MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 8


SHA256 hash: 2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
SHA3-384 hash: 591f9d3d909250170c1fd34b0260e3a1bb1783536b0ef728fa97ed2f3febe461827a1549fb39bceb5eade9a1b92a6767
SHA1 hash: 9db17df61d6222c8d96a3969887d27c1568e4e7b
MD5 hash: 0b3937c39ea113c3352090ac5ce26103
humanhash: zebra-april-eight-fillet
File name: 0B3937C39EA113C3352090AC5CE26103.exe
Signature: RaccoonStealer
File size: 19'736'743 bytes
First seen: 2021-08-11 09:20:36 UTC
Last seen: 2021-08-11 09:51:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep: 393216:6Y+TwhZBn9zau6aa17rtANXDa8H1Ecuv9WA2R+y3prshUy:6Y+UV9zau6lKNTLJ29QRy
Threatray: 41 similar samples on MalwareBazaar
TLSH: T14E173327B659713EC4BD2B3501B3A51069FBB668F816AE1235E0C84CCF660D11E3FA79
dhash icon: 7078d8ccd4d4cc69 (1 x RaccoonStealer)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://74.119.195.135/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      | ThreatFox Reference
http://74.119.195.135/   | https://threatfox.abuse.ch/ioc/171652/

Intelligence


File Origin
# of uploads: 2
# of downloads: 118
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0B3937C39EA113C3352090AC5CE26103.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-11 09:23:56 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Sending a UDP request
Deleting a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Connection attempt
Sending a custom TCP request
Launching a service
Replacing files
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Clipboard Hijacker
Detection:
malicious
Classification:
spyw.evad
Score:
58 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates an autostart registry key pointing to binary in C:\Windows
Disable Windows Defender notifications (registry)
Injects a PE file into foreign processes
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: WannaCry Ransomware
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to download files via bitsadmin
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph (ID 463197; sample oGgH8vgU0Z.exe; start date 11/08/2021; architecture WINDOWS; score 58):

Network:
  74.119.195.135 (ports 49763, 80), MOVECLICKLLCUS, United States
  telete.in / 195.201.225.248 (ports 443, 49762), HETZNER-ASDE, Germany
  192.168.2.1 (unknown), contacted by a svchost.exe instance
  4 other IPs or domains

Signatures at the root node: Sigma detected: WannaCry Ransomware; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures

Process tree, dropped files and per-process signatures:
  oGgH8vgU0Z.exe
    drops C:\Users\user\AppData\...\oGgH8vgU0Z.tmp (PE32)
    starts oGgH8vgU0Z.tmp
      drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32), C:\ProgramData\uzlyLtM20yixSdV\is-SUU31.tmp (PE32+), 5 other files (none is malicious)
      starts wscript.exe
        starts cmd.exe (three instances)
          cmd.exe 1: Tries to download files via bitsadmin; starts reg.exe (Disable Windows Defender notifications (registry)), conhost.exe, bitsadmin.exe
          cmd.exe 2: starts 111.exe (Injects a PE file into foreign processes), 7z.exe (drops C:\ProgramData\uzlyLtM20yixSdV\...\111.exe, PE32), conhost.exe, 3 other processes
          cmd.exe 3: starts 2 other processes
      starts Revo Uninstaller Pro 4.2.3.exe
        drops C:\Users\...\Revo Uninstaller Pro 4.2.3.tmp (PE32)
        starts Revo Uninstaller Pro 4.2.3.tmp
          drops C:\Users\user\AppData\...\iswin7logo.dll (PE32), C:\Users\user\AppData\Local\...\botva2.dll (PE32), C:\Users\user\AppData\Local\Temp\...\b2p.dll (PE32), 17 other files (none is malicious)
          starts rundll32.exe
            drops C:\Windows\system32\...\revoflt.sys (copy) (PE32+), C:\Windows\System32\drivers\SETBCF7.tmp (PE32+)
            Creates an autostart registry key pointing to binary in C:\Windows
            starts runonce.exe
              starts grpconv.exe
  svchost.exe (two instances): one flagged "System process connects to network (likely due to code injection or exploit)", the other contacts 192.168.2.1
  2 other processes
Threat name:
Win32.Trojan.Pasnaino
Status:
Malicious
First seen:
2021-08-09 14:55:50 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
5/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:raccoon botnet:0343d4da493d263f78921a8724ca6adf05347cfe discovery evasion spyware stealer trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Raccoon
Raccoon Stealer Payload
UAC bypass
Unpacked files
SHA256 hash:
8c476862977612eaba3f1aa6562b31b17520b6331dce761b19e17e8f5876de66
MD5 hash:
367b6f802ece82ca85955e6feb915fee
SHA1 hash:
f4f09d71bec87dc1509d16fdbe51a6afbbdaf84c
SHA256 hash:
5ad3cf874bbb2c8807ad9544fefe1c7a99c99ca4d0c6afbe1dc9f7cc5f48cb1d
MD5 hash:
98e0e2e607e37658a8eaa2d647300621
SHA1 hash:
caa74c654cee2635216dbcd653cbcdf7a84076f7
SHA256 hash:
55a7b6e88f03528c8cdcc4cfff9a7e5efce3c9d3d21023ef2b37aa228b530ddc
MD5 hash:
850d12295447dbcd9e38a073aef72fb6
SHA1 hash:
bb8e998ed8b2e07d5ffec82509019df134468643
SHA256 hash:
2f6684c737abbb4896c676f947324e1444b130c7494d44e50c832aa0a6e27c12
MD5 hash:
ba2b0397a1517ca36a82e9a21e290e41
SHA1 hash:
ad31efc1b4d01f7d9b11c48b5097fc6b03e0b439
SHA256 hash:
e60d85e3225aad5397513fb3a1247da025c0602e233587c1193258dae92ead68
MD5 hash:
b41745d1c49c1b5327ad465151649793
SHA1 hash:
56035a9c146858082bb52aeb20d44e7e55dc18d1
SHA256 hash:
9482ca79e2fa257e32f822877ec5fc7451a6d9d9710bf7a04f0673cfad273e27
MD5 hash:
d7d8ad0ed5b70ad177cb15b3e3c70744
SHA1 hash:
4a9096dbd6ff9fa03653c1f2207a51b4d6da2a4e
SHA256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
SHA256 hash:
ca0a5b43e255d0fa7205be3437ea706eda966dd1839ae01d1de1d3b62f832994
MD5 hash:
d0e24e6d7017127bea02bb0160229bee
SHA1 hash:
34350e5b7f268797b2a7ec56390c2228f841b37b
SHA256 hash:
0394a50f7c9cd288fa6461d5fe1953e0c6ea3189547b66385751393ea4cbcf4b
MD5 hash:
939f849d93a4980091c5f1f5579aea67
SHA1 hash:
874377abc81e46a914e4dd5590a0443b2cd47987
SHA256 hash:
12585e1bf0451abf01b5c2d02a4ac8d2a1f6318d5084f71eb685bd9c350d26ab
MD5 hash:
49aa650d4991c69a89fe53a0e8cc6738
SHA1 hash:
01366805dbf6dff73a738fac133d9dd3e613391a
SHA256 hash:
711e25e09b5b70cd6f655fac98c8f5a090a98cceb3da6cd48fe217f4039daec3
MD5 hash:
bb2031e451dc762c85381e2ffc051491
SHA1 hash:
35e9ff066d4d0f05126286dc04039723cb1e1c95
SHA256 hash:
58e51a399403587bac0025192ceb885f0331cc64d72b36ee11fcad9264601521
MD5 hash:
ed1022cc2585554e2115eab4003022da
SHA1 hash:
da99701ea5f1c8479b74d1b8e833067ec4c5f096
SHA256 hash:
2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
MD5 hash:
0b3937c39ea113c3352090ac5ce26103
SHA1 hash:
9db17df61d6222c8d96a3969887d27c1568e4e7b
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments