MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef1d91fe25dabf1bdc5786fda6a80ec716e28742aeda9513130cfd47c5da4c46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 5 File information Comments

SHA256 hash:	ef1d91fe25dabf1bdc5786fda6a80ec716e28742aeda9513130cfd47c5da4c46
SHA3-384 hash:	944bae2c3b0adec49f8cec6e6a888d4ed6fc9cc102dd5a75035c2136ac30379eb02586da119be3366f17cc10436fa45c
SHA1 hash:	27091fa3cc338e13ef056769e917c37b6bed2b95
MD5 hash:	a0d3c0ebbd5fbdf61022416799f551ee
humanhash:	single-earth-seventeen-pizza
File name:	a0d3c0ebbd5fbdf61022416799f551ee.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	547'328 bytes
First seen:	2021-06-26 06:11:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fd6ceffd8ee4d2c3457149f5628cc57c (1 x RaccoonStealer)
ssdeep	12288:4+G5w/RZPH4r7Few8jTREQ9pzjHy+eLDP0:ZmA44j3REQHvHy+eLA
Threatray	852 similar samples on MalwareBazaar
TLSH	1BC4D01067A1C038F5F732F456BA9278E9297AB16B3490CF62D516EE57246F0EC30727
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://35.205.249.65/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://35.205.249.65/	https://threatfox.abuse.ch/ioc/154052/

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a0d3c0ebbd5fbdf61022416799f551ee.exe

Verdict:

Malicious activity

Analysis date:

2021-06-26 06:12:06 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/4a0d60a8-aef8-4d60-890e-1e26eab44330

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/168421/

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b83b3c0-37ec-4492-a934-43b22154510b

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/808389

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to evade analysis by execution special instruction which cause usermode exception

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef1d91fe25dabf1bdc5786fda6a80ec716e28742aeda9513130cfd47c5da4c46/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-06-24 21:57:00 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=54ozd7rf3k7rxxcxq362nkaoy4lofb2cv3njkeytbt6upro2jrda._file

Verdict:

malicious

RaccoonStealer

31d1cf356412dd77a0f0792d2519d8421a959838517b5b47cd3bd919d7dae973

RaccoonStealer

362628d38a581740fb42a4515943beaf197697d91cee269ec0e0e02052fa6074

RaccoonStealer

4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35

RaccoonStealer

72711bf320b270469fe93a2aee1564c02debb5460512e1aa7bcc779c749c4550

RaccoonStealer

7f85fe44b19f19e5467a22fb791efce9c622b6672fcea94a1db9c61df06b9166

RaccoonStealer

84c253c61523798734a2bafaa54b04974aeb1828d3c93001fcdbce748b68ca78

RaccoonStealer

8d52c410200f15e0ce1dc51b0cf92dcd7563f07783f23e1699e5f0b3ffde0362

RaccoonStealer

c67c03bb7557d62a63cc092656dcab67033956a413fbd4f6c1eb75e13f9cf587

RaccoonStealer

e23b40b78fd6f45156c801ffa325293e35a3e4a3a2311de54ae213b70d7d4ce3

RaccoonStealer

+ 842 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:cf8d01ecc5b3e3b80a8ff61ccbea87d63dadf99c stealer

Link:

https://tria.ge/reports/210626-q85nk3qmne/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

8d2f8ca3aad8935f681587e67b1e977a473f129b6c1e373b5e950d020d7a4786

MD5 hash:

b6119d8f32b364349877064a0d26bb6b

SHA1 hash:

5ee64f287861226366448751cfac2ed466f92071

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/1ebef999-2e34-4e7c-9500-e2131972b004/

Parent samples :

eaf21113303119db75f4c107af7551cee1dfa0e58faf10f5ac9cbd2871affdf8
a3bdabe80c498e418f5c8b87a34a7b88013b6c803385012bacff4bb388207c10
ef1d91fe25dabf1bdc5786fda6a80ec716e28742aeda9513130cfd47c5da4c46

SH256 hash:

ef1d91fe25dabf1bdc5786fda6a80ec716e28742aeda9513130cfd47c5da4c46

MD5 hash:

a0d3c0ebbd5fbdf61022416799f551ee

SHA1 hash:

27091fa3cc338e13ef056769e917c37b6bed2b95

Link:

https://www.unpac.me/results/1ebef999-2e34-4e7c-9500-e2131972b004/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef1d91fe25dabf1bdc5786fda6a80ec716e28742aeda9513130cfd47c5da4c46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/168421/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample