MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e266297bd6f57232b8421fa09de406f352591328d452b04b183144427f43011a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	e266297bd6f57232b8421fa09de406f352591328d452b04b183144427f43011a
SHA3-384 hash:	0fef2372dde8ee07921f42192cb434f33e8b9407ce3e6e35ae397c19f2a715e208825b22e6831b33c6ce2fce2cc81dd1
SHA1 hash:	d5148025f2f3e99e0bd440e599d40f4e0ccbb059
MD5 hash:	35e7888189d7515a2161db1b7502c193
humanhash:	quebec-sixteen-fourteen-arizona
File name:	35E7888189D7515A2161DB1B7502C193.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	574'464 bytes
First seen:	2021-07-30 19:55:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	70e518a4e374b11de0b31f3e2e46dd7e (1 x RaccoonStealer)
ssdeep	12288:FUkbBuiwzaWhct6hVJGOPsIWV0rA9OGYVQBN/kczs:FUkciwjjGOPsITchYV
Threatray	1'338 similar samples on MalwareBazaar
TLSH	T1C9C4E00067A0C0B9F5B732B85D7A9FB465E97EB16B6450CF62C52AEA47306F0AC31713
dhash icon	aadaae9ec6a6aab2 (1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.234.247.148/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.234.247.148/	https://threatfox.abuse.ch/ioc/164913/

Intelligence

File Origin

# of uploads :

# of downloads :

581

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

35E7888189D7515A2161DB1B7502C193.exe

Verdict:

Malicious activity

Analysis date:

2021-07-30 19:57:11 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/de73cd99-6a2a-433c-91a1-1c1c4fce2dc9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/175358/

Detection(s):

Win.Dropper.Raccoon-9871234-0

Win.Malware.Generic-9871244-0

Win.Malware.Redline-9871299-1

Win.Packed.Pwsx-9871324-0

Win.Malware.SmokeLoader-9871566-1

Win.Packed.Pwsx-9872818-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8aadec49-5474-4756-aef6-e8d6557ff5de

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/824689

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e266297bd6f57232b8421fa09de406f352591328d452b04b183144427f43011a/

Threat name:

Win32.Infostealer.Convagent

Status:

Malicious

First seen:

2021-07-27 04:29:13 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4jtcs66w6vzdfoccd6qj3zag6njfsezi2rjlasyygfcee72daena._file

Verdict:

malicious

RaccoonStealer

143cf1724057f9b6a6630656e8735857d6146ff6dd0c2afc736545b46194437c

RaccoonStealer

1555f744c779e3ce93f92b454ad2092e136622c39c21eca20125dd79cdf8fb94

RaccoonStealer

2c5105d428486ab9bd43df850f2b74e9250769976662bc9937128ce0ff6257b0

RaccoonStealer

4d7bb45f219aaebc5c2745b60879b954a56b58a3f16c5e5c3252143c9b7a3a47

RaccoonStealer

4e0cca88ac33e671cd7cc9689605b8830d03ad80e39e716516381499be1c906a

RaccoonStealer

afa7f830663555f46ce1f944605092c8259dbc9f36970d7305588d56ba03c728

RaccoonStealer

c5a3e3c23c820cc768a283e2a66515722048a51ece2387bcb8883a3b6a061b41

RaccoonStealer

d8d3c3800a157b2b6efa4fd9f0e07901a404f8d19d3e7163f4ae31776ff7a3a2

RaccoonStealer

e479976218616ff4a1303a5e783d6034d06ee0e2c6e0fb9c7f4e42c0b794541f

RaccoonStealer

+ 1'328 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:033290187f927bc60a9d7571f4b6be0b4066e20d stealer

Link:

https://tria.ge/reports/210730-hbj4qnq7zj/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Raccoon

Raccoon Stealer Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

e09d12779c29bdf87df2df916fb2fac86bafcd0e1e9b19528ddc9e21745f6be7

MD5 hash:

19bec8a71745cff383e93512bca27e23

SHA1 hash:

f79799983760005998e2087ef9b95400ec135e6d

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/23952eba-7f3d-4a1f-aff4-18047ee31d57/

Parent samples :

b4ae66ae60bce1d66bf3359720c2be58cb944b9c47cba4a06defb6f3ebc58347
e266297bd6f57232b8421fa09de406f352591328d452b04b183144427f43011a

SH256 hash:

e266297bd6f57232b8421fa09de406f352591328d452b04b183144427f43011a

MD5 hash:

35e7888189d7515a2161db1b7502c193

SHA1 hash:

d5148025f2f3e99e0bd440e599d40f4e0ccbb059

Link:

https://www.unpac.me/results/23952eba-7f3d-4a1f-aff4-18047ee31d57/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e266297bd6f57232b8421fa09de406f352591328d452b04b183144427f43011a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175358/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample