MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffa212f2e4a69930a47fab0c12b6e2d98c590dd18c5ee1115e5ea4571b89ac50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffa212f2e4a69930a47fab0c12b6e2d98c590dd18c5ee1115e5ea4571b89ac50
SHA3-384 hash: ff7a1809967b02537de4a176ba1eb22e55b22eb7a3100f728ffab12093ff5f163fb2c5875ab17574e929befbf8795af4
SHA1 hash: 7a54f08edcd6d9a1fb1db142ee18b689014a514e
MD5 hash: 49e3f1ba228f5b076eabbe045cda84f3
humanhash: green-twenty-comet-nitrogen
File name:49E3F1BA228F5B076EABBE045CDA84F3.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:17'147'138 bytes
First seen:2021-09-05 10:36:06 UTC
Last seen:2021-09-05 12:17:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 393216:lolMJCXup7T1lLLpCUFXyLZ2bLG7h2clq1A2AUQ5:l8X819iZYNuj
Threatray 3'215 similar samples on MalwareBazaar
TLSH T1D807332BB295A53DD4AA2B350573A11088FBBB2DE4177E5627E0C48CCF365C01E3BE65
dhash icon c0d4ec80b0b4b4e4 (5 x RaccoonStealer, 4 x RedLineStealer, 4 x LummaStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.173/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.173/ https://threatfox.abuse.ch/ioc/215894/

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
49E3F1BA228F5B076EABBE045CDA84F3.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-05 10:38:35 UTC
Tags:
installer
Link:
https://app.any.run/tasks/d50e29cf-ee14-44d6-bc17-1e1764931191

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Moving a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Replacing files
Sending a UDP request
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d5570c6-a63a-4896-9090-dbaa880620ec
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
50 / 100
Link:
https://www.joesandbox.com/analysis/845526
Signature
Antivirus / Scanner detection for submitted sample
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477958 Sample: 1eaXUW3rL1.exe Startdate: 05/09/2021 Architecture: WINDOWS Score: 50 79 Antivirus / Scanner detection for submitted sample 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected AntiVM3 2->83 85 3 other signatures 2->85 9 1eaXUW3rL1.exe 2 2->9         started        12 svchost.exe 1 2->12         started        14 svchost.exe 2->14         started        process3 file4 65 C:\Users\user\AppData\...\1eaXUW3rL1.tmp, PE32 9->65 dropped 16 1eaXUW3rL1.tmp 8 21 9->16         started        process5 file6 55 IObit.StartMenu.8.....1.Final.exe (copy), PE32 16->55 dropped 57 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 16->57 dropped 59 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 16->59 dropped 61 5 other files (none is malicious) 16->61 dropped 19 IObit.StartMenu.8.vPro.5.3.0.1.Final.exe 2 16->19         started        23 wscript.exe 1 16->23         started        process7 dnsIp8 77 5.3.0.1 LINKEM-ASIT Russian Federation 19->77 63 IObit.StartMenu.8.vPro.5.3.0.1.Final.tmp, PE32 19->63 dropped 25 IObit.StartMenu.8.vPro.5.3.0.1.Final.tmp 18 327 19->25         started        29 cmd.exe 1 23->29         started        31 cmd.exe 23->31         started        33 cmd.exe 23->33         started        file9 process10 file11 67 C:\...xpire_SM.exe (copy), PE32 25->67 dropped 69 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 25->69 dropped 71 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 25->71 dropped 73 94 other files (none is malicious) 25->73 dropped 93 Uses cmd line tools excessively to alter registry or file data 25->93 35 KillAllStartMenu.exe 25->35         started        95 Uses schtasks.exe or at.exe to add and modify task schedules 29->95 37 reg.exe 29->37         started        40 reg.exe 29->40         started        42 conhost.exe 29->42         started        49 18 other processes 29->49 44 Installer.exe 31->44         started        46 7z.exe 31->46         started        51 4 other processes 31->51 53 2 other processes 33->53 signatures12 process13 file14 87 Disables Windows Defender (deletes autostart) 37->87 89 Disable Windows Defender real time protection (registry) 40->89 91 Injects a PE file into a foreign processes 44->91 75 C:\ProgramData\...\Installer.exe, PE32 46->75 dropped signatures15
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ffa212f2e4a69930a47fab0c12b6e2d98c590dd18c5ee1115e5ea4571b89ac50/
Threat name:
Win32.Trojan.Pasnaino
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 12:16:00 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=76rbf4xeu2mtbjd7vmgbfnxc3ggfsdorrrpocek6l2sfog4jvria._file
Verdict:
malicious
Similar samples:
1b4d9981e15438e889193b4272e5bc6d07d0b8984e95741eb36f7cad3dec66e6
RaccoonStealer
36dbd261a7559865cd8fcf4b437758e113c89cfd05dda604a646f343dda2abe6
RaccoonStealer
4da160dc1a5e5f2f2e0dee7ab9ccd3a522e34bbef2d602f35525b788f3afee2a
RaccoonStealer
93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c
RaccoonStealer
bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
RaccoonStealer
ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
RaccoonStealer
+ 3'205 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:3659cc597a258a4a805c5672721af02cdb861a23 evasion stealer trojan
Link:
https://tria.ge/reports/210905-mntbjacgbj/
Behaviour
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Modifies security service
Raccoon
Unpacked files
SH256 hash:
697cf9b7a364edac75cd0451aed93b09a477fb7a345758416084d6f65b501c0a
MD5 hash:
259d2f304354aa7635e11272f1f736f3
SHA1 hash:
4deb8eb3b858f04a328e48a4e4b0a22453ef8068
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
2cb9ac0bb9995c1351a97b48867722f42d720dfd11e4459577bfd8c68d0a9c85
MD5 hash:
76a43227847b006e7dd8a9c4390011ae
SHA1 hash:
b0115e4ea328578d473bedeaf8d494c917484f69
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
641f8ac075f4635617793a448cf69fd04f3326473838475284d3420a5767bb1a
MD5 hash:
758a2163a127489deb358f21b0b68510
SHA1 hash:
9ce554793fc6024b5246fe32fb213092ec6a61fb
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
99f9f07401bfb516a26a5448de5f23470538b7b880223e137cca1f427f578d9a
MD5 hash:
ae0b3af77d40591e565018d9efe7c76f
SHA1 hash:
6f337618e2e355c78e2a0483347ecfd06c8f0e1c
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
86a547b7911d8ef03b3011bce67d3a4664821042525cdbfadefe9be31dc271c5
MD5 hash:
05564ac0a61a7d86e01500f973316072
SHA1 hash:
2380be5c8f707b036ea59e43d4581708ac9bab37
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
7c0abcc33639ca2d2116aee8a1954789a3aec41184e18193c039b19d02789a74
MD5 hash:
814bc53a501c000c24d9615db2d58a88
SHA1 hash:
f415929dc40036e951dc859e428ef76a2250164b
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
d4ce5d514efcbf979bcc5fd7eed06c31ef1c3c774c60d436f32b9370ba07a977
MD5 hash:
d89b9e50981ba630944e1a03f0a01d8e
SHA1 hash:
608d9054ce149d483c8712f6bc8652bb180faf0c
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
f5d70bd0152d7dda521cb89c3d948f13b59efc902f6da83fae54d3f98c0e43b8
MD5 hash:
6197106fec2be6baf41c272fb052ff07
SHA1 hash:
52ffe5761dc561704c82448ed3eeb1ca8e519fd7
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
01e1c0ec628486c9721df9a739597e9fa57e6e95291491a51075cc6020eea44b
MD5 hash:
d240cc936f47ab3aac5ab8f988a360e6
SHA1 hash:
0131e626f9a9ed52b85396616b87fb16f4cfbb29
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
289670a7e3e63946e024d4981fb8c75a3a388ac1ea100c962798af8836d3246e
MD5 hash:
393ef105719f76bdd94723405fe492c5
SHA1 hash:
04b347ca9e9e637c7960808497489a69e8d935ba
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
9716fc53be20a22455a92d019670000e084abe095669fcd38c7108d07d5cd00d
MD5 hash:
d02f9d796dbc81c149f0dba7278c340c
SHA1 hash:
f7778cb68e9854681c4f1ce50b28512abcdbf0ef
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
201ce9b884d42e8d779faedec2f2ecb4958e0c1fe42d4b577c96725c4451eee0
MD5 hash:
ffe6d1692c9d7b548d7b0350c5b900e4
SHA1 hash:
d7030a6a2a2212fe35556d19e03950088cba9df8
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
bea56b3f57672e3408688907017d9d2a8fb146afa7582c5f5e9b68ab0a1dae26
MD5 hash:
512f6bf696fdd6e90b5b1a8c0fa8930c
SHA1 hash:
72c1169223f520066d411231eba3e45f855cdaf4
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
766973803b4f5826beab9b68a8f2c9025e75df910fbb6b7bc078bdbbbd92d236
MD5 hash:
fa82cc6ba76630783e10a967da89d26c
SHA1 hash:
4418c4b241d204b820c77012a40d53e33cc37da0
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
c8e41734d658a85850497050813577fe377acf4acb68326a506f5e67e54a27eb
MD5 hash:
cac982406ed4abf2c39b613fb13532c5
SHA1 hash:
165e665df5f5ab3d7f9f870a86b989039445d358
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
SH256 hash:
ffa212f2e4a69930a47fab0c12b6e2d98c590dd18c5ee1115e5ea4571b89ac50
MD5 hash:
49e3f1ba228f5b076eabbe045cda84f3
SHA1 hash:
7a54f08edcd6d9a1fb1db142ee18b689014a514e
Link:
https://www.unpac.me/results/f880a61d-352e-4e86-ac05-0c79059ca496/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ffa212f2e4a6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffa212f2e4a69930a47fab0c12b6e2d98c590dd18c5ee1115e5ea4571b89ac50

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments