MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 3 File information Comments

SHA256 hash:	e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3
SHA3-384 hash:	750d41f039b2cfeea44fd1ecd0ab244dc36394d53512e49aa58c4b1fe35ef1999b4f801f3dc11ff1940fe10e443131f7
SHA1 hash:	5f191f0200babefcbd32c5f3f7e16571640ed354
MD5 hash:	1853e380fad30fa75165d4621d6132ac
humanhash:	montana-cola-nitrogen-foxtrot
File name:	1853e380fad30fa75165d4621d6132ac.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	475'648 bytes
First seen:	2021-10-29 21:05:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fa148d0c70a978454538a9c9c0513fc1 (4 x RedLineStealer, 2 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	12288:06oDTkR5CFSyXFYhlIxgvwgzSuZoAqvYNS:0tPXFYwxgvHSuZo6w
Threatray	3'997 similar samples on MalwareBazaar
TLSH	T197A401117B90C075E076957D4C32CA924B6A7DC7D97CC58B3B973A6E1E303C0AE2A35A
File icon (PE):
dhash icon	fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://91.219.236.97/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://91.219.236.97/	https://threatfox.abuse.ch/ioc/239602/

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1853e380fad30fa75165d4621d6132ac.exe

Verdict:

Malicious activity

Analysis date:

2021-10-29 21:11:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8c817d33-751d-4812-8715-fbb0f451618a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Generic-9904327-0

Win.Trojan.Generic-9904328-0

Win.Dropper.Raccoon-9904713-0

Win.Trojan.Generic-9904992-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eff1e25b-4cac-447a-b4d3-16a5dda35f54

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/879619

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-10-26 18:59:46 UTC

AV detection:

35 of 44 (79.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4do67iwycaodmaxydbvkalc3o4hjfcqwfpbuqpoil5qfutqnaorq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

6e18d84c27f27d9dc452c01662fae71e04622f57864d12b12de12b52784b4eac

RaccoonStealer

6fb3db4c15de9f7e366c868bb805275d0d94a8ea8c1566ac7819044023ae5c34

RaccoonStealer

937626d18f1e68354b43aefc092e7833333b219fce7648ca28b94f2f46f13b10

RaccoonStealer

97dbb2b9d161dd2b5f26eb48acef6ef70701b75a75b2d281e3dbb7fd946de319

RaccoonStealer

ca30cae9fee835a2a12b111864d52a15f92a5a8b0e6fa7ae189833654bff712e

RaccoonStealer

ee72d76436717cfab41a33950d641e7e6820d23369b21fe937cc2fc2549c6869

RaccoonStealer

+ 3'987 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:8dec62c1db2959619dca43e02fa46ad7bd606400 stealer

Link:

https://tria.ge/reports/211029-zxqyzsagfm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

e82323179c6aa25296935c2c0bb2cccc31cbdd6a1e6d5d07cca7cb39ba0e8ecd

MD5 hash:

12c5a03c855eef802d4acc9a88de4b13

SHA1 hash:

9b3277b88cd96f680cf247f8d7dc5bfcc08a0ccb

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/aec2c5ed-4e89-4856-922f-dd5c62318a97/

Parent samples :

e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3
a6b03de6f9e8eadbd3ad94084b19fbed87a070ef21e2baf63c338790b2ae24e9
2b8b768eeffd26b5aee05c3e1d309c6c9f94a62d2ba8a230695305008cbfb985
8abe4bc33112ce5bc9ce4ef8b33187c33a537cf540a63eb9562b4a0622f634aa
d17dadc2bb57905c88308f79228810b1f7fd28dfafe07717e2b4bf0d8e014f86
72f0a495127d1b3e3bbab9ab771ed6adeb94ca7663c282679b9d115e0de1af30

SH256 hash:

e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3

MD5 hash:

1853e380fad30fa75165d4621d6132ac

SHA1 hash:

5f191f0200babefcbd32c5f3f7e16571640ed354

Link:

https://www.unpac.me/results/aec2c5ed-4e89-4856-922f-dd5c62318a97/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e0ddefa2d810/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Raccoon stealer payload

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample