MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4e480b258663b2d168c836922136e292348d3f977e97e003ef06388a7693891. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4e480b258663b2d168c836922136e292348d3f977e97e003ef06388a7693891
SHA3-384 hash: 45d196c62e887401dba659bd1aa4a85f6659b535dda8fc87c360bf371de85763382a31e205226f872ff5a057de607bbd
SHA1 hash: 89858d13f39a36f181eeee872f4226622533af45
MD5 hash: 6f3dbe0a78e953e41cf84618d95579c5
humanhash: bravo-apart-october-fanta
File name:6f3dbe0a78e953e41cf84618d95579c5.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:566'784 bytes
First seen:2021-04-12 08:01:52 UTC
Last seen:2021-04-12 08:56:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6abcd353ab9736efc91a9e17dd2f8b32 (5 x RaccoonStealer, 1 x Smoke Loader, 1 x Heodo)
ssdeep 12288:uQEdDqokeYkljARbl77eZRpNMwOp85o+HfPjtzK0k3SdUEZyJ5WtD5:uXowjARx7SRpNnN5pzKAULmtD5
Threatray 751 similar samples on MalwareBazaar
TLSH 9FC4F02073D0C033D45224798529CBB14EBF78715AAAA98FBBC40FBD2F256D1B72574A
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
https://tapewormorchestra.top/

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zhhrnz1iPtu7.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 07:22:22 UTC
Tags:
evasion loader trojan stealer ficker
Link:
https://app.any.run/tasks/ee4a969a-d24b-4c59-975f-d3579b8dea0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133694/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.23770.2855.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Sending a UDP request
Sending a TCP request to an infection source
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/672727
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4e480b258663b2d168c836922136e292348d3f977e97e003ef06388a7693891/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4tsibmsymy5s2fumqnusee3oferuru7zo7ux4ab66bryrj3jhciq._file
Verdict:
malicious
Similar samples:
313c10bb9543e370b3017177671899b850975eef576f643ca6648ecef512e114
RaccoonStealer
4c2dc9d041a919e8367ee723c5a9b8ebcdc41c9e9495b333242d14ce3bb4a2a4
RaccoonStealer
651adbad4b2e863da82c38b9014479348492d0e370fd928a797589873a45cb63
RaccoonStealer
9285a4e08b654a24a9e3f7f6d46b27203a48ae623ebfd1a4b1fc1e18ad9a1503
RaccoonStealer
96e0358360461b108acd27bcf09eb6cadb6dbcff1d0c46dd13225d58189800ff
RaccoonStealer
a7bc9073cc389bccaa5d3f35cfd21554e7c9ccb52b1f10da67bcacb2177dccfa
RaccoonStealer
c002108c5acc520f9afa5423b73934dca1a813e6020752859f0639a9b2f12cd1
RaccoonStealer
dffc13d1cfcc907792273c3a9423844a659ef1ca31ea5bed0d09c1d4f5f58984
RaccoonStealer
e4b7cf0c007f13c5fe3f305a74fef72e87309958e89420503102902d198436cc
RaccoonStealer
f72a2fd77ccffec0e2c9bf4570895a48942135778325d52ca2996f54d26a45c3
RaccoonStealer
+ 741 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:16992cd33145ccbb6feeacb4e84400a56448fa14 discovery spyware stealer
Link:
https://tria.ge/reports/210412-jq9ghhm41n/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Raccoon
Unpacked files
SH256 hash:
2aa7107ab7731ff792f8bc07c71d43a31db0ad465ddc6d6a842dc21c085e1e0a
MD5 hash:
23734ca6306da19e6c15a5138b927ee5
SHA1 hash:
f1d932518887f87e034bedc3ae80fb8690dc1755
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/f7ce9abb-f5b4-42ef-8329-dca2ff00f885/
Parent samples :
4c2dc9d041a919e8367ee723c5a9b8ebcdc41c9e9495b333242d14ce3bb4a2a4
a7b93c2fbb727ed832ef535e78fa66ad027e0ca8c9507ca5001112be967b0fe7
fd6ba9b7188a0b11c92287c273eea76f688576dc07eb73b4b42bb0bf061fb393
0bae510b7238c821877790333b381f4ddd42034c5b799a3d7c1e0bff3fdcb940
68e7b4aa89f3f204e8e2d158c4a0892ff43980870e1907d4ed1dc1b57295bd7f
651adbad4b2e863da82c38b9014479348492d0e370fd928a797589873a45cb63
f72a2fd77ccffec0e2c9bf4570895a48942135778325d52ca2996f54d26a45c3
313c10bb9543e370b3017177671899b850975eef576f643ca6648ecef512e114
d5c5e40afe4cda3f04420bd271612e8eedd17d2239f1f08f34b96911aad028b0
9285a4e08b654a24a9e3f7f6d46b27203a48ae623ebfd1a4b1fc1e18ad9a1503
063599342888ca8db39fbfa1a514614781beae26ef228c4c6a5a3f99b67b6a63
3f7631475db3c73d38a22ebdad553d0b0a430f7f570f6878aec9d69742c3e349
a7bc9073cc389bccaa5d3f35cfd21554e7c9ccb52b1f10da67bcacb2177dccfa
dffc13d1cfcc907792273c3a9423844a659ef1ca31ea5bed0d09c1d4f5f58984
6a3449edd66599b768a57c56bca1cd880fd5099d465cc435c0579083c059e943
aed1d7b22349500d64437ab8051253675b4dfc84e24f42fe2c4b180f5dde13a2
e4b7cf0c007f13c5fe3f305a74fef72e87309958e89420503102902d198436cc
96e0358360461b108acd27bcf09eb6cadb6dbcff1d0c46dd13225d58189800ff
806239b652ede8148ff6e178d832830aa6563dc67a4d0d4d35a5ddefaf878568
8d4108636588686bd91c938e7e4b320db2a70e18614b92911400b89d7ca1f1c2
ceed28fedc15a2189b20a8667db52344ef0b65c6414f03c33237a20fba19543f
c002108c5acc520f9afa5423b73934dca1a813e6020752859f0639a9b2f12cd1
693353c431f2ba4f4ca0333c13962db98f9094c0f9d902c1302e5ef1d43a5576
e4e480b258663b2d168c836922136e292348d3f977e97e003ef06388a7693891
b2b8d24633abf976441e73febe9ca099157b1aa5011cc990cb045c5efd9ded0b
82bd63a7a749e86241fb9113bf40fd27d9a3db36c9971ee14ff54825fa631ad2
b7462d93582f61ae4d54bca04359eed4da1804772df8bcebe6723594b3dab2af
08c430e1f712b8538ac261b7998af6c00f89bb75d273183dc563c54389a2fba4
c609c257eaa84273642b03d2b12337f5e64c16ce6bdd0abfd25a557aa94d06b0
13333d8111107cce84e50c0264e4b3ffa7af34802de26de7d229ca86782db674
SH256 hash:
e4e480b258663b2d168c836922136e292348d3f977e97e003ef06388a7693891
MD5 hash:
6f3dbe0a78e953e41cf84618d95579c5
SHA1 hash:
89858d13f39a36f181eeee872f4226622533af45
Link:
https://www.unpac.me/results/f7ce9abb-f5b4-42ef-8329-dca2ff00f885/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4e480b258663b2d168c836922136e292348d3f977e97e003ef06388a7693891

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe e4e480b258663b2d168c836922136e292348d3f977e97e003ef06388a7693891

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1107072/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133694/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 14:54:50 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0050] File System Micro-objective::Set File Attributes
6) [C0052] File System Micro-objective::Writes File
7) [C0033] Operating System Micro-objective::Console
8) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0041] Process Micro-objective::Set Thread Local Storage Value
11) [C0018] Process Micro-objective::Terminate Process