MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e48620af676ceaf029827a84f094f647146c490f867b13a49a20493cfa4aea7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e48620af676ceaf029827a84f094f647146c490f867b13a49a20493cfa4aea7c
SHA3-384 hash: 090807dd71b2229e36ea2b62a7c92bd491312f3d14e1a438a023cac567cf218068661b2ed2249e62bc15e47bb2f1f7ff
SHA1 hash: aa4cc95bdeaa22a00aa6ed9e5d6e8525ff9887a4
MD5 hash: b36931871f27cabc94055e912cdccd76
humanhash: yankee-magnesium-lactose-utah
File name:b36931871f27cabc94055e912cdccd76.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:460'288 bytes
First seen:2021-03-23 16:02:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash daff80399b65bcd2a31df0f7aedb91f4 (1 x RaccoonStealer, 1 x Stop)
ssdeep 12288:XNVIIvu7DMBeiTtKOrJ/6CTCeD5HeUgFdmU0R7zUC:XzLB7BfrJiCGc+UgrsR7z
Threatray 476 similar samples on MalwareBazaar
TLSH B5A4012077B1C0B7E55256BE4855C2724A36FC715B384AC72BD1277AAE363D08B3A387
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b36931871f27cabc94055e912cdccd76.exe
Verdict:
Malicious activity
Analysis date:
2021-03-23 22:47:23 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/15d4762e-8852-4e56-a09e-5cb7944ea813

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/126712/
Detection(s):
SecuriteInfo.com.Malware.PDB-11.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/651466
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e48620af676ceaf029827a84f094f647146c490f867b13a49a20493cfa4aea7c/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 12:41:12 UTC
AV detection:
20 of 48 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sdcbl3hntvpakmcpkcpbfhwi4kgysipqz5rhje2ebetz6sk5j6a._file
Verdict:
malicious
Similar samples:
58813f984233cfb9eef1c9abefa7f58e96989dd9d6ebd903d40dc2cf3d56c5e8
RaccoonStealer
596ab1ddff660a3cd00e14f5e43d5af6a0ad03a41d07a51344b8eb61a594d27f
RaccoonStealer
5a811d31e3dd7e79900b43c1030cb7851acfce9d630093106aa7d3910a64f136
RaccoonStealer
6c6ab740e7d1e69bb05349e3b27b1a52a4e0bad10ef8b019147c9d87755f95cb
RaccoonStealer
706a3b4438e7b883d8c3cd66ffabfbb3e3495b3b7c6f9b48adf7a5c8cdd0c3c1
RaccoonStealer
a9d0121ba9783e14f8ac72cce2cbce7e330d0b7f29e5311f497b86d286f2d5d1
RaccoonStealer
ab76e3ddfecc8c84fd2179bb40cbe1c535963154c3e6e144e000dd97c1abbc78
RaccoonStealer
bcc495c75df0a47f59a60fdfb870bf833f0d320aff3f1e316f1cd96b5e578c07
RaccoonStealer
dcb02549ffe1d2212dbddc97bf48fc57965ca634ff30665cdeb085e60ae73690
RaccoonStealer
e80db3924627a7961f6bbb34a4d6849546d544620ea77f12b1b3dd8ed024ef4d
RaccoonStealer
+ 466 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:2ce901d964b370c5ccda7e4d68354ba040db8218 discovery spyware stealer
Link:
https://tria.ge/reports/210323-bgenemyvks/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Raccoon
Unpacked files
SH256 hash:
7b216d21305ea084f3f980640e1f20eb977e6cfed8651b1bad236c77171de882
MD5 hash:
70ed382529ceb355fa8c25f276b0a32a
SHA1 hash:
dfff4db1d7d7f6092fef7d36d5b871c4aa98a879
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/38c23eae-d35b-4185-94cb-bef44aaa6c1e/
Parent samples :
7996b83e810128a314228c81600971654815c8c437a27948b31fba612b2c2b61
e80db3924627a7961f6bbb34a4d6849546d544620ea77f12b1b3dd8ed024ef4d
42acd6c4185eec5476f6cf001a527ea5f02df93b58668518cc2f4fada0e93f25
924dd7da4bccf24de55307c9754c1e8e44f4706bdaebf80e8f9c60ebdb330635
f7b38e4972a5db6c45a63c5003b5bdc89cd8b93311af6be7f292e25cc9a8b072
40aa3ed3056a334717d50933026aace5847a379b8179178d00928ef1faf55f3d
5a811d31e3dd7e79900b43c1030cb7851acfce9d630093106aa7d3910a64f136
a9d0121ba9783e14f8ac72cce2cbce7e330d0b7f29e5311f497b86d286f2d5d1
8c9604ea096cd0a680d183f1f9b2a53d2cce276c7d86efdf21d3dd6bffead1f5
dcb02549ffe1d2212dbddc97bf48fc57965ca634ff30665cdeb085e60ae73690
e48620af676ceaf029827a84f094f647146c490f867b13a49a20493cfa4aea7c
7db8ace7c48f52fe13f99650d3bedb3fbad3d9a724fa61a08fab255c24a78d5b
8a2fae000c50871ca7a0600d477d6802d02d88df4bee5fa55918bbd7e71bdcd4
17d0d16c98137e68c2ad448821076ee3771edf8a8bf13e6b7b840ac27c452257
efb58eba36b38541a84724d63525a5c3edb74d1a7f7bfe0801e15d32c4080d11
1a659869af1442fd75244bc2522d961e1ecfb811a0670983efd501025f26fd81
4f17f472b466e5e20dcece3207b53ffd5767ffa6f7d540cac3bbf4d8bd21f392
5a24066b086955c44f6124104bc9be99220817c93c75dfa3c9e026d7e1e895ee
10bdc701ee1d051b4fa1e0f6d719fc898c9354c39459cfc9939465e3864f3421
c8847cb9a99370589fe52fcf91b96bef170990a13fa1eb734c1550c4862537d4
d16224a293f1a83316491fed1b2d0fab11594bdd237fb9daf042fb73de2f5407
9ba06643629d95201f9064dfeefcf6fb17a490d5b8fd86b59f3638311a356dd4
3704423d47a1fe2add6f129c38576926db6181fa56330c108f60927ec637340f
c5dc2a93cb4e826f0a7af4adfa5949f65ef758ec68b2d4b6891e307902759d58
b1fb790d7e5b79bad718c968c930b91957e19f8f98165e741afd484694000cba
c870d2a1d2a34377588eae250ef3058c6e4c6e3cfdd829e677eedc78eb1c9ac0
SH256 hash:
e48620af676ceaf029827a84f094f647146c490f867b13a49a20493cfa4aea7c
MD5 hash:
b36931871f27cabc94055e912cdccd76
SHA1 hash:
aa4cc95bdeaa22a00aa6ed9e5d6e8525ff9887a4
Link:
https://www.unpac.me/results/38c23eae-d35b-4185-94cb-bef44aaa6c1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e48620af676ceaf029827a84f094f647146c490f867b13a49a20493cfa4aea7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe e48620af676ceaf029827a84f094f647146c490f867b13a49a20493cfa4aea7c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1083183/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/126712/

Comments