MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9
SHA3-384 hash: 92da449f998f5e8c1b219bc3830ee006da398862c82e58b4a567b9c2e7a7ca3a5e6a9786f1ad6fe8c035510d1523bf3a
SHA1 hash: 30bb8bd152acde424615ad34a9d9179894a1a6dd
MD5 hash: 2677fe21e69a9906dc92ddbdf03e60e9
humanhash: fix-maine-oven-item
File name:3EC3B418B0E06128EF80FF02866D30C8071BA54066411.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:614'400 bytes
First seen:2021-06-02 19:30:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bfd5d688dd539b059ca876a58652218 (2 x RaccoonStealer)
ssdeep 12288:/WhqSFVfadBiigSnBMQRyUnv7PPChx1BoFRfsZeJ9K:wVfx2B5zyRssk9K
Threatray 2'835 similar samples on MalwareBazaar
TLSH FED4F12A37FD407AF0624EB11AA4B7B04A7EF9365605550BE34027192FB2FC9ED1172B
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://104.155.99.141/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://104.155.99.141/ https://threatfox.abuse.ch/ioc/69470/

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3EC3B418B0E06128EF80FF02866D30C8071BA54066411.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 19:33:57 UTC
Tags:
evasion trojan stealer raccoon loader
Link:
https://app.any.run/tasks/40e63767-f9be-418b-a328-eb513529626c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164197/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796244
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 428640 Sample: 3EC3B418B0E06128EF80FF02866... Startdate: 02/06/2021 Architecture: WINDOWS Score: 100 73 Found malware configuration 2->73 75 Antivirus detection for URL or domain 2->75 77 Antivirus / Scanner detection for submitted sample 2->77 79 5 other signatures 2->79 10 3EC3B418B0E06128EF80FF02866D30C8071BA54066411.exe 13 2->10         started        process3 signatures4 89 May check the online IP address of the machine 10->89 91 Contains functionality to steal Internet Explorer form passwords 10->91 93 Maps a DLL or memory area into another process 10->93 13 3EC3B418B0E06128EF80FF02866D30C8071BA54066411.exe 91 10->13         started        process5 dnsIp6 67 tttttt.me 95.216.186.40, 443, 49741, 49766 HETZNER-ASDE Germany 13->67 69 iplogger.org 88.99.66.31, 443, 49742 HETZNER-ASDE Germany 13->69 71 2 other IPs or domains 13->71 57 C:\Users\user\AppData\...\k90rfAvaM8.exe, PE32 13->57 dropped 59 C:\Users\user\AppData\...\Of4LNtr44F.exe, PE32+ 13->59 dropped 99 Tries to steal Mail credentials (via file access) 13->99 18 k90rfAvaM8.exe 15 3 13->18         started        21 Of4LNtr44F.exe 13->21         started        23 cmd.exe 1 13->23         started        file7 signatures8 process9 signatures10 81 Contains functionality to steal Internet Explorer form passwords 18->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->83 85 Injects a PE file into a foreign processes 18->85 25 k90rfAvaM8.exe 91 18->25         started        30 WerFault.exe 20 9 21->30         started        32 WerFault.exe 21->32         started        34 conhost.exe 23->34         started        36 timeout.exe 1 23->36         started        process11 dnsIp12 61 tttttt.me 25->61 63 192.168.2.1 unknown unknown 25->63 65 aun3xk18k.space 25->65 49 C:\Users\user\AppData\...\IPTuTXEW4b.exe, PE32 25->49 dropped 51 C:\Users\user\AppData\...\bUDFlwWa6E.exe, PE32+ 25->51 dropped 53 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 25->53 dropped 55 58 other files (none is malicious) 25->55 dropped 95 Tries to steal Mail credentials (via file access) 25->95 97 Tries to harvest and steal browser information (history, passwords, etc) 25->97 38 IPTuTXEW4b.exe 25->38         started        41 cmd.exe 25->41         started        43 bUDFlwWa6E.exe 25->43         started        file13 signatures14 process15 signatures16 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->87 45 conhost.exe 41->45         started        47 timeout.exe 41->47         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-04-19 14:34:00 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3b3igfq4bqsr34a74bim3jqzadrxjkamzaroyfw64okwd2met4q._file
Verdict:
malicious
Similar samples:
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
RaccoonStealer
0f0eb4a8a538f339214f86a8b084d685a4fb51d54f258f5718393003ab1ff35b
RaccoonStealer
4a8de772cb047939cbac796b1461b5276e418fb33249cb4d41785ef37fa91a35
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
RaccoonStealer
a8fb61732f9696d24e02dda47d2f12abe0d8968e130f05d2381bb7b5a93f3ec0
RaccoonStealer
a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
RaccoonStealer
c082ed88815d66ea1bf11f905d15a39faa502d4b458a15cf31d5cd5e7bc7156e
RaccoonStealer
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
RaccoonStealer
+ 2'825 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon agilenet discovery spyware stealer
Link:
https://tria.ge/reports/210602-571mnqnbes/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164197/

Comments