MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539
SHA3-384 hash: 062d724684b73f6a99284876a001393db699b61a01e3e1153382cad7f174c106255f175214e56105128eb8e3b60c9264
SHA1 hash: 6106db9e52739702020af37a0bc6666b63020881
MD5 hash: 8ac6d2ddf561719d09b5d4a7df855f37
humanhash: quebec-alanine-yankee-wyoming
File name:8ac6d2ddf561719d09b5d4a7df855f37.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:122'368 bytes
First seen:2021-09-23 12:51:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f7987bf55fcab080da60dcb9686a7f63 (9 x RedLineStealer, 3 x RaccoonStealer, 2 x Tofsee)
ssdeep 1536:ErJu0xoFaPuQrUUttiXxzVfELOMflA24/55kxHwvoSk4D3LhU+x0n:CJu0uKrtazwR6D/55kxHwQS1Dl4
Threatray 6'492 similar samples on MalwareBazaar
TLSH T1DEC37C12F6E1C432D7F74A7548F5C6915A3FB8322A74899B764C125E4F226C28A3731F
File icon (PE):PE icon
dhash icon 1072c293b0381906 (17 x RedLineStealer, 5 x Stop, 4 x DanaBot)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.204.36/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.36/ https://threatfox.abuse.ch/ioc/225650/

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190755/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.2082.4311.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15000ebb-7afe-41b1-9f37-bb1a71de7de0
Result
Threat name:
Raccoon RedLine SmokeLoader Tofsee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856727
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 489160 Sample: ZSedt9YmzB.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 61 f0577057.xsph.ru 2->61 63 185.163.204.36, 49837, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 2->63 65 6 other IPs or domains 2->65 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Multi AV Scanner detection for dropped file 2->77 81 15 other signatures 2->81 11 ZSedt9YmzB.exe 2->11         started        14 hejbbir 2->14         started        16 svchost.exe 1 2->16         started        18 3 other processes 2->18 signatures3 79 May check the online IP address of the machine 61->79 process4 signatures5 99 Detected unpacking (changes PE section rights) 11->99 101 Contains functionality to inject code into remote processes 11->101 103 Injects a PE file into a foreign processes 11->103 20 ZSedt9YmzB.exe 11->20         started        105 Multi AV Scanner detection for dropped file 14->105 107 Machine Learning detection for dropped file 14->107 23 hejbbir 14->23         started        process6 signatures7 83 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->83 85 Maps a DLL or memory area into another process 20->85 87 Checks if the current machine is a virtual machine (disk enumeration) 20->87 89 Creates a thread in another existing process (thread injection) 20->89 25 explorer.exe 18 20->25 injected process8 dnsIp9 67 193.56.146.41, 49770, 9080 LVLT-10753US unknown 25->67 69 216.128.137.31, 80 AS-CHOOPAUS United States 25->69 71 2 other IPs or domains 25->71 53 C:\Users\user\AppData\Roaming\hejbbir, PE32 25->53 dropped 55 C:\Users\user\AppData\Local\Temp\751A.exe, PE32 25->55 dropped 57 C:\Users\user\AppData\Local\Temp\6C4F.exe, PE32 25->57 dropped 59 7 other files (6 malicious) 25->59 dropped 109 System process connects to network (likely due to code injection or exploit) 25->109 111 Benign windows process drops PE files 25->111 113 Deletes itself after installation 25->113 115 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->115 30 751A.exe 25->30         started        33 64EC.exe 25->33         started        35 6C4F.exe 2 25->35         started        37 1B26.exe 2 25->37         started        file10 signatures11 process12 file13 117 Machine Learning detection for dropped file 30->117 119 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 30->119 121 Writes to foreign memory regions 30->121 133 2 other signatures 30->133 40 RegSvcs.exe 3 30->40         started        123 Detected unpacking (changes PE section rights) 33->123 125 Injects a PE file into a foreign processes 33->125 42 64EC.exe 33->42         started        127 Antivirus detection for dropped file 35->127 129 Multi AV Scanner detection for dropped file 35->129 45 6C4F.exe 2 35->45         started        47 conhost.exe 35->47         started        51 C:\Users\user\AppData\Local\...\ombnhdoe.exe, PE32 37->51 dropped 131 Detected unpacking (overwrites its own PE header) 37->131 signatures14 process15 signatures16 49 conhost.exe 40->49         started        91 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->91 93 Maps a DLL or memory area into another process 42->93 95 Checks if the current machine is a virtual machine (disk enumeration) 42->95 97 Creates a thread in another existing process (thread injection) 42->97 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539/
Threat name:
Win32.Backdoor.Tofsee
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 12:52:10 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6rtcgqadtin5ualdpzu7dles6oo7oeqhru2gum5u533wqydou4q._file
Verdict:
malicious
Similar samples:
286ac923f7619b720847b3820652ca94b3b09ee4885e581ced04e8f1395713b9
RaccoonStealer
4ce736beca7ebfdae1fca1c504ef9482ada58dbf573fd57434aef6de2b36c9d6
RaccoonStealer
73d3930011ac4fb1ac1ec5b4d339c001a9892c152fbc8be47b81d8ff559018ca
RaccoonStealer
79df67c7efab39b9b413c0844b58b8597c32ff7870225bbc1d2e300416ec5b4e
RaccoonStealer
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
RaccoonStealer
8eea00bd7d1db820c7a1b5622119b76944215e5803c2e8b772b9548e9ee91c66
RaccoonStealer
9664922ce8e322f3e2902a458b8a00f19515d2cd9c5802482e4e2d40fce8b861
RaccoonStealer
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
RaccoonStealer
ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
RaccoonStealer
fe7e25d0fd410494f9d8299439faf7d89edb627b494c882d2b33c94625c7c35c
RaccoonStealer
+ 6'482 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:tofsee family:xmrig botnet:5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 botnet:anal2 botnet:qq backdoor discovery evasion infostealer miner persistence spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/210923-p34f6aecfl/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Modifies security service
Raccoon
RedLine
RedLine Payload
SmokeLoader
Tofsee
Windows security bypass
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
xmrig
Malware Config
C2 Extraction:
http://hamilaharr6.top/
http://bartanayane7.top/
http://zesiahavie8.top/
http://hancarlenei9.top/
http://samillavakiv10.top/
http://feryleromand11.top/
http://ubrianella12.top/
http://hepryceeaaa13.top/
http://viahalexandy14.top/
http://wenataliana15.top/
135.181.142.223:30397
45.67.231.145:10991
Unpacked files
SH256 hash:
14cd529ab1a67eeed2fdf0fe71a08b9dc8ecf61384072f676b4ff9ec3ef8fe74
MD5 hash:
125ecb7456bb5a2c5c724c2eca56f87e
SHA1 hash:
982aaa66cda8c0500e0811aa9e447cba4f0752ff
Link:
https://www.unpac.me/results/eb2d98e9-1b8e-4d6b-a461-9edc8d8b362f/
SH256 hash:
2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539
MD5 hash:
8ac6d2ddf561719d09b5d4a7df855f37
SHA1 hash:
6106db9e52739702020af37a0bc6666b63020881
Link:
https://www.unpac.me/results/eb2d98e9-1b8e-4d6b-a461-9edc8d8b362f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 2fa3311a001cd0ded00b1bf34f8d64979cefb8903c69a3519da777bb43037539

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1639930/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190755/

Comments