MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1188d327931485523c83b1e16af6096af97f2753bfbc1a7065e42eb58a2b110. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1188d327931485523c83b1e16af6096af97f2753bfbc1a7065e42eb58a2b110
SHA3-384 hash: a0ed29cb1e2a07af2a0d0fe6087c0b339a9dd3c9ac9e9bcec8a909d02d017b55715d73066471bdd1f5f21ba60f4d80ef
SHA1 hash: f4d17997fded9c8fad153a67f02b0d768849bf1f
MD5 hash: a20e837c00b73d104f168c5e3556ed69
humanhash: beer-maine-bluebird-oxygen
File name:a20e837c00b73d104f168c5e3556ed69.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:518'656 bytes
First seen:2021-08-13 21:16:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e4e1e1e6e225074b287b0f65b50fbc7e (3 x ArkeiStealer, 2 x RedLineStealer, 1 x GCleaner)
ssdeep 6144:Hzbpw6dkcsjPtNxTvYcCRpykL8evCB4LffEQb9srZIC7SOPV+bW4vCIwY8:HzijVHYxL8WCWjPGrOCXV8DC5
Threatray 1'455 similar samples on MalwareBazaar
TLSH T11AB40130A682F872F1D74531743DD7E4F27AF8605B54429B26983E6E7E33280576A33A
dhash icon 4839b230e8c38890 (25 x RaccoonStealer, 4 x RedLineStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.77.115.2/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://34.77.115.2/ https://threatfox.abuse.ch/ioc/185163/

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a20e837c00b73d104f168c5e3556ed69.exe
Verdict:
Malicious activity
Analysis date:
2021-08-13 21:17:00 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/780c9ee0-0beb-453c-b9ef-bd0b3e55a6d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179094/
Detection(s):
Win.Dropper.Upatre-9884831-0
Create hunting rule

Win.Packed.Generic-9884888-0
Create hunting rule

Win.Malware.Generic-9884893-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SpyEye
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90dc4bca-501e-4c17-a03c-446e072b9f07
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832670
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 465101 Sample: pOA5rPS19W.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Multi AV Scanner detection for domain / URL 2->85 87 Found malware configuration 2->87 89 8 other signatures 2->89 9 pOA5rPS19W.exe 83 2->9         started        14 MicrosoftApi.exe 2->14         started        process3 dnsIp4 61 telete.in 195.201.225.248, 443, 49734 HETZNER-ASDE Germany 9->61 63 34.77.115.2, 49745, 80 GOOGLEUS United States 9->63 65 45.137.190.197, 49746, 80 BITWEB-ASRU Russian Federation 9->65 53 C:\Users\user\AppData\...\wJhVMlwula.exe, PE32+ 9->53 dropped 55 C:\Users\user\AppData\...\KHuE3GA115.exe, PE32 9->55 dropped 57 C:\Users\user\AppData\...\vcruntime140.dll, PE32 9->57 dropped 59 58 other files (none is malicious) 9->59 dropped 99 Detected unpacking (changes PE section rights) 9->99 101 Detected unpacking (overwrites its own PE header) 9->101 103 Tries to steal Mail credentials (via file access) 9->103 105 Tries to harvest and steal browser information (history, passwords, etc) 9->105 16 wJhVMlwula.exe 2 4 9->16         started        20 KHuE3GA115.exe 9->20         started        22 cmd.exe 1 9->22         started        67 45.137.190.236, 49761, 49763, 49764 BITWEB-ASRU Russian Federation 14->67 107 Query firmware table information (likely to detect VMs) 14->107 109 Hides threads from debuggers 14->109 111 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->111 file5 signatures6 process7 file8 49 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 16->49 dropped 73 Detected unpacking (changes PE section rights) 16->73 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->75 77 Query firmware table information (likely to detect VMs) 16->77 81 2 other signatures 16->81 24 MicrosoftApi.exe 1 5 16->24         started        79 Detected unpacking (overwrites its own PE header) 20->79 28 conhost.exe 22->28         started        30 timeout.exe 1 22->30         started        signatures9 process10 file11 51 C:\Users\user\AppData\...\tmp4236.tmp.cmd, DOS 24->51 dropped 91 Detected unpacking (changes PE section rights) 24->91 93 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->93 95 Query firmware table information (likely to detect VMs) 24->95 97 3 other signatures 24->97 32 cmd.exe 1 24->32         started        35 cmd.exe 1 24->35         started        signatures12 process13 signatures14 69 Uses schtasks.exe or at.exe to add and modify task schedules 32->69 71 Adds a directory exclusion to Windows Defender 32->71 37 powershell.exe 20 32->37         started        39 conhost.exe 32->39         started        41 timeout.exe 1 32->41         started        43 conhost.exe 35->43         started        45 timeout.exe 1 35->45         started        47 schtasks.exe 35->47         started        process15
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1188d327931485523c83b1e16af6096af97f2753bfbc1a7065e42eb58a2b110/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 02:31:35 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4emi2mtzgfefki6ihmpbnl3as2xzp4tvhp54djyglzbowwfcweia._file
Verdict:
malicious
Similar samples:
024b8be122d6b658363e0e132d52d469fb107cc5b16e9f78494c89a7756852c4
RaccoonStealer
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
RaccoonStealer
1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71
RaccoonStealer
3a6c6ec5b5e168e0452009714a8d37581459b8d386c26ef69c98a6802d5e65d6
RaccoonStealer
40d59f94d24d0acc3dc9bb832853e2b9ec079f8b84f216c47a04a547877803f9
RaccoonStealer
9169cc1093e14262e9d08db10152ee815f88ed87d12bc7b934c3645d23f347ea
RaccoonStealer
97c558bcbdaf21258e91098900d19e1ba944379a779a6a7c57aec46ea3de5438
RaccoonStealer
d7854719c33f72a1afa0c562bdf44a8941b4017fbe90a215636aad91d1bf4f10
RaccoonStealer
+ 1'445 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:ad90a7d46dd9833fb5a0293f0bb4aac37f7c0140 discovery evasion spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210813-jabbr743nn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Raccoon Stealer Payload
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
2318eadfba58f48633efefad19b60db038eb798d95069e9b85503276b50d77fe
MD5 hash:
03188bf186874cd08d7e74c270e596fd
SHA1 hash:
c0dd5e0f7d2fb0e038bb94a135df1c3aa3fc81ba
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/d4e0f5b0-0fb0-4753-ad76-003084694fd3/
SH256 hash:
e1188d327931485523c83b1e16af6096af97f2753bfbc1a7065e42eb58a2b110
MD5 hash:
a20e837c00b73d104f168c5e3556ed69
SHA1 hash:
f4d17997fded9c8fad153a67f02b0d768849bf1f
Link:
https://www.unpac.me/results/d4e0f5b0-0fb0-4753-ad76-003084694fd3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1188d327931485523c83b1e16af6096af97f2753bfbc1a7065e42eb58a2b110

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179094/

Comments