MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43db45dbead81d280c58c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43db45dbead81d280c58c
SHA3-384 hash:	da78b59b7b20dd85abfd6e15b620f17492c81d994e4ad026e96cb5d8d4cae433fea1e35ecdb1a8d7f3b213d0ee412279
SHA1 hash:	80e7545f558c2656ececf3ee2f94795b1b7b84ac
MD5 hash:	f545d501be333e5a1ba5bdbb404b031a
humanhash:	early-kansas-twelve-steak
File name:	e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	535'040 bytes
First seen:	2021-09-05 10:26:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b2c249fef864036a8cc857592c5ce556 (5 x RaccoonStealer, 2 x CoinMiner, 1 x RedLineStealer)
ssdeep	12288:HHYRg+jv8PYRSq5OHCfEHo9Z/JlwEDkj8N20f:nYWc0YRd/9pJlwEmC20
Threatray	3'645 similar samples on MalwareBazaar
TLSH	T162B4F11A7E90E873D486C6726426C7F0DE7DBC712924814B7754FF6E2E302909A2E397
dhash icon	b27e7c7d767e6e72 (1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://94.158.245.173/	https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43.exe

Verdict:

Malicious activity

Analysis date:

2021-09-05 10:28:26 UTC

Tags:

installer trojan stealer raccoon loader

Link:

https://app.any.run/tasks/6718d83b-c61f-46f5-9b86-23e9671488ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/185433/

Detection(s):

Win.Packed.Generic-9890937-0

Win.Malware.Generic-9890979-0

Win.Packed.Filerepmalware-9891018-0

Win.Packed.Filerepmalware-9891026-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Connection attempt to an infection source

Connection attempt

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file

Deleting a recently created file

Reading critical registry keys

Delayed reading of the file

Running batch commands

Launching a process

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0b79d1eb-b886-415d-bf96-2d2e91c4a1f1

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/845519

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

raccoon

Link:

https://mwdb.cert.pl/sample/e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43db45dbead81d280c58c/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-09-05 09:36:16 UTC

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zlrzhxfkcfdufnbq3ezhwpbh72dwdaiotkd3nc5x2wyduuaywga._file

Verdict:

malicious

RaccoonStealer

14a0212c393bf55f873eca41cafc64ebe116e0327b78fc699a1fc8e4b9da9f9a

RaccoonStealer

3ae0a9d38c7e7ff2c785b1be78535afb96373367893fed9d64e294edcb00b597

RaccoonStealer

44bc314dee6f54dac04db053c1d5d65f001d4f371ff01bcf4e36821f3bf47f82

RaccoonStealer

4b72193efa0ec645714d27582038da1f3794bea0b05acb2ac757df913e35fde7

RaccoonStealer

93a8b82b3e9b2b1697b0874eec3efa8bb43c9e2a0d0d5163492b6f08eb6462b4

RaccoonStealer

993324955100beb9c2426b5b82293c60bc63fc1b054fc47ca6ede4a11cf564bf

RaccoonStealer

b4530472faa0dc34cc4d8c390f02b6449fc40f2fbc9cb4b108a2b2d41b15e277

RaccoonStealer

d3a5b777c6bf05953b2aecb511a605e268a5de26659d1b044fc03cc5700e2e09

RaccoonStealer

f5f5ced262e7b06f44c049bba0a1ba17b5f261621d5dd93a2e41f7b5a0859e20

RaccoonStealer

+ 3'635 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:56be4efb71b0a38de783d05b401b05f1bc805bb2 discovery spyware stealer

Link:

https://tria.ge/reports/210905-mgjhrahee6/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

0e2a294165840a5ba0a18343331b26dc15747c99e989c3bf5b8a219d968709d0

MD5 hash:

c7086aa56ded0f3d493cd93d50e3c7b8

SHA1 hash:

6baafff73dd33408ae9865331afd5ebc0e8c6a7e

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/1c0fd19b-2cd8-4bc7-99a8-de36ac3feacc/

Parent samples :

77c40ad589b025d3e607000a82a93ac4695a0cd444b3413e432a648c7a375d4d
ce3ab3701778b42da8a688e9e9ea7d3dcbc7873464f95a214771962ad40c710b
b33af04dc64bab485eaaccbe574940a2e641107f8886d0e5e60b303dbe5f797c
38a1d1189d24606ff02ab44bb3e960c11f0d3eee0784e00aeda1fb17fbb3338f
435025a3a84b8da4ccab5d7fd59de3f2c4f58b11db8e11adcfee10c99f491d63
deddab103a2aaae2ce26b6b3b1b1d263ac4c272584ec1d7d5ff8a96bcbaebd4f
e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43db45dbead81d280c58c
1e2ff254e9ce7fcaba6d728b569ed2adefc8b6080a8cbacb2e62f41203055d94
cd682f673e7dfbeac62b8e2fad4afa3fd12e25faf8356635f4ff76c4dd326cbf
ac9d3193a2f9d3c34acb6d90d3e6dcfe275b0616352f1af8d4d25ed05ef8a9ce
4f86bb133e6e11730ea9a42d2b199d6e28ac7e29add3250416b467212921a02b

SH256 hash:

e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43db45dbead81d280c58c

MD5 hash:

f545d501be333e5a1ba5bdbb404b031a

SHA1 hash:

80e7545f558c2656ececf3ee2f94795b1b7b84ac

Link:

https://www.unpac.me/results/1c0fd19b-2cd8-4bc7-99a8-de36ac3feacc/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e6571c9ee550/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e6571c9ee5508a3a15a186c993d9e13ff43b0c0874d43db45dbead81d280c58c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185433/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample