MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e0f1121fb42a6a7dc4cd217cf2ec58e3438351e9d4fe150e89c6700c75195ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	2e0f1121fb42a6a7dc4cd217cf2ec58e3438351e9d4fe150e89c6700c75195ab
SHA3-384 hash:	15b6c4dc31b0fca9ba8260626d51939362ba317a553fb41a2d9f4b95623469c8b0595c654cc47d4ece15f750f5608465
SHA1 hash:	cf4331b31754a1656f48ff62439fb7f766c5e1e1
MD5 hash:	b9731f4788e0be7a4284bcf496b74378
humanhash:	oven-zulu-fillet-robin
File name:	b9731f4788e0be7a4284bcf496b74378.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	559'104 bytes
First seen:	2022-02-10 07:05:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5d5ea99353835429c4a88fcee781ef0d (1 x Amadey, 1 x RaccoonStealer)
ssdeep	6144:7gkcBLQebGMHJq5uQxTQ73X8c3/xCZsuryDrTHhgsoO2eOAOpMS3BMNmdhigab6:dcBkeb3pq5uQ5SsexVrtg02fAOqQTWD
Threatray	4'665 similar samples on MalwareBazaar
TLSH	T1AAC40112BA80C833D59E1D794424DAE5197BF8318A24EA0BF758BB5F2E306D1667730F
File icon (PE):
dhash icon	a3bcdcac9cccb494 (1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.163.204.20/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.163.204.20/	https://threatfox.abuse.ch/ioc/384586/

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/240448/

Detection(s):

Win.Dropper.LokiBot-9938483-0

Win.Packed.Filerepmalware-9938574-0

Win.Malware.Generic-9938672-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Sending an HTTP POST request

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Searching for the window

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6204b962942573cad44ec9a8/reports/2b749841-aedc-4a4d-bef6-c342c930620f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a5f2fbef-25df-4fea-88fc-c294b09c09c0

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/937389

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Raccoon Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e0f1121fb42a6a7dc4cd217cf2ec58e3438351e9d4fe150e89c6700c75195ab/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-06 19:16:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

37 of 43 (86.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fyhrcip3iktkpxcm2il46lwfry2dqni6tvh6cuhitrtqbr2rswvq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

0a7682c0607e0fcb3580d28aec0e3439d6eae0cde1ab3359832046f7f33cdb0f

RaccoonStealer

0b204af2061ae9985f4dbc95a6108c85136e0850cd59f8394ae58ab6610ebcdb

RaccoonStealer

15f994bbaf8a66f84e627fbb55798e7691afdccdf893f8af63b38cd2c4a7f09b

RaccoonStealer

2d2a03a2eb59a64eef9f15d160a2919707c5dee2844144d8ec9fdaae724a4162

RaccoonStealer

33c853d0f6d5467701301b6c4dfcf49da0e556b3ac2363b5619f673033627dca

RaccoonStealer

84a1953e1964885eee0c73a77decbd59896295464a6fb64903f9275c1af56665

RaccoonStealer

+ 4'655 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:f421f5a2a2bbfd503df491447166198fe1183bd4 stealer

Link:

https://tria.ge/reports/220210-hw41safgf3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Raccoon

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

ebf01ccae6c164e12ad0e54af8641d6f836bf948b6bca39215a7d80ab478e2ac

MD5 hash:

0153b6c0feea2469da08781914b9f231

SHA1 hash:

68396e404e2a2d366d082ecd8f061b895876b4cf

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/4db558d8-da40-4eba-a0b4-6c41b865e1d2/

SH256 hash:

2e0f1121fb42a6a7dc4cd217cf2ec58e3438351e9d4fe150e89c6700c75195ab

MD5 hash:

b9731f4788e0be7a4284bcf496b74378

SHA1 hash:

cf4331b31754a1656f48ff62439fb7f766c5e1e1

Link:

https://www.unpac.me/results/4db558d8-da40-4eba-a0b4-6c41b865e1d2/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/240448/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample