MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d
SHA3-384 hash: fd01e90c676c265adcf96a780cbf8bfe4b6bd08f7ea62df13dd504f436b10aac1f5705b00e1efbe6401746e455fa4234
SHA1 hash: f4489003e0c06e4b9637581d545e27f5be9900f1
MD5 hash: f7928541a6c0301e441e0a2f17b375e6
humanhash: white-stream-west-december
File name:f7928541a6c0301e441e0a2f17b375e6.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:293'888 bytes
First seen:2021-09-28 12:35:20 UTC
Last seen:2021-09-28 14:06:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56c207817e66e7690a43bf97b1ee7374 (5 x RaccoonStealer, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 6144:LidOABJIo38y2btsv98Whvznsh5bn2eYX:LiEEJ138Ftsv98mrmbA
Threatray 3'961 similar samples on MalwareBazaar
TLSH T1EE548E20B7E0C034F5B716F549BA93B8BA2E7AB16B2491CB63D516EA53346E4DC30353
File icon (PE):PE icon
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
185.92.74.142:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.92.74.142:80 https://threatfox.abuse.ch/ioc/227056/

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://mixcracked.net/sigmakey-box-crack/
Verdict:
Malicious activity
Analysis date:
2021-09-28 12:02:06 UTC
Tags:
trojan evasion rat redline loader stealer vidar opendir
Link:
https://app.any.run/tasks/146aa482-146c-454a-8ad9-377cf4ee25bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Ulise.303597.14414.12788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/151dfe7f-ac7f-4738-9f13-6411e7ce5269
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859852
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492287 Sample: pdOvHIg8Uq.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 69 185.163.204.37, 49850, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 2->69 71 t.me 149.154.167.99, 443, 49844 TELEGRAMRU United Kingdom 2->71 73 2 other IPs or domains 2->73 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Antivirus detection for URL or domain 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 12 other signatures 2->89 10 pdOvHIg8Uq.exe 2->10         started        13 tchaicr 2->13         started        15 svchost.exe 2->15         started        17 9 other processes 2->17 signatures3 process4 dnsIp5 119 Detected unpacking (changes PE section rights) 10->119 121 Contains functionality to inject code into remote processes 10->121 123 Injects a PE file into a foreign processes 10->123 20 pdOvHIg8Uq.exe 10->20         started        125 Machine Learning detection for dropped file 13->125 23 tchaicr 13->23         started        127 Changes security center settings (notifications, updates, antivirus, firewall) 15->127 25 MpCmdRun.exe 15->25         started        67 127.0.0.1 unknown unknown 17->67 signatures6 process7 signatures8 111 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->111 113 Maps a DLL or memory area into another process 20->113 115 Checks if the current machine is a virtual machine (disk enumeration) 20->115 27 explorer.exe 9 20->27 injected 117 Creates a thread in another existing process (thread injection) 23->117 32 conhost.exe 25->32         started        process9 dnsIp10 77 216.128.137.31, 80 AS-CHOOPAUS United States 27->77 79 privacy-toolz-for-you-403.top 194.169.163.139, 49746, 49747, 49748 NETRACK-ASRU Russian Federation 27->79 81 10 other IPs or domains 27->81 59 C:\Users\user\AppData\Roaming\tchaicr, PE32 27->59 dropped 61 C:\Users\user\AppData\Local\Temp\9186.exe, PE32 27->61 dropped 63 C:\Users\user\AppData\Local\Temp\8158.exe, PE32 27->63 dropped 65 2 other malicious files 27->65 dropped 129 System process connects to network (likely due to code injection or exploit) 27->129 131 Benign windows process drops PE files 27->131 133 Deletes itself after installation 27->133 135 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->135 34 9186.exe 3 27->34         started        38 8158.exe 2 27->38         started        40 E9D5.exe 27->40         started        42 2 other processes 27->42 file11 signatures12 process13 dnsIp14 75 94.26.228.204, 32917, 49852 PTC-YEMENNETYE Russian Federation 34->75 91 Multi AV Scanner detection for dropped file 34->91 93 Query firmware table information (likely to detect VMs) 34->93 95 Hides threads from debuggers 34->95 45 conhost.exe 34->45         started        97 Antivirus detection for dropped file 38->97 99 Machine Learning detection for dropped file 38->99 101 Injects a PE file into a foreign processes 38->101 47 8158.exe 2 38->47         started        49 conhost.exe 38->49         started        51 8158.exe 38->51         started        103 Tries to detect sandboxes and other dynamic analysis tools (window names) 40->103 105 Tries to detect sandboxes / dynamic malware analysis system (registry check) 40->105 53 conhost.exe 40->53         started        57 C:\Users\user\AppData\Local\Temp\...\.dll, PE32 42->57 dropped 107 Detected unpacking (changes PE section rights) 42->107 109 Tries to detect virtualization through RDTSC time measurements 42->109 55 7726.exe 42->55         started        file15 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 12:01:46 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=flthapqzaawegb2horzhxfva3ymxecf66zpthnjcolvfgj6llbwq._file
Verdict:
malicious
Similar samples:
0652c9175a86e4089ae3370daf85e588d28d8f23ed7a17479841504c67357ab9
RaccoonStealer
25149614d2732a9db3e86ee490064f943cef5747b19d937d2f3cc2d7e13d29b7
RaccoonStealer
26e2162f3b45c16da421b18e0a1163c9e2900c250a796bb535435e63e7562e70
RaccoonStealer
5dcdd9b2e6f81b11f4e4d0cb96709286deac6c8a8385d473f17d599ee55c150f
RaccoonStealer
6232bd70528f163b7aa8e8d76f6c4e63a0660eb112eabf2cc1859cc9e83ca755
RaccoonStealer
71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc
RaccoonStealer
79d1a0d0bd8b5672374ab7c97365a6b0276efc6755900cdbdcdb77019e69457a
RaccoonStealer
843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
RaccoonStealer
dc9787f1ca396af3c6a84f52c1f4a1969b7d33999507f2093480071fc22e9d63
RaccoonStealer
e2182bd67553bff631bb93f7a016163c7cb82485cf9614bf566c9b49e821b158
RaccoonStealer
+ 3'951 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 botnet:7503ff9128ce04d8aa87f5435101fb3450bd21b8 botnet:a72c96f6762e4258a13dee8bc0dd14557df18467 botnet:instashop botnet:vol4 botnet:z0rm1onbuild backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210928-psysxscaa6/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Arkei Stealer Payload
Arkei
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
xmrig
Malware Config
C2 Extraction:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
92.246.89.6:38437
45.156.21.209:56326
185.92.74.142:80
92.222.145.232:61157
Unpacked files
SH256 hash:
2fead9437f15e057951fd6a02ab05076e38db13483df0191787c21c79343b9e7
MD5 hash:
1c90f3a3fcd93ee08b2154cbcff49085
SHA1 hash:
73ac881633a13c3c31c1153d8105b8ecbb60961e
Link:
https://www.unpac.me/results/da9b3101-bd48-4f40-bd69-80591074a297/
SH256 hash:
2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d
MD5 hash:
f7928541a6c0301e441e0a2f17b375e6
SHA1 hash:
f4489003e0c06e4b9637581d545e27f5be9900f1
Link:
https://www.unpac.me/results/da9b3101-bd48-4f40-bd69-80591074a297/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2ae6703e1900/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 2ae6703e19002c43074774727b96a0de197208bef65f33b52272ea5327cb586d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download

Comments