MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ce285cf68d5bf2dfef9e6e11d398b251085cbca275363691cf94e64de622212. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ce285cf68d5bf2dfef9e6e11d398b251085cbca275363691cf94e64de622212
SHA3-384 hash: 752224c2a8e9dd3ca573e219c46a374e7e7664e5608201ef37c3acf79f84b822c357f89186122654476544261afc14b5
SHA1 hash: ffb6b671d29c634e837418a53cf28ee3efbcc308
MD5 hash: 7a2973571f083a8b8cdb6051de5fdd0f
humanhash: minnesota-mike-vegan-fifteen
File name:7a2973571f083a8b8cdb6051de5fdd0f.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:315'904 bytes
First seen:2022-02-03 17:15:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f0af22a03ecdedbd2c62f1da70f1873 (1 x RaccoonStealer)
ssdeep 6144:bemEaPNAZLA2/eOtBfS15qrm3EKwJCkS0ZLzXgVg36QjkZuQCIVKoH:C3gmpPGeBfS15qrD3CSwWq9UIV
Threatray 7'249 similar samples on MalwareBazaar
TLSH T1FC648E00B790C035F1B756F8897A93A9B63E7EA15B3450CB62D52BEE5A346E0EC31317
File icon (PE):PE icon
dhash icon 25ec1378399b9b91 (23 x RedLineStealer, 13 x Smoke Loader, 7 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://91.219.236.18/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://91.219.236.18/ https://threatfox.abuse.ch/ioc/378337/

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/232518/
Detection(s):
Win.Malware.Dropperx-9938227-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5894/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61fc32ec18d1bfdde4ef3210/reports/f2aa4e84-f7db-466a-a21d-16029de8421f/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7df27218-5372-4c6d-b355-0220796aa863
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/933559
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ce285cf68d5bf2dfef9e6e11d398b251085cbca275363691cf94e64de622212/
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 17:16:09 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=btrilt3i2w7s37xz43qr2omleuiils6ke5jwg2i47fhgjxtceija._file
Verdict:
malicious
Similar samples:
0245c82558329cfd8ef5ef901e4929075d4d873ba20d9704731758580caed7be
RaccoonStealer
5af14eed5da9b6c6341581bd9e989db2f8fce94452463afebc4581ab07d37f11
RaccoonStealer
66c13284aed1c04524b47ce98cfa70843f88b16733b9d7c14266c8575502df9b
RaccoonStealer
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
RaccoonStealer
87b1b6c23161d93aed2729e2fce32dc577793341e4755cdeaac41f8c50b76a56
RaccoonStealer
9b58105b315bbd6a5af96e63f88dc59cdedef401324916ae48de270a021ec29d
RaccoonStealer
a771e073fa4ba6ef336ab59ae52114c034d5725a7731dfb1593a764688f7dc16
RaccoonStealer
e69a5acecc913dd2a60736303db36b6f2415caf682dfff23dc5e7822e5bf117a
RaccoonStealer
eb24b3b9375f0b3272fac6eecc9329f79eab274d802b2ad37037cc83a46fa3f1
RaccoonStealer
+ 7'239 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220203-vs5t5acdgl/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
SH256 hash:
788f723ebfe0110232b52ee15345acc5f74a53ea45e5f422dc5ce2eb5833fadc
MD5 hash:
198ff357daf4345c9fc869616b139381
SHA1 hash:
24c9899b296cf004e400b77e72b89f42bb726f37
Link:
https://www.unpac.me/results/c19af4f2-dd27-4f2c-8ff4-7a7bb2158b96/
Parent samples :
3c6f5e38acd57a6372e44dc341bf46060fef8c8b0e1dd3ffa38b21ddaddc3773
6861cdee1ee282ee8c69e31503d95291409907d8b27538f8082adb00205ad105
ccf4e081582226315f3a2bc171b604e3911d0225cc85e18188872ea9832a5388
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005
53bcd8239258dcbb10f9d3b6d057103c18fe3dd614c5809053426b01b741500d
SH256 hash:
0ce285cf68d5bf2dfef9e6e11d398b251085cbca275363691cf94e64de622212
MD5 hash:
7a2973571f083a8b8cdb6051de5fdd0f
SHA1 hash:
ffb6b671d29c634e837418a53cf28ee3efbcc308
Link:
https://www.unpac.me/results/c19af4f2-dd27-4f2c-8ff4-7a7bb2158b96/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ce285cf68d5bf2dfef9e6e11d398b251085cbca275363691cf94e64de622212

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 0ce285cf68d5bf2dfef9e6e11d398b251085cbca275363691cf94e64de622212

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2020720/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/232518/

Comments