MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e
SHA3-384 hash: a84b5d259174a8a21c7bcf67a5bb62a2c3b74cdd59e465091a29ddbf8b068b227bd37ea8756bb822f25e1df6a7fbea6a
SHA1 hash: de0a3fc889a15ddab0cb4afa931a72859a55735f
MD5 hash: ca04502ff8009c1cc5a1ba556d9c9ffd
humanhash: lactose-high-enemy-north
File name:ca04502ff8009c1cc5a1ba556d9c9ffd.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:6'231'096 bytes
First seen:2021-08-28 20:05:44 UTC
Last seen:2021-08-28 21:07:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b9290431b366a1252cf05522cb28180 (8 x RaccoonStealer)
ssdeep 98304:ZS6B/6qRfi0oMOFScwwgQM07W9IE623VoAdnqZhOs+QxsWMzZeSsgLUtfFsM:ZSy/tRfi0zOFSxjF0IlCAiht+0sz8jgK
Threatray 2'304 similar samples on MalwareBazaar
TLSH T19C5623261722D080C1D1C932563BFEB972B66E1D1B41DC786AE27CC735B75E6A203A4F
dhash icon c8c4e8d0aab2b2b8 (2 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://84.246.85.16/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://84.246.85.16/ https://threatfox.abuse.ch/ioc/201706/

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ca04502ff8009c1cc5a1ba556d9c9ffd.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-28 20:07:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/daef8525-335f-42a4-952d-ff77142432df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183146/
Detection(s):
SecuriteInfo.com.UDS.Trojan-PSW.Win32.Racealer.20464.20171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt to an infection source
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c04b72eb-b7b3-4f95-af52-9b965bcdb35b
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/840846
Signature
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 20:06:04 UTC
AV detection:
5 of 26 (19.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5o7pi5cdj2vqpfesrtgoxog3spwyahoc3uvt4rpunrzw26drr6pa._file
Verdict:
unknown
Similar samples:
0f0eb4a8a538f339214f86a8b084d685a4fb51d54f258f5718393003ab1ff35b
RaccoonStealer
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
RaccoonStealer
3ce688f6b00b57a37f3ffa4c5410cc02ed5fa05eab37304d44e2d8399aa8b8e2
RaccoonStealer
60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
RaccoonStealer
676efd23da897b1cd244d4bf83607ee87fbb00434839e9913e0fd48e4fb48ef6
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
RaccoonStealer
+ 2'294 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:0a7408c65c3ceba29fcaa1d6f9f7143fe4fab73a discovery spyware stealer
Link:
https://tria.ge/reports/210828-2pql1ndkqj/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
64e6583bcaa1c54937f7f48429728ad3d9e67e847e08961a35dc0151ce0c75bd
MD5 hash:
f627cef6a488942a5bbcc5187f25f3c6
SHA1 hash:
a38ea9d043e6ced1ba51077a8a784badd70d4801
Link:
https://www.unpac.me/results/c10a6080-4659-4d7b-bac8-148ba1215133/
SH256 hash:
ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e
MD5 hash:
ca04502ff8009c1cc5a1ba556d9c9ffd
SHA1 hash:
de0a3fc889a15ddab0cb4afa931a72859a55735f
Link:
https://www.unpac.me/results/c10a6080-4659-4d7b-bac8-148ba1215133/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe ebbef474434eab0794928cccebb8db93ed801dc2dd2b3e45f46c736d78718f9e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1549207/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/183146/

Comments