MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce52786353f1f9cc7cf89e91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce52786353f1f9cc7cf89e91
SHA3-384 hash:	3d5de4c633f1f497d03566a527f0233544fa068b489d8f8c0b232a44bb4ebe2047a1cfcf43a4f87e98c294a9c0e9af67
SHA1 hash:	6bf206cbc606541b4ad947cc52b32f83bb75f9fc
MD5 hash:	538966ca17f737c5918871db7f12a744
humanhash:	hamper-sink-lithium-burger
File name:	6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce527.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	671'744 bytes
First seen:	2022-02-03 09:46:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bb549f57f2afd62976d0e4074d762a0f (1 x RaccoonStealer, 1 x CoinMiner.XMRig)
ssdeep	12288:sQBjiXlOi+Rurh2YY1oYaNKpoEvOBj5Cx6ZMu6vmg6y:sQJeleRur3hYyIoELx6ZX6l
Threatray	8'639 similar samples on MalwareBazaar
TLSH	T1BFE4121075C2D032D0E346750869DB70AA7BBF375E7B814B376593AE9F713B0422636A
File icon (PE):
dhash icon	fcfc94b4b494d9c1 (16 x Amadey, 15 x Smoke Loader, 5 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe RaccoonStealer

abuse_ch

RaccoonStealer C2:
http://91.219.236.18/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://91.219.236.18/	https://threatfox.abuse.ch/ioc/378337/

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/231853/

Detection(s):

Win.Malware.Generic-9938273-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Сreating synchronization primitives

Sending an HTTP GET request

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

gandcrab greyware packed racealer

Link:

https://www.filescan.io/uploads/61fba47918d1bfdde4ef243b/reports/a066898f-1dc7-4cbf-936f-0e3df44fc15a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ccee5f80-e513-4b95-802c-472d802a9fe4

Result

Threat name:

Raccoon

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933186

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce52786353f1f9cc7cf89e91/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-03 00:47:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nmvr5zkwj5e3hnoq5x2neep5qvukryo5zzjhqy2t6h44y7hyt2iq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

55e255ef816091c759f9ec529c10870104fedd7ed74d7936b396c4541d806357

RaccoonStealer

84a1953e1964885eee0c73a77decbd59896295464a6fb64903f9275c1af56665

RaccoonStealer

c99134879d691e2bbbf506c3fcc992d1c7b4153c07e7f3952b80c92c944e5539

RaccoonStealer

e438f74e71aa80712289eaac851a59a481b24e46ba5d607e3cd42aeea6129bd8

RaccoonStealer

eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9

RaccoonStealer

+ 8'629 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:97440559aa600fdf11b5d973d306af5470f07592 stealer

Link:

https://tria.ge/reports/220203-lrqjdafcb4/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Raccoon

Unpacked files

SH256 hash:

12287e9d97b24a41dca13b0808fa9d6e19e973230cb0413e8c0f49df706b0798

MD5 hash:

794e1e8cf2e19b9b9ffc46b21421602c

SHA1 hash:

4ec3319d1abb5a23fd8bac8ea8c6dc91a0a306bc

Detections:

win_raccoon_auto

Link:

https://www.unpac.me/results/6e6789c0-cd20-4498-a363-4209b7d094ed/

Parent samples :

4dd01a8d65fe6852b72d8f20b5c0381014b924a1e8f4a74e7127605f4833d840
966983c5b7ca38d1d9feb23a203f54cfb98ee08163541d5b369a61157d5e30e1
33c853d0f6d5467701301b6c4dfcf49da0e556b3ac2363b5619f673033627dca
55e255ef816091c759f9ec529c10870104fedd7ed74d7936b396c4541d806357
df1956c9c78bee24fd2c934c2c40d7494eb38c5ee43cbc702b6f397653ce818b
bf8c82f5f3651a7e6005b7ae9d1dfb0f7184f169b521d26b93dfb11172dfea21
f158128e478896a5522d97a2b1490fa30246b0a2eac1cdd8b417df8e36cd06f3
6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce52786353f1f9cc7cf89e91
47cfc46cf65a5efb244a0d4d9c07fc4ad66915e7e02af5ea9416012275344165
0ed974de469222788be4db09ddf1720ea96a39e959df8eda85e6dcccb73e4a59
4e89904593d8709d655956623fedffb7137ece77ea70c4097e8f4390952c7f4d

SH256 hash:

6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce52786353f1f9cc7cf89e91

MD5 hash:

538966ca17f737c5918871db7f12a744

SHA1 hash:

6bf206cbc606541b4ad947cc52b32f83bb75f9fc

Link:

https://www.unpac.me/results/6e6789c0-cd20-4498-a363-4209b7d094ed/

Malware family:

Raccoon v1.7.2

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6b2b1ee5564f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce52786353f1f9cc7cf89e91

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

exe 6b2b1ee5564f49b3b5d0edf4d211fd8568a8e1ddce52786353f1f9cc7cf89e91

(this sample)

Cape

https://www.capesandbox.com/analysis/231853/

URLhaus

https://urlhaus.abuse.ch/url/2026552/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample