MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8e513067019477664ad514141496271939fcd04025246222d1d679b1f3ea0ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 14

SHA256 hash: e8e513067019477664ad514141496271939fcd04025246222d1d679b1f3ea0ba
SHA3-384 hash: 1019ed040e37977e78cb0a637e33432b67964bdc59d8b9a3929fb746f37ca5e64c1f26eddbe12fca40e9d9fe21ac4e1b
SHA1 hash: b66780fcc780a52592dcfb5b4f54101b80dc1b33
MD5 hash: fa199b1de90bdd6f2c25d2173fcbbab9
humanhash: equal-seven-washington-winter
File name: fa199b1de90bdd6f2c25d2173fcbbab9.exe
Signature: RaccoonStealer
File size: 538'112 bytes
First seen: 2022-02-20 15:36:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3c6cb352f12ed66274ee6145025da681 (1 x RaccoonStealer)
ssdeep: 12288:f9I1yhwGuK4cq1iS+olT7a8qBiyx8zwqofM1:f9HpuZ5177a8Q8z1M
Threatray: 5'813 similar samples on MalwareBazaar
TLSH: T147B4120175A0C432DAF21EF25431C7C1626BB9A686617187FB14BB9F3E323915B7A31B
dhash icon: a3bcdcac9c8cb4a4 (4 x ArkeiStealer, 2 x RaccoonStealer, 1 x Stop)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://178.79.174.111/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://178.79.174.111/
ThreatFox reference: https://threatfox.abuse.ch/ioc/389603/

Intelligence


File Origin
# of uploads: 1
# of downloads: 297
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating synchronization primitives
  Sending an HTTP GET request

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CPUID_Instruction
  SystemUptime
  MeasuringTime
  EvasionQueryPerformanceCounter
  EvasionGetTickCount
  CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Contains functionality to steal Internet Explorer form passwords
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Self deletion via cmd delete
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Yara detected Raccoon Stealer
Behaviour
Behavior Graph: (image not reproduced)
Threat name: Win32.Trojan.Injuke
Status: Malicious
First seen: 2022-02-20 15:36:13 UTC
File Type: PE (Exe)
Extracted files: 38
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:e50c949ecf0380ef03a3368f13619264294662b6 stealer suricata
Behaviour:
  Checks processor information in registry
  Modifies data under HKEY_USERS
  Suspicious use of AdjustPrivilegeToken
  Drops file in Windows directory
  Raccoon
  suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
Unpacked files
SHA256 hash: 27d8f165e6319f02f93ed3c33bdee06b848b69d076390126a7a8a94a3d3c9e33
MD5 hash: bae8f0a1e1c5305c84251384ee224173
SHA1 hash: aecedfd51f9a27743f6b131c66c440ac767cb321
Detections: win_raccoon_auto
Parent samples:
SHA256 hash: e8e513067019477664ad514141496271939fcd04025246222d1d679b1f3ea0ba
MD5 hash: fa199b1de90bdd6f2c25d2173fcbbab9
SHA1 hash: b66780fcc780a52592dcfb5b4f54101b80dc1b33

Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: RaccoonStealer
File type: Executable exe
SHA256 hash: e8e513067019477664ad514141496271939fcd04025246222d1d679b1f3ea0ba (this sample)

Delivery method: Distributed via web download

Comments