MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceb40abe1bf14b26e4fc311c373a43770dfc67c8a9d0801d8ae7509e3507eebd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

SHA256 hash: ceb40abe1bf14b26e4fc311c373a43770dfc67c8a9d0801d8ae7509e3507eebd
SHA3-384 hash: 3de254f55d748d035b7b23306450d599105ec95ec7d1850402ffef842a4db4b978b16e2473930a445054f25df2b0dc97
SHA1 hash: ff09f28117d1ac62f0a2be63a0140bcdc381e902
MD5 hash: 21ab8121e4f4be76154cd35d36a5c230
humanhash: floor-aspen-robert-seven
File name: CEB40ABE1BF14B26E4FC311C373A43770DFC67C8A9D08.exe
Signature: RaccoonStealer
File size: 1'200'128 bytes
First seen: 2021-06-26 20:35:57 UTC
Last seen: 2021-06-26 21:32:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 940e37cc2afec51fd8035d0d4a0942ad (1 x RaccoonStealer)
ssdeep: 24576:GxYLC4vpP18rsGQ52x8ELTHXqzbQs9hnLJ369:ovwp9YHHCd969
Threatray: 3'011 similar samples on MalwareBazaar
TLSH: D345D016B798F221D46D4EB00A7643F4A92ABD315912891B72FDB70D2F32DC39C217A7
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch:
RaccoonStealer C2:
http://35.205.249.65/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://35.205.249.65/ | https://threatfox.abuse.ch/ioc/154052/

Intelligence


File Origin
# of uploads: 2
# of downloads: 156
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: CEB40ABE1BF14B26E4FC311C373A43770DFC67C8A9D08.exe
Verdict: Malicious activity
Analysis date: 2021-06-26 20:41:53 UTC
Tags: evasion trojan stealer raccoon loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious

Result
Threat name: Clipboard Hijacker Raccoon
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID: 440910; Sample: CEB40ABE1BF14B26E4FC311C373...; Start date: 26/06/2021; Architecture: WINDOWS; Score: 100), recovered from the graph image as a process tree:

Top-level signatures: Multi AV Scanner detection for domain / URL; Potential malicious icon found; Found malware configuration; 6 other signatures

- CEB40ABE1BF14B26E4FC311C373A43770DFC67C8A9D08.exe (process 10)
  Signatures: May check the online IP address of the machine; Contains functionality to steal Internet Explorer form passwords; Maps a DLL or memory area into another process
  - CEB40ABE1BF14B26E4FC311C373A43770DFC67C8A9D08.exe (process 17)
    Network: aun3xk19k.space 31.31.196.252, 443, 49733, AS-REGRU Russian Federation; iplogger.org 88.99.66.31, 443, 49731, HETZNER-ASDE Germany; 2 other IPs or domains
    Dropped: C:\Users\user\AppData\...\xuieaoEiIg.exe (PE32); C:\Users\user\AppData\...\xIX4a2dREb.exe (PE32+); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); 58 other files (none is malicious)
    Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)
    - xuieaoEiIg.exe (process 24)
      Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes; Contains functionality to compare user and computer (likely to detect sandboxes)
      - xuieaoEiIg.exe (process 33)
        Dropped: C:\Users\user\AppData\Roaming\...\sqlcmd.exe (PE32)
        - schtasks.exe (process 42)
          - conhost.exe (process 44)
    - cmd.exe (process 27)
      - conhost.exe (process 36)
      - timeout.exe (process 38)
    - xIX4a2dREb.exe (process 29)
      - WerFault.exe (process 40)
- sqlcmd.exe (process 13)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
  - sqlcmd.exe (process 22)
    - WerFault.exe (process 31)
      Signatures: Tries to evade analysis by execution special instruction which cause usermode exception
- sqlcmd.exe (process 15)
Threat name: Win32.Infostealer.Racealer
Status: Malicious
First seen: 2021-04-16 12:50:10 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon agilenet discovery spyware stealer
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Unpacked files
SHA256 hash: 359689ec19613190600ec46107c7914b2fcf2d94af217d3ce992635b49bc5c4a
MD5 hash: 54aa199b30f3f41d3ef4b9541bd66c0e
SHA1 hash: 70bae4d84635b1d3074e6fbdb5145b3a057e01e6
Detections: win_raccoon_auto

SHA256 hash: ceb40abe1bf14b26e4fc311c373a43770dfc67c8a9d0801d8ae7509e3507eebd
MD5 hash: 21ab8121e4f4be76154cd35d36a5c230
SHA1 hash: ff09f28117d1ac62f0a2be63a0140bcdc381e902

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
