MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21ac1216673e162cc396584817355de87662f0855231863cb883fa6d447f1be7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21ac1216673e162cc396584817355de87662f0855231863cb883fa6d447f1be7
SHA3-384 hash: d308d81e1b63acf01e116272c54baa9d54baa20bbf515adc2d08b03f19177d755146ca1b4f51b801bd6d595d0b9f4ac0
SHA1 hash: 029a45605110a123802054fe58a245aa2366e470
MD5 hash: 0b5b8f5dde52b3c1630542f55ea07cf3
humanhash: vegan-spring-red-johnny
File name:0b5b8f5dde52b3c1630542f55ea07cf3.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'490'432 bytes
First seen:2022-11-07 11:18:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9a32b98b42514f41ec809f9879d4e38 (3 x RedLineStealer, 2 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 24576:2b63ABm5SE+UCuH8ERM+OtByU/bzJ8cIlKQHF6hB3VpiNkh+qszQpJMvK5NoT:SAABoSWp8EhOtIobt8VlKcF0FpiNq+Vp
Threatray 51 similar samples on MalwareBazaar
TLSH T120651348B8918934CBB6A5340836D7554A3FF81D8F84BA97F30FB13E1E302867956B9D
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon a6a2e3e3e3a3a200 (5 x RedLineStealer, 4 x RemoteManipulator, 2 x Formbook)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
0b5b8f5dde52b3c1630542f55ea07cf3.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 11:19:15 UTC
Tags:
opendir loader trojan raccoon recordbreaker
Link:
https://app.any.run/tasks/bfd8b94a-819f-4b2d-a809-baece521f72b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329829/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.29088.32253.19554.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Moving a file to the %temp% directory
Creating a window
Modifying an executable file
Creating a file
Moving a recently created file
Deleting a recently created file
Replacing files
Creating a file in the mass storage device
Unauthorized injection to a system process
Infecting executable files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49561/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6368e9abd8b92f0ee64c6f24/reports/5f25b8ca-f3d2-4490-be4b-4b8352a15cff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Tandem Espionage
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac01093f-a1b4-465d-8596-ca0cbb3e8192
Result
Threat name:
Eternity Worm, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107163
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Eternity Worm
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 739827 Sample: GfrAGWiWAI.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 Antivirus detection for dropped file 2->46 48 8 other signatures 2->48 8 GfrAGWiWAI.exe 1 2->8         started        process3 signatures4 56 Contains functionality to inject code into remote processes 8->56 58 Writes to foreign memory regions 8->58 60 Allocates memory in foreign processes 8->60 62 Injects a PE file into a foreign processes 8->62 11 vbc.exe 15 245 8->11         started        16 conhost.exe 8->16         started        process5 dnsIp6 38 fordraro.xyz 51.178.73.51, 49711, 80 OVHFR France 11->38 40 192.168.2.1 unknown unknown 11->40 28 C:\Users\user\Desktop\...\WHZAGPPPLA.exe, PE32 11->28 dropped 30 C:\Users\...\WHZAGPPPLA-psp.xcod.scr (copy), PE32 11->30 dropped 32 C:\Users\user\Desktop\...\OVWVVIANZH.exe, PE32 11->32 dropped 34 233 other malicious files 11->34 dropped 64 Performs DNS queries to domains with low reputation 11->64 66 Writes many files with high entropy 11->66 68 Modifies existing user documents (likely ransomware behavior) 11->68 18 racoocr.exe 1 11->18         started        file7 signatures8 process9 signatures10 50 Writes to foreign memory regions 18->50 52 Allocates memory in foreign processes 18->52 54 Injects a PE file into a foreign processes 18->54 21 vbc.exe 12 18->21         started        24 conhost.exe 18->24         started        26 vbc.exe 18->26         started        process11 dnsIp12 36 135.181.103.91, 49712, 80 HETZNER-ASDE Germany 21->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21ac1216673e162cc396584817355de87662f0855231863cb883fa6d447f1be7/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 22:53:24 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egwbefthhylczq4wlbebonk55b3gf4efkiyympfyqp5g2rd7dptq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c2904ecd4b19029cf744748d94fc2eab2292b46fafda9956e0e24e2e5dda191
RaccoonStealer
1b39b6803f086419f973c91bb4969d1961853566c9ad36de23ee7aa9075dabab
RaccoonStealer
7ed6e17d4eb4b8124ec1dac5ef69265d24c5fd7e9fb39e8a35b8f20cb9ee8edf
RaccoonStealer
d580564f940ba230f8028972bed4aa32bd8ef647d31e0911747be5889636623e
RaccoonStealer
d8eb0cd465f3e4cef6571c08b8468a8ddf4a95bf1c8eb482170c85b7803c6b49
RaccoonStealer
e86174e025e61e09387c8f93943bd0622cf2e1556dfc0ff6f0e858b7b9d911e7
RaccoonStealer
f8458174c4abdd56f7fb6e07a3c16d95d908fa5461ebd5a8425c60480b8c3b57
RaccoonStealer
ffbad07fc76d01e1563c39da44266294f388a0fdbc3f11ccc6ea3f513747b33b
RaccoonStealer
+ 41 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:eternity family:raccoon botnet:bf3346f8b90a3b56b998fed7451ba685 stealer worm
Link:
https://tria.ge/reports/221107-nevcxadcb8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Eternity
Raccoon
Malware Config
C2 Extraction:
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
http://135.181.103.91/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4b4d4ce2-2db2-4ffd-85e5-9a3fb004da2a
Unpacked files
SH256 hash:
21ac1216673e162cc396584817355de87662f0855231863cb883fa6d447f1be7
MD5 hash:
0b5b8f5dde52b3c1630542f55ea07cf3
SHA1 hash:
029a45605110a123802054fe58a245aa2366e470
Link:
https://www.unpac.me/results/eeeac780-bf21-4ecd-8bc1-76f0af5a8e4a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21ac1216673e162cc396584817355de87662f0855231863cb883fa6d447f1be7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 21ac1216673e162cc396584817355de87662f0855231863cb883fa6d447f1be7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2403179/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/329829/

Comments