MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 10



SHA256 hash: 0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
SHA3-384 hash: dc2718117be4b1d3df07fc8769b55956b6eb62158f2a468ec7fb19df5c2c4e172eead28ffbb10ef87c667b9ed2b7a7fc
SHA1 hash: e52812e0a3a17a291f524bde23a7dea44339bbf3
MD5 hash: 20b4ed91510de8b2766a7b27b643a007
humanhash: stream-earth-social-helium
File name: 20b4ed91510de8b2766a7b27b643a007.exe
Signature: RaccoonStealer
File size: 1'038'192 bytes
First seen: 2020-12-07 19:22:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb2dc6a3b0ff08c6c90db330cd506ba5 (1 x RaccoonStealer)
ssdeep: 24576:/axyj3UlpY02W9pNydU50sTmJf2fU+NAmAOLm+t:/ac3UoW9OGxTmJ6emACm+
Threatray: 1'509 similar samples on MalwareBazaar
TLSH: 2D2502279D260917E4090C709AA5D6F26F3EED2370C21E1FF704F95D18A274768E1ABB
Reporter: abuse_ch
Tags: exe RaccoonStealer
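The imphash listed above is what the "(1 x RaccoonStealer)" count pivots on: it is the MD5 of the sample's PE import table after normalisation, so builds that share a compiler, packer and stub tend to share it even when every other hash differs. The following is an added example, not code from the MalwareBazaar page or the abuse.ch code base, that reimplements that normalisation in the form pefile's get_imphash() uses and clusters samples on the result. The import tables in SAMPLES are constructed for illustration; they are not this sample's real imports and do not reproduce the hash on the page.

```python
"""Derive an imphash from a PE import list and cluster samples on it.

Normalisation rules (as used by pefile.get_imphash()): lowercase the library
name and strip a trailing .dll/.ocx/.sys; lowercase symbol names; render
imports by ordinal as "ordN"; join "lib.symbol" entries with commas in
import-table order; MD5 the result.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple, Union

Import = Tuple[str, Union[str, int]]   # (library name, symbol name or ordinal)

_STRIP_EXT = (".dll", ".ocx", ".sys")


def normalise_entry(library: str, symbol: Union[str, int]) -> str:
    """One import-table entry in the form that gets hashed."""
    lib = library.lower()
    for ext in _STRIP_EXT:
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    # pefile additionally maps well-known ordinals of ws2_32.dll and
    # oleaut32.dll back to symbol names; this simplified version keeps "ordN".
    name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
    return f"{lib}.{name}"


def imphash(imports: Iterable[Import]) -> str:
    """MD5 over the comma-joined normalised entries; import order matters."""
    joined = ",".join(normalise_entry(lib, sym) for lib, sym in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def cluster_by_imphash(samples: Dict[str, List[Import]]) -> Dict[str, List[str]]:
    """Group sample identifiers (e.g. SHA256 values) that share an imphash."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for sample_id, imports in samples.items():
        groups[imphash(imports)].append(sample_id)
    return dict(groups)


# Constructed import tables, not real samples.  "sample-b" is "sample-a" with
# different casing, which imphash ignores; "sample-c" imports the same symbols
# in a different order, which it does not.
SAMPLES: Dict[str, List[Import]] = {
    "sample-a": [("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "LoadLibraryA"),
                 ("WS2_32.dll", 23), ("USER32.dll", "MessageBoxA")],
    "sample-b": [("kernel32.DLL", "getprocaddress"), ("Kernel32.dll", "LOADLIBRARYA"),
                 ("ws2_32.DLL", 23), ("user32.dll", "messageboxa")],
    "sample-c": [("USER32.dll", "MessageBoxA"), ("KERNEL32.dll", "GetProcAddress"),
                 ("KERNEL32.dll", "LoadLibraryA"), ("WS2_32.dll", 23)],
}

if __name__ == "__main__":
    for digest, ids in cluster_by_imphash(SAMPLES).items():
        print(digest, ids)
```

Because the order of the import table is part of the hash, a relink or a different packer stub changes the value; that is why an imphash pivot is tight (few false positives) but narrow, and why a single-sample count as on this page says little on its own.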

Intelligence


File Origin
# of uploads: 1
# of downloads: 157
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
DNS request
Connection attempt
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AsyncRAT Azorult Raccoon Remcos Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Remcos RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 327740; sample nYu1NYxf3H.exe; start date 07/12/2020; architecture WINDOWS; score 100)

Top-level network: agentpurple.ac.ug; agentpapple.ac.ug; 2 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures

Process tree, with dropped files, network contacts and triggered signatures per process:

nYu1NYxf3H.exe
  dropped: C:\Users\user\AppData\Local\...\YTfghawe.exe (PE32); C:\Users\user\AppData\Local\...\HJsdfccdf.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Maps a DLL or memory area into another process
  +- HJsdfccdf.exe
  |    signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
  |    +- HJsdfccdf.exe
  |         network: brice.ac.ug
  |         dropped: C:\Users\user\AppData\Local\Temp\rc.exe (PE32); C:\Users\user\AppData\Local\Temp\ds2.exe (PE32); C:\Users\user\AppData\Local\Temp\ac.exe (PE32); 49 other files (none is malicious)
  |         signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 3 other signatures
  |         +- rc.exe
  |         |    network: cdn.discordapp.com 162.159.129.233:443 (CLOUDFLARENETUS, United States); discord.com 162.159.135.232:443 (CLOUDFLARENETUS, United States)
  |         |    dropped: C:\Users\user\AppData\Local\...\Yzhkdrv.exe (PE32)
  |         |    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  |         |    +- ieinstal.exe
  |         |         network: agentpapple.ac.ug; taenaia.ac.ug 185.140.53.149 (DAVID_CRAIGGG, Sweden)
  |         +- ds2.exe
  |         |    signatures: Injects a PE file into a foreign processes
  |         |    +- ds2.exe
  |         +- ac.exe
  |         +- 2 other processes
  |              +- conhost.exe
  |              +- timeout.exe
  +- nYu1NYxf3H.exe
  |    network: chinarobotics2020.top 104.18.53.69:443 (CLOUDFLARENETUS, United States); telete.in 195.201.225.248:443 (HETZNER-ASDE, Germany); 172.67.208.20:443 (CLOUDFLARENETUS, United States)
  |    dropped: C:\Users\user\AppData\...\k1q6gZQfNS.exe (PE32); C:\Users\user\AppData\...\WqtqGWg8Bd.exe (PE32); C:\Users\user\AppData\...\RSliQfyvtw.exe (PE32); 59 other files (none is malicious)
  |    signatures: Tries to steal Mail credentials (via file access)
  |    +- WqtqGWg8Bd.exe
  |    |    network: discord.com; cdn.discordapp.com
  |    |    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  |    |    +- ieinstal.exe
  |    +- k1q6gZQfNS.exe
  |    |    signatures: Injects a PE file into a foreign processes
  |    +- cmd.exe
  |    |    +- conhost.exe
  |    |    +- timeout.exe
  |    +- 2 other processes
  |         dropped: C:\Users\user\AppData\...\OoSWkPRRGjx.exe (PE32)
  +- YTfghawe.exe
       signatures: Detected unpacking (overwrites its own PE header)
       +- YTfghawe.exe
            network: darkangel.ac.ug 217.8.117.77 (CREXFEXPEX-RUSSIARU, Russian Federation); 192.168.2.1
            dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
            signatures: Tries to steal Crypto Currency Wallets
            +- cmd.exe
                 +- conhost.exe
                 +- taskkill.exe

Yzhkdrv.exe (first instance, started at top level)
  network: discord.com; cdn.discordapp.com
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  +- ieinstal.exe

Yzhkdrv.exe (second instance, started at top level)
  network: 162.159.135.233 (CLOUDFLARENETUS, United States); discord.com; cdn.discordapp.com
  signatures: Injects a PE file into a foreign processes
  +- ieinstal.exe
Threat name: Win32.Infostealer.Azorult
Status: Malicious
First seen: 2020-12-07 09:38:04 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:asyncrat family:azorult family:modiloader family:oski family:raccoon discovery evasion infostealer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
ServiceHost packer
Azorult
Contains code to disable Windows Defender
ModiLoader, DBatLoader
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
AsyncRat
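Several of the behaviours above are visible in plain process-creation telemetry, without the sandbox. The following is an added example, not code from the MalwareBazaar page or from any vendor sandbox, that runs three detection rules over constructed events shaped like Sysmon Event ID 1. R1 covers ieinstal.exe being started by a parent that runs from a user-writable path (in the behaviour graph rc.exe, Yzhkdrv.exe and WqtqGWg8Bd.exe each spawn ieinstal.exe and then write to and create threads in a foreign process); R2 covers cmd.exe chaining timeout with taskkill or del ("Delays execution with timeout.exe", "Kills process with taskkill", "Deletes itself"); R3 covers a process created from a file in a Temp directory ("Creating a file in the %temp% directory", "Creating a process from a recently created file"). The EVENTS list, its pids and its file paths are constructed; the page does not state where ieinstal.exe lives on the sandbox host.

```python
"""Rule-based detection over constructed Sysmon-style process-creation events."""
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Alert = Tuple[str, int, str]   # (rule id, pid, description)

# Paths a standard user can write to; the drop locations on the page all match.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
# Legitimate binaries used as injection/hollowing hosts; ieinstal.exe is the
# one seen in this sample's behaviour graph.  Extend as needed.
HOLLOW_TARGETS = {"ieinstal.exe"}


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def user_writable(image: str) -> bool:
    return any(m in image.lower() for m in USER_WRITABLE_MARKERS)


def in_temp(image: str) -> bool:
    return "\\temp\\" in image.lower()


def detect(events: List[Event]) -> List[Alert]:
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[Event]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    alerts: List[Alert] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # All three rules require a parent running from a user-writable path;
        # that single condition removes most benign uses of the same binaries.
        if parent is None or not user_writable(parent["image"]):
            continue
        name = basename(e["image"])

        if name in HOLLOW_TARGETS:                                    # R1
            alerts.append(("R1", e["pid"],
                           f"{name} launched by {parent['image']} (injection target)"))

        if name == "cmd.exe":                                         # R2
            kids = {basename(c["image"]) for c in children.get(e["pid"], [])}
            cl = str(e["cmdline"]).lower()
            delays = "timeout.exe" in kids or "timeout" in cl
            kills = ("taskkill.exe" in kids or "taskkill" in cl
                     or re.search(r"\bdel\b", cl) is not None)
            if delays and kills:
                alerts.append(("R2", e["pid"], f"delayed kill/self-delete: {e['cmdline']}"))

        if in_temp(e["image"]):                                       # R3
            alerts.append(("R3", e["pid"], f"executable run from Temp: {e['image']}"))
    return alerts


# Constructed events modelled on the behaviour graph's process chain.
EVENTS: List[Event] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\user\Downloads\nYu1NYxf3H.exe", "cmdline": "nYu1NYxf3H.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\user\AppData\Local\Temp\rc.exe", "cmdline": "rc.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Program Files\Internet Explorer\ieinstal.exe", "cmdline": "ieinstal.exe"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c timeout 3 & taskkill /f /im nYu1NYxf3H.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im nYu1NYxf3H.exe"},
    # Benign controls: the same binaries and command lines, launched from a system path.
    {"pid": 800, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\ieinstal.exe", "cmdline": "ieinstal.exe"},
    {"pid": 900, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c timeout 3 & taskkill /f /im foo.exe"},
]

if __name__ == "__main__":
    for rule, pid, why in detect(EVENTS):
        print(rule, pid, why)
```

The parent-path condition is the part worth keeping when porting these to Sigma or an EDR query language: ieinstal.exe, cmd.exe and timeout.exe are all common on a clean host, and the behaviour graph shows that what distinguishes this chain is that every one of them is started by a freshly dropped executable in AppData, Temp or ProgramData.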
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
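The three C2 indicators above are in two shapes, a full URL and bare host:port pairs, and they are only useful once normalised. The following is an added example, not code from the MalwareBazaar page or from abuse.ch, that parses both forms, matches them against connection and DNS log lines, and emits Suricata rules. C2_RAW is copied from the list above; the log lines in SAMPLE_LOG are constructed for illustration, and the sid values are arbitrary placeholders to be replaced with numbers from your own reserved range. The page does not say which family each indicator belongs to, so the rule messages do not attribute them.

```python
"""Normalise MalwareBazaar C2 indicators, match logs, and emit Suricata rules."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Copied from the 'C2 Extraction' list above.
C2_RAW = [
    "http://195.245.112.115/index.php",
    "agentttt.ac.ug:6970",
    "agentpurple.ac.ug:6970",
]


@dataclass(frozen=True)
class Indicator:
    host: str             # lower-cased hostname or IP literal
    port: Optional[int]   # None when the indicator carries no port
    path: Optional[str]   # URI path; only set for URL indicators


def parse_indicator(raw: str) -> Indicator:
    """Accept either a full URL or a bare host[:port]."""
    raw = raw.strip()
    if "://" in raw:
        u = urlsplit(raw)
        if not u.hostname:
            raise ValueError(f"no host in {raw!r}")
        port = u.port or (443 if u.scheme == "https" else 80)
        return Indicator(u.hostname.lower(), port, u.path or "/")
    host, sep, port = raw.rpartition(":")
    if not sep:
        return Indicator(raw.lower(), None, None)
    return Indicator(host.lower(), int(port), None)


def load_indicators(raw_list: List[str]) -> List[Indicator]:
    return [parse_indicator(r) for r in raw_list]


def match_dns(qname: str, indicators: List[Indicator]) -> Optional[Indicator]:
    qname = qname.lower().rstrip(".")
    return next((i for i in indicators if i.host == qname), None)


def match_connection(dst: str, port: int, indicators: List[Indicator],
                     path: Optional[str] = None) -> Optional[Tuple[Indicator, str]]:
    """A host match on another port or path is still reported, as 'host-only':
    operators re-use a domain or IP far more often than a port."""
    dst = dst.lower()
    for ind in indicators:
        if ind.host != dst:
            continue
        exact = (ind.port is None or ind.port == port) and \
                (ind.path is None or path is None or ind.path == path)
        return ind, ("exact" if exact else "host-only")
    return None


def scan_log(lines: List[str], indicators: List[Indicator]) -> List[Tuple[str, str]]:
    """Constructed line format: 'dns <qname>' or 'conn <dst> <port> [<path>]'."""
    hits = []
    for line in lines:
        kind, _, rest = line.partition(" ")
        fields = rest.split()
        if kind == "dns" and fields:
            ind = match_dns(fields[0], indicators)
            if ind:
                hits.append((line, f"DNS lookup of C2 host {ind.host}"))
        elif kind == "conn" and len(fields) >= 2:
            path = fields[2] if len(fields) > 2 else None
            m = match_connection(fields[0], int(fields[1]), indicators, path)
            if m:
                ind, conf = m
                hits.append((line, f"{conf} match on C2 {ind.host}:{ind.port}"))
    return hits


def suricata_rules(indicators: List[Indicator], base_sid: int = 9000001) -> List[str]:
    """URL indicators become HTTP host+URI rules; bare hosts become DNS query rules."""
    rules = []
    for n, ind in enumerate(indicators):
        sid = base_sid + n   # placeholder; use your own reserved sid range
        if ind.path is not None:
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET {ind.port} '
                f'(msg:"MalwareBazaar C2 HTTP {ind.host}{ind.path}"; flow:established,to_server; '
                f'http.host; content:"{ind.host}"; http.uri; content:"{ind.path}"; '
                f'sid:{sid}; rev:1;)')
        else:
            rules.append(
                f'alert dns $HOME_NET any -> any any (msg:"MalwareBazaar C2 DNS query {ind.host}"; '
                f'dns.query; content:"{ind.host}"; nocase; sid:{sid}; rev:1;)')
    return rules


# Constructed log lines, not from the page's sandbox run.
SAMPLE_LOG = [
    "dns agentpurple.ac.ug",
    "conn 195.245.112.115 80 /index.php",
    "dns www.example.com",
    "conn agentttt.ac.ug 6970",
    "conn 195.245.112.115 443 /gate.php",
]

if __name__ == "__main__":
    inds = load_indicators(C2_RAW)
    for line, why in scan_log(SAMPLE_LOG, inds):
        print(f"{why:<45} <- {line}")
    print("\n".join(suricata_rules(inds)))
```

The host:port indicators cannot be matched on raw TCP without a resolved address, which is why they are turned into DNS query rules; if you also have the resolved IPs from your own telemetry, add an `alert tcp` rule on the address and port 6970.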
Unpacked files
SHA256 hash: 0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
MD5 hash: 20b4ed91510de8b2766a7b27b643a007
SHA1 hash: e52812e0a3a17a291f524bde23a7dea44339bbf3
SHA256 hash: 7a9cc86f682173a47784fe2d5c4ef9b80674c7ae07aa821db7647befc9da9781
MD5 hash: 9f20de393ff95fca40efd3be1c5450dd
SHA1 hash: d9a52b6afab156ff499f177f263e30c3cda5d357
Detections: win_oski_g0 win_oski_auto
SHA256 hash: eb0c985eb2848b4d2b180d79b8a38bebad6df9d6ce9a32673aec6cc2466171a2
MD5 hash: 7bc15f8bb669146c2972e916d369f173
SHA1 hash: ec0726f63873640f699a0e29e81fdc8c6e61a218
Detections: win_azorult_g1 win_azorult_auto
SHA256 hash: aa1c34d9d3d8339c41c064028375b0f9325c4cb8c09baebd4e4f5c9c71d94f32
MD5 hash: d8fb83cc260d7220694a482621268973
SHA1 hash: d80f825cc693ac5ce5d412bc466ebb6d3884a106
Detections: win_raccoon_a0 win_raccoon_auto
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_oski_g0
Author: Slavo Greminger, SWITCH-CERT
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type: Executable exe
SHA256: 0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a (this sample)
