MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0c599b0dccc70c7a074b9f14f5da4b8503b87205ef9367a841f59e989d50e37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0c599b0dccc70c7a074b9f14f5da4b8503b87205ef9367a841f59e989d50e37
SHA3-384 hash: 892ceb09abc7c217c7f2798af258c2a012c2eb2fb78e3c6ca38c6a102a0afdb57b4fb38b890f0276c6c548bf586b5680
SHA1 hash: 52f283103448e55d3aae8a71bda58a663f808544
MD5 hash: b078e7d741ec323223e402ff27dac814
humanhash: papa-montana-coffee-foxtrot
File name:E0C599B0DCCC70C7A074B9F14F5DA4B8503B87205EF93.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'146'044 bytes
First seen:2021-08-20 13:10:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81c79ff1893a0715043138f6858d7a77 (1 x RaccoonStealer)
ssdeep 24576:6OLb9ivWrXrrrBgMZneaXMkgeVBkl/rKp3w1I3BzyqmgvL4+UMr2Wqwz0Sy:Rbw2L6+UNnwz0
Threatray 2'684 similar samples on MalwareBazaar
TLSH T12135341719237919EB8681F1B78EC8BB742A6E401F904CC3270F4916EE99F2987D6FD1
dhash icon 64c4c4d4dcdcd4d0 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.140.147.35/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.140.147.35/ https://threatfox.abuse.ch/ioc/192382/

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E0C599B0DCCC70C7A074B9F14F5DA4B8503B87205EF93.exe
Verdict:
Malicious activity
Analysis date:
2021-08-20 13:11:51 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/0669bca3-5a17-415b-8c42-a6d1849cf298

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180948/
Detection(s):
Win.Malware.Racealer-9865800-0
Create hunting rule

Win.Malware.Racealer-9865801-0
Create hunting rule

Win.Malware.Racealer-9865802-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Sending a UDP request
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f6db2ab-ef7d-4fc4-92c8-394b38efbc82
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/836417
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0c599b0dccc70c7a074b9f14f5da4b8503b87205ef9367a841f59e989d50e37/
Threat name:
Win32.Infostealer.RacoonStealer
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 15:46:46 UTC
AV detection:
25 of 27 (92.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dcztmg4zrympiduxhyu6xnexbidxbzal34tm6ued5m6tcovby3q._file
Verdict:
malicious
Similar samples:
03659dfd8c9a7f8b300972af15621b9d67b8854cfbf66ecab15f63b1686afa2c
RaccoonStealer
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
RaccoonStealer
25635e943bef1181ce962f2294a131960b61c093159e197dabda485a88e9b069
RaccoonStealer
2884051cd64be98b26224c6cd9ba46bc6802242fdb2aabbb3dd4aa6b1eb16a78
RaccoonStealer
4169236e7560956d442207c2cc74a767f6470bcedf1d8022677e0aee8949d4f5
RaccoonStealer
45269d3d0fbf13c80d6c496d3ee36e13808e36063bc82e3247cfc291e0f9223c
RaccoonStealer
4960918e52dd7f7db806c36c9393ef8329e173c60d9f59de66474af874ba1e46
RaccoonStealer
4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35
RaccoonStealer
aa703fb814c6e09c409060654ea9b5798b6a99cb0ceb25bd31bf894dc60702f5
RaccoonStealer
c082ed88815d66ea1bf11f905d15a39faa502d4b458a15cf31d5cd5e7bc7156e
RaccoonStealer
+ 2'674 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:028c69d68bfabb3934ff6f9b39a14570b49bef2f discovery spyware stealer
Link:
https://tria.ge/reports/210820-d75e3ejezx/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Raccoon Stealer Payload
Unpacked files
SH256 hash:
6048c05336807a1edc73e9b7ddf197286347fa277beb90f898dfbbc7c280aaf2
MD5 hash:
8b8b42f1586aeae517e7612c3c0e2581
SHA1 hash:
499fba951e576b69e79a7d19fa1da944bf310273
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/1b102cea-90df-4200-a245-037e06bf36c8/
SH256 hash:
e0c599b0dccc70c7a074b9f14f5da4b8503b87205ef9367a841f59e989d50e37
MD5 hash:
b078e7d741ec323223e402ff27dac814
SHA1 hash:
52f283103448e55d3aae8a71bda58a663f808544
Link:
https://www.unpac.me/results/1b102cea-90df-4200-a245-037e06bf36c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0c599b0dccc70c7a074b9f14f5da4b8503b87205ef9367a841f59e989d50e37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:WIN32_MALWR_DROPPER_INJECTOR_RANSOMWARE
Create hunting rule
Author:Jesper Mikkelsen
Description:Detect Suspicous dropper injector - possible ransomware dropper
Reference:SHA-1:0feda1e7b0d4506270c85973826fa498e9ed0f5b
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180948/

Comments