MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf14e5b521fd83697915fe02ab94585de651c21917d9f949d3c13b3beecac20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf14e5b521fd83697915fe02ab94585de651c21917d9f949d3c13b3beecac20
SHA3-384 hash: 95d62b76d3ed80c871db03f58248d40b8d4d75e46bca67edf0b164c967641859157289953911ad6ccface916633001bb
SHA1 hash: bb84af3616bb85e23fef50530ee8aa22a3070ea5
MD5 hash: 6b7554c5f2b7a246639156524fb86a78
humanhash: papa-vegan-idaho-three
File name:6b7554c5f2b7a246639156524fb86a78.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'574'576 bytes
First seen:2021-06-09 15:14:25 UTC
Last seen:2021-06-09 15:52:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:MAWfOZiCn4Y1xYwCJCa1mAJJYZFfjxbz3FojP:MAWfOZnn4Qx2CLgSZFfjS
Threatray 814 similar samples on MalwareBazaar
TLSH BF7554137D4CF711E5E42E3782DF2D2813F259C68633960BBF4ABEA51461642ADB232D
Reporter abuse_ch
Tags:exe RaccoonStealer signed

Code Signing Certificate

Organisation:UriTypeConverter
Issuer:UriTypeConverter
Algorithm:ecdsa-with-SHA256
Valid from:2021-06-08T09:00:00Z
Valid to:2022-06-09T07:00:00Z
Serial number: 9687d853e728079b
Thumbprint Algorithm:SHA256
Thumbprint: 08618dfb8371c187199c9b10ddb1081a5159f3615e0d4d41b26c30769d20c3cc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165653/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Tnegaml.10103.7797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending a custom TCP request
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Running batch commands
Launching a process
Connection attempt to an infection source
Stealing user critical data
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/799646
Signature
.NET source code contains potential unpacker
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ecf14e5b521fd83697915fe02ab94585de651c21917d9f949d3c13b3beecac20/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-09 15:15:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tyu4w2sd7mdnf4rl7qcvokfqxpgkhbbsf6z7fe5hqj3hpxmvqqa._file
Verdict:
malicious
Similar samples:
25635e943bef1181ce962f2294a131960b61c093159e197dabda485a88e9b069
RaccoonStealer
2884051cd64be98b26224c6cd9ba46bc6802242fdb2aabbb3dd4aa6b1eb16a78
RaccoonStealer
4169236e7560956d442207c2cc74a767f6470bcedf1d8022677e0aee8949d4f5
RaccoonStealer
45269d3d0fbf13c80d6c496d3ee36e13808e36063bc82e3247cfc291e0f9223c
RaccoonStealer
4960918e52dd7f7db806c36c9393ef8329e173c60d9f59de66474af874ba1e46
RaccoonStealer
4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35
RaccoonStealer
67ee0a1422563807cb5af36dd2527d3e96f5532f34020c0cdacb4325d31d77b0
RaccoonStealer
9d98cf2a209bc4ccc92b7dc792c6f3b21c0ce1c2f7eb72498823e7a593145fea
RaccoonStealer
aa703fb814c6e09c409060654ea9b5798b6a99cb0ceb25bd31bf894dc60702f5
RaccoonStealer
e23b40b78fd6f45156c801ffa325293e35a3e4a3a2311de54ae213b70d7d4ce3
RaccoonStealer
+ 804 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery spyware stealer
Link:
https://tria.ge/reports/210609-vtzsntrrwn/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Unpacked files
SH256 hash:
52fd814d731febd12f63c8777662989f342b345fd44497350aedb047194e9355
MD5 hash:
a583fbfaa05af40deb0bb3225af39607
SHA1 hash:
a39796466dcc3203c346d559af49ef2d91636dce
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/2580db61-d431-40b8-8aff-b9a630ea4869/
SH256 hash:
675819cdf464bb11c1365b5bc2cc6a61dbf8d4497c6deb750149cc1c44f700b1
MD5 hash:
1819f7fd658bdcbb60d080459e59d692
SHA1 hash:
3f82b208a6d15214f89660c2020e626d856a338c
Link:
https://www.unpac.me/results/2580db61-d431-40b8-8aff-b9a630ea4869/
SH256 hash:
ecf14e5b521fd83697915fe02ab94585de651c21917d9f949d3c13b3beecac20
MD5 hash:
6b7554c5f2b7a246639156524fb86a78
SHA1 hash:
bb84af3616bb85e23fef50530ee8aa22a3070ea5
Link:
https://www.unpac.me/results/2580db61-d431-40b8-8aff-b9a630ea4869/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecf14e5b521fd83697915fe02ab94585de651c21917d9f949d3c13b3beecac20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe ecf14e5b521fd83697915fe02ab94585de651c21917d9f949d3c13b3beecac20

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/165653/
  
URLhaus
https://urlhaus.abuse.ch/url/1314783/
  
Delivery method
Distributed via web download

Comments