MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eee0fe004e7d90317053ea8f10fddcc0dc4c7ab9e17ab50b96a6ea167eb855e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 2 File information Comments

SHA256 hash:	2eee0fe004e7d90317053ea8f10fddcc0dc4c7ab9e17ab50b96a6ea167eb855e
SHA3-384 hash:	aee3783a22b244a68ec836bd6bdad459d11b40a4489a5daf8626b53b6f41b8fd50f1b8c198a4d4340a307674d9ea8334
SHA1 hash:	44ecce5b2cc95d79cb5f2b6a73dadb7956748dc9
MD5 hash:	ed330ff9ffeb5c0935fddd855fb4cbc0
humanhash:	black-johnny-sweet-football
File name:	ED330FF9FFEB5C0935FDDD855FB4CBC0.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	508'552 bytes
First seen:	2021-07-24 06:55:39 UTC
Last seen:	2021-07-24 07:55:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep	12288:3GNEut+zHfclahiyShV+h/Dx70ESka9AK6k4OnMd0K:3gEukbf6asphA17VS7Uk4Td0K
Threatray	1'559 similar samples on MalwareBazaar
TLSH	T1DDB401263FADF902E86C2F7155820BB5A1B2EC5C3819DEBE12BFB95C0D365C1881515F
dhash icon	52d6996a73f5aa99 (1 x RaccoonStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://185.234.247.50/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.234.247.50/	https://threatfox.abuse.ch/ioc/162348/

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ED330FF9FFEB5C0935FDDD855FB4CBC0.exe

Verdict:

Malicious activity

Analysis date:

2021-07-24 06:59:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/aefe03a5-6129-462c-9ea4-aa0b537de17a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/173838/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46644898.29049.26197.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b4a9d65b-ecf6-4f5e-96fb-01b46b862784

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2eee0fe004e7d90317053ea8f10fddcc0dc4c7ab9e17ab50b96a6ea167eb855e/

Threat name:

ByteCode-MSIL.Infostealer.Racealer

Status:

Malicious

First seen:

2021-07-18 12:51:20 UTC

AV detection:

28 of 46 (60.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=f3xa7yae47mqgfyfh2upcd65zqg4jr5ltyl2wufznjxkcz7lqvpa._file

Verdict:

malicious

RaccoonStealer

4639173bfdc5b0702df9a307a2de81d7973b0e2196c7ba07f5ff02ec3be3beec

RaccoonStealer

55dae3a9ea2e8108b1c8552f9605f2a8f8ce7116b055d96cf1c827989ac0efd5

RaccoonStealer

824b934ef0962b68f3fa0fa48bf269e8ab08699bd88cc8fd9c22a4e4eb4a8f88

RaccoonStealer

8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0

RaccoonStealer

d6907c6b017e06a1fbe8ca89190beb214916d62cb43c75ce596c29321c4b01af

RaccoonStealer

ee22929b148bbbc5527e628d58085c517b34f546f6d06625a6e81f030f8e5d89

RaccoonStealer

fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e

RaccoonStealer

+ 1'549 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/210724-g8sawbl3de/

Behaviour

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

acee84d493030da3d1cafcd3e21256b4eccde4a60c0d4024c650b738d90fb457

MD5 hash:

dda7fd83685dc53043f4d764db431696

SHA1 hash:

dfc8d113da4b151dcc55e0a8bf4617ee4ea62709

Link:

https://www.unpac.me/results/1acea656-c3db-4479-8f31-56f184744196/

SH256 hash:

cfdd177b315364db491c505d4d26b42ce20982118bd36ad6c9b99a2b2407623b

MD5 hash:

b0b24e7e3453f2a1915a08f17ab57fea

SHA1 hash:

1c1b4965833a4c5ade1d7c57fbba7c0361e968bb

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/1acea656-c3db-4479-8f31-56f184744196/

SH256 hash:

2eee0fe004e7d90317053ea8f10fddcc0dc4c7ab9e17ab50b96a6ea167eb855e

MD5 hash:

ed330ff9ffeb5c0935fddd855fb4cbc0

SHA1 hash:

44ecce5b2cc95d79cb5f2b6a73dadb7956748dc9

Link:

https://www.unpac.me/results/1acea656-c3db-4479-8f31-56f184744196/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2eee0fe004e7d90317053ea8f10fddcc0dc4c7ab9e17ab50b96a6ea167eb855e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173838/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample