MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d2a3832a1b693d9f5eed571212585443e6ee282429160973d67e17736c43629. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d2a3832a1b693d9f5eed571212585443e6ee282429160973d67e17736c43629
SHA3-384 hash: 783e8bcac63b48e6c29bcf84737c89929f8d3d5204bff1e65f6e2c15346ce86e8628afefb13b82a6248037c23059a980
SHA1 hash: a465f5d3ccc65edf6e23229b2befe82088c8806f
MD5 hash: 2557b7ae7f15fd73fd4a4b6c9cc2990e
humanhash: bacon-lion-berlin-carolina
File name:2557b7ae7f15fd73fd4a4b6c9cc2990e.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'146'688 bytes
First seen:2022-02-09 18:25:57 UTC
Last seen:2022-02-09 20:05:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 41304e4befbbd8a63ad6ec59f252160b (56 x RedLineStealer, 4 x RaccoonStealer, 2 x CoinMiner)
ssdeep 49152:iWhMWpPiW1DHm3mFTgeMYf0Oeo/NoBSyFyTIpCK/mnf7YYbnEiwR8CFnqMFCEzsX:TpPiWQ21gbYpGTsk0oiwRB5lXS04c6d
Threatray 6'644 similar samples on MalwareBazaar
TLSH T16D16330662D1C6D4F9C867B21AE32A578CFE711748AFFE2A00DD8D58F059BB1E671843
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://185.163.204.20/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.163.204.20/ https://threatfox.abuse.ch/ioc/384586/

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://procrackerz.org/
Verdict:
Malicious activity
Analysis date:
2022-02-05 15:52:32 UTC
Tags:
opendir trojan stealer raccoon loader
Link:
https://app.any.run/tasks/3a0810fa-087f-4900-a01f-b843ece0bae9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239806/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request
Sending an HTTP POST request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
DNS request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed raccoon racealer wacatac yakes
Link:
https://www.filescan.io/uploads/62040747942573cad44c48c0/reports/b63c8a2e-0188-4a23-b397-262e054ad92f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1b245d2-fdd4-438e-9d1f-c27a54ff8217
Result
Threat name:
Clipboard Hijacker Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937156
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to prevent local Windows debugging
DLL side loading technique detected
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 569630 Sample: gBIqPAcGLq.exe Startdate: 09/02/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 7 other signatures 2->60 10 gBIqPAcGLq.exe 2->10         started        13 oobeldr.exe 2->13         started        15 oobeldr.exe 2->15         started        process3 signatures4 76 Writes to foreign memory regions 10->76 78 Allocates memory in foreign processes 10->78 80 Tries to detect virtualization through RDTSC time measurements 10->80 82 Injects a PE file into a foreign processes 10->82 17 AppLaunch.exe 82 10->17         started        22 WerFault.exe 23 9 10->22         started        84 Contains functionality to prevent local Windows debugging 13->84 process5 dnsIp6 48 185.163.45.239, 49758, 80 MIVOCLOUDMD Moldova Republic of 17->48 50 185.163.204.20, 49759, 80 CAUCASUS-CABLE-SYSTEMCCSAutonomousSystemGE Germany 17->50 52 45.84.0.253, 49764, 80 ALEXHOSTMD Russian Federation 17->52 36 C:\Users\user\AppData\...\SdxXsAZQnX.exe, PE32 17->36 dropped 38 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 17->38 dropped 40 C:\Users\user\AppData\LocalLow\...\nss3.dll, PE32 17->40 dropped 44 57 other files (1 malicious) 17->44 dropped 62 Tries to steal Mail credentials (via file / registry access) 17->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 17->64 66 Tries to harvest and steal browser information (history, passwords, etc) 17->66 68 2 other signatures 17->68 24 SdxXsAZQnX.exe 17->24         started        42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->42 dropped file7 signatures8 process9 signatures10 70 Writes to foreign memory regions 24->70 72 Allocates memory in foreign processes 24->72 74 Injects a PE file into a foreign processes 24->74 27 AppLaunch.exe 1 24->27         started        30 WerFault.exe 19 9 24->30         started        process11 file12 46 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 27->46 dropped 32 schtasks.exe 1 27->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d2a3832a1b693d9f5eed571212585443e6ee282429160973d67e17736c43629/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-02-06 02:22:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
34 of 43 (79.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nuvdqmvbw2j5t5po2vyscjmfiq7g5yucikiwbfz5m7qxonwegyuq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0dc9020d1da0f60fb0ea2b10ee9e6930f67e5d3bc5859ba390973e5165d86b7a
RaccoonStealer
15ec70046b6bcf402d46edfc374574ada52bb672a956d38b9c04677873c59543
RaccoonStealer
1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90
RaccoonStealer
7616d28ae0259737b65234b689f0ed88875aaede87f2408068ad41144dd489d0
RaccoonStealer
8f0ce948ee3b5f284eed19d5065de393931e6979eac0d177464d55e2e470c3e7
RaccoonStealer
94b6f442982377412659b219dffc88f6d171b044c66583cc025335de2f8e6aa4
RaccoonStealer
c25d1fe88e1b97a9b07941683641db28863d24e4c422a9cb4033db3cf641a9ae
RaccoonStealer
+ 6'634 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220209-w27whsbdcj/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
8f4e1f04c8b323955fe4cee45dd62969fe36095798b88c1d4af0089f13e2887b
MD5 hash:
229d334df3523b0e0cf560bfb79c6e91
SHA1 hash:
8021a14a37351e1e91954c7f4d001911e7e0f036
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/81900043-ec8e-4f7a-8fe4-26f05c18fbf5/
Parent samples :
5f1cae348c31c954f11e1b846cbcd7ad139c537e1025a5e4a3d314208e329a3c
6d2a3832a1b693d9f5eed571212585443e6ee282429160973d67e17736c43629
SH256 hash:
6d2a3832a1b693d9f5eed571212585443e6ee282429160973d67e17736c43629
MD5 hash:
2557b7ae7f15fd73fd4a4b6c9cc2990e
SHA1 hash:
a465f5d3ccc65edf6e23229b2befe82088c8806f
Link:
https://www.unpac.me/results/81900043-ec8e-4f7a-8fe4-26f05c18fbf5/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/239806/

Comments