MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2669e627de7b20f97e8907844f237cad68533f68d8e9afe231310eada7355bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

SHA256 hash: a2669e627de7b20f97e8907844f237cad68533f68d8e9afe231310eada7355bc
SHA3-384 hash: 43fe8b3d41b0bef2012a019b32d3f17a8d7b1119575a8d246f1a0db59c5808d01a23156084c1f695963e6a2a7f6b10b7
SHA1 hash: 089dab547bcadf1089f3b10e21fec0edfbd5d2a1
MD5 hash: ecaca02755471850373dd0aabafdb9bb
humanhash: carbon-tennis-washington-mike
File name: ecaca02755471850373dd0aabafdb9bb.exe
Signature: RaccoonStealer
File size: 863'232 bytes
First seen: 2021-05-25 07:09:39 UTC
Last seen: 2021-05-25 08:05:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cdba31eb15eac28b6bd8bfecbb97f747 (2 x RaccoonStealer, 1 x Loki, 1 x CryptBot)
ssdeep: 24576:Tt5nXk187g784Qn3o3PVBnCrdogSALeDk3h7hmJW+i:Zxk18+FFdBnCrdjKg7hmJd
Threatray: 122 similar samples on MalwareBazaar
TLSH: C505F120AEA1D034F5BB01B046B2D678753ABDE16B3444EF23D43AEE55786E4AD3074B
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 120
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: rans.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Behaviour
Behavior Graph (process tree):
Behavior Graph ID: 423676
Sample: OxTWO6bcQM.exe
Start date: 25/05/2021
Architecture: WINDOWS
Score: 100
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures

OxTWO6bcQM.exe (four instances started from the sample)
  Instance 1: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes many files with high entropy
    -> OxTWO6bcQM.exe: network api.2ip.ua (77.123.139.190, port 443, local ports 49712, 49716; VOLIA-ASUA Ukraine), 192.168.2.1 (unknown); drops C:\Users\user\AppData\...\OxTWO6bcQM.exe (PE32), C:\Users\...\OxTWO6bcQM.exe:Zone.Identifier (ASCII); starts icacls.exe
      -> OxTWO6bcQM.exe: Injects a PE file into a foreign processes
        -> OxTWO6bcQM.exe: network asvb.top (35.235.74.220, local ports 49717, 49718, 49719; GOOGLEUS United States), api.2ip.ua; drops C:\Users\user\AppData\...\updatewin2.exe (PE32), C:\Users\user\AppData\...\updatewin1.exe (PE32), C:\Users\user\AppData\Local\...\5.exe (PE32), 306 other files (297 malicious); Modifies existing user documents (likely ransomware behavior)
          -> 5.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes many files with high entropy; Injects a PE file into a foreign processes
            -> 5.exe: network tttttt.me (95.216.186.40, port 443, local port 49727; HETZNER-ASDE Germany), genericalphabet.top (35.197.240.92, port 443, local port 49728; GOOGLEUS United States); drops C:\Users\user\AppData\...\pY4zE3fX7h.zip (Zip), C:\Users\user\AppData\...\X2Ix2OScWpD.zip (Zip), C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32), 58 other files (none is malicious); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
              -> cmd.exe -> conhost.exe, timeout.exe
          -> updatewin2.exe: drops C:\Windows\System32\drivers\etc\hosts (ASCII); Mutes Antivirus updates and installments via hosts file black listing; Modifies the hosts file
          -> updatewin1.exe -> updatewin1.exe -> powershell.exe -> conhost.exe
  Instance 2: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
    -> OxTWO6bcQM.exe: network asvb.top; drops C:\Users\user\Desktop\OxTWO6bcQM.exe (data)
  Instance 3 -> OxTWO6bcQM.exe
  Instance 4 -> OxTWO6bcQM.exe
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2021-05-25 06:48:19 UTC
File Type: PE (Exe)
Extracted files: 37
AV detection: 20 of 46 (43.48%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:1d76a465540f6a904ac9f1310fe3a3824b5b4549 discovery evasion persistence ransomware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies extensions of user files
Deletes Windows Defender Definitions
Raccoon
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RaccoonStealer
Executable exe a2669e627de7b20f97e8907844f237cad68533f68d8e9afe231310eada7355bc (this sample)
Delivery method: Distributed via web download

Comments