MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e04613a0c40b79eb6e846ee73e585aafa78236685eff5dd1ad2b0c5ccc9e6a83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e04613a0c40b79eb6e846ee73e585aafa78236685eff5dd1ad2b0c5ccc9e6a83
SHA3-384 hash: 5fe51d1cd8f13819f20d2bc5891465edb08fde51f2c53850fe9a2ebfa99aaad6fec1093d0a2bfc45c443e2dafce93ad5
SHA1 hash: 7eca2da89323239e30189cd97fe9c09bcc012165
MD5 hash: 71031e3ddcb293074cd825d58e6ab022
humanhash: fix-virginia-green-july
File name:E04613A0C40B79EB6E846EE73E585AAFA78236685EFF5.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:652'472 bytes
First seen:2021-09-01 13:20:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'700 x AgentTesla, 19'522 x Formbook, 12'222 x SnakeKeylogger)
ssdeep 12288:IR4X+Qzyor+UNzjdc3Eiy+iW5mfeTdiydKIolBCd9:J+Qzz+UNzjdc0ZY5Hld9
Threatray 3'797 similar samples on MalwareBazaar
TLSH T10AD4022C3BD61AD0E4F92EBDB8D1F2350B36BD5A8615CB163D55158A0C207CA6C4BF27
dhash icon 800048d1a3a24082 (1 x RaccoonStealer, 1 x CoinMiner)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.144/ https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E04613A0C40B79EB6E846EE73E585AAFA78236685EFF5.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 16:30:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c7fab691-e048-4593-9506-f77e88432f17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184465/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP POST request
Sending an HTTP GET request
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Delayed reading of the file
Creating a window
Running batch commands
Launching a process
Stealing user critical data
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f084a59b-2701-4c73-9ecb-fb02346cae55
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/843337
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 475768 Sample: E04613A0C40B79EB6E846EE73E5... Startdate: 01/09/2021 Architecture: WINDOWS Score: 96 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Raccoon Stealer 2->41 43 3 other signatures 2->43 8 E04613A0C40B79EB6E846EE73E585AAFA78236685EFF5.exe 3 2->8         started        process3 file4 23 E04613A0C40B79EB6E...8236685EFF5.exe.log, ASCII 8->23 dropped 45 Self deletion via cmd delete 8->45 47 Contains functionality to steal Internet Explorer form passwords 8->47 49 Injects a PE file into a foreign processes 8->49 12 E04613A0C40B79EB6E846EE73E585AAFA78236685EFF5.exe 84 8->12         started        signatures5 process6 dnsIp7 33 tttttt.me 95.216.186.40, 443, 49705 HETZNER-ASDE Germany 12->33 35 45.142.215.144, 49706, 80 CLOUDSOLUTIONSRU Russian Federation 12->35 25 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 12->25 dropped 27 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->27 dropped 29 C:\Users\user\AppData\...\ucrtbase.dll, PE32 12->29 dropped 31 56 other files (none is malicious) 12->31 dropped 51 Tries to steal Mail credentials (via file access) 12->51 53 Self deletion via cmd delete 12->53 55 Tries to harvest and steal browser information (history, passwords, etc) 12->55 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e04613a0c40b79eb6e846ee73e585aafa78236685eff5dd1ad2b0c5ccc9e6a83/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 08:15:42 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bdbhigebn46w3uen3tt4wc2v6tyentil37v3unnfmgfzte6nkbq._file
Verdict:
malicious
Similar samples:
08fd20d116a64a8e132dee3f603b07bb0050434cfe3f494678a00a2ea50f025e
RaccoonStealer
56d389a215fd102eecb65009b5681642a66232e8b68aaa029b377554e1db7689
RaccoonStealer
65a471e7b1376b3977ee1a322bc8dd818ea617851f2704f635a6df644bc42f84
RaccoonStealer
7fa8300652f1b8c48e6ac25203994e388acb14ffc29393da5175de05ec1614d8
RaccoonStealer
89200f68a4e1f756e7d3ce7616fe95a34586179e4029d541751a9645a6ac9582
RaccoonStealer
aeeabbefb0ce4cc909ebc3c7d36d3272d55c09db77a162b7e607936e126d05c0
RaccoonStealer
ccb48c19dab11418d38d63afbbf75556ca75531ed4a8947bcc5f3e35dc2b700a
RaccoonStealer
d5b9b72950395ae3b512f96e87184429b9744c514ed14891cce9f5972764a296
RaccoonStealer
d7b0af7c27ad1013e5edb42078590f6060a210ce48b460e6fd50616a4278295d
RaccoonStealer
+ 3'787 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:acea59368e29f7d93dfe48ea398ec6c9146816d7 discovery spyware stealer
Link:
https://tria.ge/reports/210901-95xh2x5dta/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Raccoon Stealer Payload
Unpacked files
SH256 hash:
6899b3d6a0206b57bdb4e89a967036accbd0cedf1dd70f5d936682dd157f798b
MD5 hash:
6ba0b90c0e08b04ed5e6c68125a1a7da
SHA1 hash:
78275a6378095f6140126406f08394d4a07386d8
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/49b44699-3c7b-4e24-9796-dcdb776b03e9/
SH256 hash:
3d6f3ad6e3a7d82148a6666b4a6231bc3ad32d209b97c4859df4f2604bdbfda3
MD5 hash:
fb0ed1437642b181bb3daa66f49d4957
SHA1 hash:
299d6ac09d7452c931d0378ccb9b3c827e22f30b
Link:
https://www.unpac.me/results/49b44699-3c7b-4e24-9796-dcdb776b03e9/
SH256 hash:
e04613a0c40b79eb6e846ee73e585aafa78236685eff5dd1ad2b0c5ccc9e6a83
MD5 hash:
71031e3ddcb293074cd825d58e6ab022
SHA1 hash:
7eca2da89323239e30189cd97fe9c09bcc012165
Link:
https://www.unpac.me/results/49b44699-3c7b-4e24-9796-dcdb776b03e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e04613a0c40b79eb6e846ee73e585aafa78236685eff5dd1ad2b0c5ccc9e6a83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184465/

Comments