MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
SHA3-384 hash: db3b517ed0ceabda08d5409771f16c91d40f0c05c3a6d5a017a8693e5426279d934fb0dbd07e6fcb542c8e2335b3225d
SHA1 hash: 0e241c16dfc4b0e3b918c86a0ae39bdaff7fd81f
MD5 hash: 6ebc441b966301fb0df9e020409349b4
humanhash: maine-low-lake-blue
File name: 6ebc441b966301fb0df9e020409349b4.exe
Signature: RaccoonStealer
File size: 823'296 bytes
First seen: 2020-07-31 10:25:54 UTC
Last seen: 2020-08-02 07:34:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8a39c205952d33542b205c4ebdb081c8
ssdeep: 12288:wwK5QVZaFrHcjwZ1vBQQn1b49bu17oKPXXLDrRFQSF8hKcCqtyEEzfsICoieW2:jodHFNlP17oSXX9ShKFqty/xPiev
TLSH: 1B05233041A76A52F57B45B22AB015D50FBC996379A58CBFCF44383C2EF2B81D246B36
Reporter: @abuse_ch
Tags: exe RaccoonStealer


Tweet by @abuse_ch:
RaccoonStealer C2:
http://34.65.10.107/gate/log.php

AZORult C2:
http://michaeldiamantis.ug/index.php

ArkeiStealer C2:
http://mantis.ug/

Intelligence


File Origin
# of uploads: 4
# of downloads: 24
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Threat name: AsyncRAT Azorult Raccoon Remcos Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Dropper
Yara detected Keylogger Generic
Yara detected Raccoon Stealer
Yara detected Remcos RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph (the rendered graph image is not recoverable; the facts below are taken from its labels)
Behavior Graph ID: 255300. Sample: 1sNG7ySc17.exe. Start date: 31/07/2020. Architecture: WINDOWS. Score: 100.
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures.

Network indicators (7 IPs or domains): fgdjhksdfsdxcbv.ru; asdxcvxdfgdnbvrwe.ru; 34.65.10.107 (ports 49737, 49738, 80; GOOGLE-AS-AP, United States); mantis.co.ug; mantis.ug 217.8.117.77 (ports 49736, 49739, 49740; CREXFEXPEX-RUSSIA, Russian Federation); michaeldiamantis.ug; googlehosted.l.googleusercontent.com 216.58.214.193 (ports 443, 49745, 49754; GOOGLE, United States); doc-04-3c-docs.googleusercontent.com; doc-0c-bg-docs.googleusercontent.com.

Process tree and dropped files:
1sNG7ySc17.exe (Detected unpacking: changes PE section rights, overwrites its own PE header; Contains functionality to steal Internet Explorer form passwords; Maps a DLL or memory area into another process)
  drops C:\Users\user\AppData\Local\...\POvnsqt.exe (PE32) and C:\Users\user\AppData\Local\...\Ofdsnswq.exe (PE32)
  -> POvnsqt.exe (Detected unpacking: changes PE section rights; Maps a DLL or memory area into another process)
     -> POvnsqt.exe: contacts mantis.ug and michaeldiamantis.ug; drops C:\Users\user\AppData\Local\Temp\rc.exe, ac.exe, ds2.exe (PE32) and 49 other files (none malicious); Tries to harvest and steal Putty / WinSCP information; Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 2 other signatures
        -> rc.exe: contacts googlehosted.l.googleusercontent.com and doc-0c-bg-docs.googleusercontent.com; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
        -> ac.exe: Injects a PE file into a foreign process
  -> 1sNG7ySc17.exe (child): contacts 34.65.10.107, mantis.co.ug and 2 other IPs or domains; drops C:\Users\user\AppData\...\yAtjQW8PyQ.exe, a8MhGSegsc.exe, PE0oR26iVl.exe (PE32) and 66 other files (2 malicious); Tries to steal Mail credentials (via file access)
     -> Dk7qVNV1ih.exe: contacts fgdjhksdfsdxcbv.ru, googlehosted.l.googleusercontent.com (216.58.214.193:443) and doc-04-3c-docs.googleusercontent.com; drops C:\Users\user\AppData\Local\Prhcsec.exe (PE32); Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
     -> a8MhGSegsc.exe: drops C:\Users\user\AppData\...\&startupname&.exe (PE32); Injects a PE file into a foreign process
     -> yAtjQW8PyQ.exe -> yAtjQW8PyQ.exe: drops C:\Windows\Temp\hyhag1tq.exe (PE32); starts cmstp.exe
     -> 2 other processes: PE0oR26iVl.exe -> powershell.exe -> conhost.exe; conhost.exe; timeout.exe
  -> Ofdsnswq.exe (Detected unpacking: overwrites its own PE header)
     -> Ofdsnswq.exe: drops C:\ProgramData\vcruntime140.dll and C:\ProgramData\sqlite3.dll (PE32) and 5 other files (none malicious); Tries to steal Crypto Currency Wallets; starts cmd.exe -> conhost.exe -> conhost.exe, taskkill.exe
cmd.exe -> hyhag1tq.exe -> powershell.exe; conhost.exe
taskkill.exe -> conhost.exe
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-07-30 19:49:15 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 5/5
Result
Malware family: oski
Score: 10/10
Tags: ransomware rat evasion trojan stealer family:raccoon family:asyncrat infostealer family:azorult spyware discovery family:oski
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Drops desktop.ini file(s)
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Windows security modification
Reads data files stored by FTP clients
Executes dropped EXE
Async RAT payload
Contains code to disable Windows Defender
AsyncRat
Raccoon
Azorult
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon log file
Threat name: DriveBy Activity
Score: 0.90

Yara Signatures


Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_oski_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_raccoon_a0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type: Executable exe
SHA256: 286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5 (this sample)

Comments