b97f7ea0
SHA1 hash:
2cff331a8dcddb34d7e30a078ffa772c6c2ef4be
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/39e2a650-70e4-4e92-9725-21cb922c47bc/
Parent samples :
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5
bf5031c61e39f9dfb379eba03181bfc5bdc63527c25588279fc9e2684e462c11
fa30571b12211c46fc47639a9d4df6fdeacc8ea6ecffd0a3022f82ffe43d50b1
f106e2efb90c57289bbe57b3be618c063c1bc70f3eaabd2afa73e53c2168a54d
SH256 hash:
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5
MD5 hash:
0f9d1f2e3aaad601bb95a039b0aedcfb
SHA1 hash:
141e7b7b2a4a31b2a7e599b2d2064239fcc66707
Link:
https://www.unpac.me/results/39e2a650-70e4-4e92-9725-21cb922c47bc/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/db4ec306ea32/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1785316/
Cape
Cape
https://www.capesandbox.com/analysis/205670/

Comments


Avatar
zbet commented on 2021-11-14 11:02:45 UTC

url : hxxp://host-file-host0.com/files/2267_1636828447_4225.exe