MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b4ca2c55ee1aebc8f963c87da8f160c31641bfd75808ad75273239b10dd793a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	2b4ca2c55ee1aebc8f963c87da8f160c31641bfd75808ad75273239b10dd793a
SHA3-384 hash:	04feb80e8be34d7117ad61ef9bd6338642645b42bfba6c2cea04f2a6661a9adc6ac244a8afe5e041de04455f62ba0291
SHA1 hash:	acce5b8ed572ba37bf99e264657ee1073e26b478
MD5 hash:	5fe98645af299f9560e0054ceaba54c3
humanhash:	pasta-victor-bulldog-blossom
File name:	SecuriteInfo.com.W32.AIDetect.malware2.22480.18960
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	418'816 bytes
First seen:	2021-04-08 07:00:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a095dbaf3cfe1ec73e97e692303310fb (2 x RaccoonStealer, 1 x CryptBot)
ssdeep	6144:mtGiRvIbje3Lwq7B0RBpS+Yfy2GQ8C4+2BgDbPSVHfoxdF8E:buQ497B0RBpSpGLC/bXgs
Threatray	747 similar samples on MalwareBazaar
TLSH	3894011239C1D433D4A259759875C2B02AAFF9F22BA081C736D53B6FAAB13D08E35753
Reporter	SecuriteInfoCom
Tags:	RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware2.22480.18960

Verdict:

Malicious activity

Analysis date:

2021-04-08 07:10:34 UTC

Tags:

trojan stealer raccoon

Link:

https://app.any.run/tasks/860e7491-4c03-4140-8b9b-c473278c3b56

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/133055/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.22480.18960.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Creating a file

Deleting a recently created file

Reading critical registry keys

Delayed reading of the file

Running batch commands

Launching a process

Sending a TCP request to an infection source

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/669692

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b4ca2c55ee1aebc8f963c87da8f160c31641bfd75808ad75273239b10dd793a/

Threat name:

Win32.Trojan.BotX

Status:

Malicious

First seen:

2021-04-08 07:01:13 UTC

AV detection:

16 of 48 (33.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fngkfrk64gxlzd4whsd5vdywbqywig75owaivv2somrzweg5pe5a._file

Verdict:

malicious

RaccoonStealer

0bae510b7238c821877790333b381f4ddd42034c5b799a3d7c1e0bff3fdcb940

RaccoonStealer

27614f810715e1ac5987d10abdac7e101227f1ff49e470cd0fee680c604d672d

RaccoonStealer

451f91c53fae29fef9d405b9b0125ea1bd561c20f2b90b26f609a0adb4aea9a8

RaccoonStealer

6a3449edd66599b768a57c56bca1cd880fd5099d465cc435c0579083c059e943

RaccoonStealer

a7b93c2fbb727ed832ef535e78fa66ad027e0ca8c9507ca5001112be967b0fe7

RaccoonStealer

af971899ab3b2be79d0e30b0426f5c02bacc978546085b0e47628081a55d01cd

RaccoonStealer

b2f42e0c46898da53cb52d2d1a7f7ea2a090b08491c8b89a4e155cf77b6ab9ed

RaccoonStealer

c0edfdbe050d2a12219c743a92d027535003cf164723b70b64962a39e9104c9d

RaccoonStealer

f8bf48e34c4002e07e7c57dc4eee52abe141b8a9cfb693325229f56cca507d40

RaccoonStealer

+ 737 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:687fc54591ef8d5772fd4c6b129cadc26dbadf74 discovery spyware stealer

Link:

https://tria.ge/reports/210408-73qte8w9ce/

Behaviour

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Raccoon

Unpacked files

SH256 hash:

f628c5debde6bc808a5a4c7ae025c5988815866fbfee0fc4dfeb299e5b8380be

MD5 hash:

e2e5b83864df401d53f578d99e61b039

SHA1 hash:

c8980dc113f89f98d7fed02481ecbd74515fa2e1

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/fcc07df4-9e2d-415e-86b3-7d50603184e6/

Parent samples :

a768e4da2a01fb5e505de3c2acefaff12d468eaa93f5af0e324c263b447d299e
af971899ab3b2be79d0e30b0426f5c02bacc978546085b0e47628081a55d01cd
2b4ca2c55ee1aebc8f963c87da8f160c31641bfd75808ad75273239b10dd793a
8dc88e24501dff5acf2683104b0313ae866e64d35afaab19ce7e366939b4cc84

SH256 hash:

2b4ca2c55ee1aebc8f963c87da8f160c31641bfd75808ad75273239b10dd793a

MD5 hash:

5fe98645af299f9560e0054ceaba54c3

SHA1 hash:

acce5b8ed572ba37bf99e264657ee1073e26b478

Link:

https://www.unpac.me/results/fcc07df4-9e2d-415e-86b3-7d50603184e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2b4ca2c55ee1aebc8f963c87da8f160c31641bfd75808ad75273239b10dd793a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	MALWARE_Win_Raccoon Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon/Racealer infostealer

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	susp_winsvc_upx Create hunting rule
Author:	SBousseaden
Description:	broad hunt for any PE exporting ServiceMain API and upx packed

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_servhelper_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator