MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ac3efb66c417b56db8e17b4e9dd6cd11d97c711076fefe71547b0835c7f217d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ac3efb66c417b56db8e17b4e9dd6cd11d97c711076fefe71547b0835c7f217d
SHA3-384 hash: 0c822028b679e2460ec29bf48764cbc2bec31e7c4c16c11b5459eb27a8d06e57e0ba19350d6b179a53c103a01f687313
SHA1 hash: 0ffded81d3c5be8b58ba700f0c639b5dc7a21406
MD5 hash: 74939d2fabac24f43488c0c7d3cab3dc
humanhash: pizza-magazine-eighteen-california
File name:74939d2fabac24f43488c0c7d3cab3dc.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:596'480 bytes
First seen:2021-10-17 11:45:27 UTC
Last seen:2021-10-17 13:15:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 33155a730e036f2480434cae8e547169 (12 x RaccoonStealer, 2 x CryptBot, 1 x TeamBot)
ssdeep 12288:okNPuJHX+Y521xEYq8RcP+sHhwJd2sIwLa8DOarcLBcJGtESibI2:oAPuJHNGEZPH7sIh8kBcJGo
Threatray 3'802 similar samples on MalwareBazaar
TLSH T11CC4DF10A6A1D039F9F352F84DBA9329A52E7AE1272490CB53D51BED87346E0FE31347
File icon (PE):PE icon
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.204.33/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.33/ https://threatfox.abuse.ch/ioc/234895/

Intelligence

File Origin
# of uploads :
2
# of downloads :
522
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197978/
Detection(s):
SecuriteInfo.com.Variant.Ulise.313073.3518.21718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616c0cfddb358dd15ebe4128/reports/476dafaa-663b-47f3-80bd-1373ab1ff150/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d07a8866-e045-4c2f-a162-5695ff4421ea
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871807
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504235 Sample: bYHmn5GaOW.exe Startdate: 17/10/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Antivirus detection for URL or domain 2->46 48 3 other signatures 2->48 7 bYHmn5GaOW.exe 85 2->7         started        process3 dnsIp4 32 telegatt.top 172.67.168.153, 49753, 80 CLOUDFLARENETUS United States 7->32 34 185.163.204.33, 49754, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 7->34 36 cdn.discordapp.com 162.159.134.233, 443, 49757, 49758 CLOUDFLARENETUS United States 7->36 24 C:\Users\user\AppData\...\oWKJqqQr8b.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\Mmi8LoRv4v.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->28 dropped 30 58 other files (none is malicious) 7->30 dropped 50 Detected unpacking (changes PE section rights) 7->50 52 Detected unpacking (overwrites its own PE header) 7->52 54 Tries to steal Mail credentials (via file access) 7->54 56 3 other signatures 7->56 12 Mmi8LoRv4v.exe 14 3 7->12         started        16 oWKJqqQr8b.exe 15 3 7->16         started        18 cmd.exe 1 7->18         started        file5 signatures6 process7 dnsIp8 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->58 38 www.google.com 142.250.203.100, 443, 49759, 49761 GOOGLEUS United States 16->38 40 192.168.2.1 unknown unknown 16->40 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started        signatures9 process10
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ac3efb66c417b56db8e17b4e9dd6cd11d97c711076fefe71547b0835c7f217d/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-10-17 11:46:05 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=flb67ntmif5vnw4oc62otxlm2eozpryra5x67zyvi6yigxd7ef6q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
175857c3f9480499cf56d30f394f885d51ac9ef05bbc1d6bd86d3b4af393c261
RaccoonStealer
42a1fdea9b33a2063e50bc4f0c7ac31fcc08ee7d070632f2921a5482a29ba870
RaccoonStealer
94036ecca794753179e68c331482c2b42b0c06a067169c8b004fad4e7dda673a
RaccoonStealer
97dbb2b9d161dd2b5f26eb48acef6ef70701b75a75b2d281e3dbb7fd946de319
RaccoonStealer
cc98ee14bc8504ed2dae9d010c7f209775de51f9f31086814e2fb6b42baa7cb5
RaccoonStealer
e128f0a54c481a677c0cdc5159600956776cc02fe066cec67775958e4d132ee9
RaccoonStealer
e45562980424366481dbd17982b5773aa120d0c6410a0d45ef4daa156ca7c478
RaccoonStealer
ee72d76436717cfab41a33950d641e7e6820d23369b21fe937cc2fc2549c6869
RaccoonStealer
f71af415b9939891015d10018b116c538506e55aaa67dc825c2c95cf6626555c
RaccoonStealer
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
RaccoonStealer
+ 3'792 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:723d14b565e8f39294f31f86b0ce56cdaee75105 stealer
Link:
https://tria.ge/reports/211017-nxa2zsceh7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
f8d2f1c7ad4cfa1b5f4e4ead859d5b907449b1804f31eb44fa99362601dfb303
MD5 hash:
278c0571687953c7bbf2dc79255fd5ec
SHA1 hash:
95c64a39418829e08432e18c8baa3f6ab0534b71
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/1c952874-6434-4854-86db-06e36ad80fec/
Parent samples :
ee72d76436717cfab41a33950d641e7e6820d23369b21fe937cc2fc2549c6869
97dbb2b9d161dd2b5f26eb48acef6ef70701b75a75b2d281e3dbb7fd946de319
42a1fdea9b33a2063e50bc4f0c7ac31fcc08ee7d070632f2921a5482a29ba870
e45562980424366481dbd17982b5773aa120d0c6410a0d45ef4daa156ca7c478
2ac3efb66c417b56db8e17b4e9dd6cd11d97c711076fefe71547b0835c7f217d
ade0899750767b8471c3b1ace720a85ebd9c0ba8c84af462257373cb7104d17d
937626d18f1e68354b43aefc092e7833333b219fce7648ca28b94f2f46f13b10
c30a7b035bad293727b98b2ec5c09a5ca9a2d5ff2073fd10de1383238fa094dd
c614fd9a439ee18db9156e3b8d5033137690e386f0cf7d028037fa3cf3503499
665044e68300e3da42a2dbbf0a64861290e50503a47b32b11a36d7e0b3dee594
642c488a6447d1db50f322359bb2cca33ea1e8f4c71f14ae4b81930020c5fb2d
e28a6d3bdcfdad9ff4c37e6c22c1a52018e5076ec65b128614bcf0e8eb711171
3f7782d85f744e3e728fb3b2c3dc04d00993f3e6a7caf3b4cab412837bcc4c07
c3461cf008e62a6616de0037fd35c54a4d3165a89431dcdb1d431669ca81fa3d
f6aa3dc3569ec484dd54f461b0f4ff25de4a81c422ad0b91ec06ae5c0fa893e5
SH256 hash:
2ac3efb66c417b56db8e17b4e9dd6cd11d97c711076fefe71547b0835c7f217d
MD5 hash:
74939d2fabac24f43488c0c7d3cab3dc
SHA1 hash:
0ffded81d3c5be8b58ba700f0c639b5dc7a21406
Link:
https://www.unpac.me/results/1c952874-6434-4854-86db-06e36ad80fec/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2ac3efb66c41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ac3efb66c417b56db8e17b4e9dd6cd11d97c711076fefe71547b0835c7f217d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 2ac3efb66c417b56db8e17b4e9dd6cd11d97c711076fefe71547b0835c7f217d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197978/

Comments