MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93
SHA3-384 hash: 91ee0b6713fec642acdef8b21cb41ad90f88a1104e67a85cc6c4d5d5fca50138217b2bb8f4151d3519e8a6cacf259588
SHA1 hash: 06d6101bd0b03997a8e239de9b9dec6de69a9c6b
MD5 hash: 2983b011d132fe58ae6f372c735c1287
humanhash: ohio-diet-west-indigo
File name:SecuriteInfo.com.Trojan.DownLoader34.13550.23784.9070
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'077'248 bytes
First seen:2020-07-31 12:44:27 UTC
Last seen:2020-08-07 02:46:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:okRyUsfOkmi5W5o69QoO1EeQqKBdQ1aUY4B4t8dv:okTkn58LxO1RQTB8Bm
Threatray 1'108 similar samples on MalwareBazaar
TLSH 6135E1447B50E50FC26B8F7BC6D44800EDB8E59B9A17D387B48527EF18CE36EA8016B5
Reporter SecuriteInfoCom
Tags:RaccoonStealer

Intelligence

File Origin
# of uploads :
5
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36506/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.13550.23784.9070.UNOFFICIAL
Create hunting rule

Result
Threat name:
AsyncRAT Azorult Raccoon Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/406084
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Keylogger Generic
Yara detected Raccoon Stealer
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255378 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 92 fgdjhksdfsdxcbv.ru 2->92 94 asdxcvxdfgdnbvrwe.ru 2->94 96 4 other IPs or domains 2->96 124 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->124 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 11 other signatures 2->130 10 SecuriteInfo.com.Trojan.DownLoader34.13550.23784.exe 15 7 2->10         started        signatures3 process4 dnsIp5 106 mantis.ug 217.8.117.77, 49736, 49740, 49744 CREXFEXPEX-RUSSIARU Russian Federation 10->106 108 mantis.co.ug 10->108 88 C:\Users\user\AppData\Local\Temp\Psdmva.exe, PE32 10->88 dropped 90 SecuriteInfo.com.T...13550.23784.exe.log, ASCII 10->90 dropped 150 Contains functionality to steal Internet Explorer form passwords 10->150 152 Injects a PE file into a foreign processes 10->152 15 SecuriteInfo.com.Trojan.DownLoader34.13550.23784.exe 91 10->15         started        20 Psdmva.exe 14 7 10->20         started        file6 signatures7 process8 dnsIp9 112 mantis.co.ug 15->112 114 telete.in 195.201.225.248, 443, 49737 HETZNER-ASDE Germany 15->114 116 34.65.10.107, 49738, 49739, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 15->116 56 C:\Users\user\AppData\...\xWa7TiyLDm.exe, PE32 15->56 dropped 58 C:\Users\user\AppData\...\ihaWOT4eKi.exe, PE32 15->58 dropped 60 C:\Users\user\AppData\...\P4m1doWxAb.exe, PE32 15->60 dropped 64 66 other files (2 malicious) 15->64 dropped 120 Tries to steal Mail credentials (via file access) 15->120 22 xWa7TiyLDm.exe 15->22         started        27 73zvtDT4xd.exe 15->27         started        29 P4m1doWxAb.exe 15->29         started        39 2 other processes 15->39 118 mantis.co.ug 20->118 62 C:\Users\user\AppData\Local\...\IUvsOle.exe, PE32 20->62 dropped 122 Injects a PE file into a foreign processes 20->122 31 Psdmva.exe 61 20->31         started        33 IUvsOle.exe 3 20->33         started        35 Psdmva.exe 20->35         started        37 Psdmva.exe 20->37         started        file10 signatures11 process12 dnsIp13 98 googlehosted.l.googleusercontent.com 216.58.214.193, 443, 49750 GOOGLEUS United States 22->98 100 192.168.2.1 unknown unknown 22->100 102 doc-04-3c-docs.googleusercontent.com 22->102 66 C:\Users\user\AppData\Local\Prhcsec.exe, PE32 22->66 dropped 132 Writes to foreign memory regions 22->132 134 Allocates memory in foreign processes 22->134 136 Creates a thread in another existing process (thread injection) 22->136 68 C:\Users\user\AppData\...\&startupname&.exe, PE32 27->68 dropped 41 P4m1doWxAb.exe 29->41         started        104 michaeldiamantis.ug 31->104 70 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->70 dropped 72 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 31->72 dropped 74 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 31->74 dropped 76 45 other files (none is malicious) 31->76 dropped 138 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->138 140 Tries to steal Instant Messenger accounts or passwords 31->140 142 Tries to steal Mail credentials (via file access) 31->142 148 3 other signatures 31->148 144 Injects a PE file into a foreign processes 33->144 146 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 33->146 44 IUvsOle.exe 33->44         started        48 conhost.exe 39->48         started        50 timeout.exe 39->50         started        52 ihaWOT4eKi.exe 39->52         started        file14 signatures15 process16 dnsIp17 78 C:\Windows\Temp\h0mgfweg.exe, PE32 41->78 dropped 54 cmstp.exe 41->54         started        110 mantis.ug 44->110 80 C:\ProgramData\vcruntime140.dll, PE32 44->80 dropped 82 C:\ProgramData\sqlite3.dll, PE32 44->82 dropped 84 C:\ProgramData\softokn3.dll, PE32 44->84 dropped 86 4 other files (none is malicious) 44->86 dropped 154 Tries to steal Crypto Currency Wallets 44->154 file18 signatures19 process20
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 17:05:36 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7oydksjstiv7vgsno2ltjfklx7upwm5ukvxm4mpjahwfs2n3ojq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
08fe7e61eafc062a5f50981fae0f578442cdfd31a00e2398389c8bea37485f02
RaccoonStealer
2474c1ce1d299fd2234e7b10f6e464861151bf53e68f15a2a944dbeb56e5e0e9
RaccoonStealer
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
RaccoonStealer
37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f
RaccoonStealer
54cdc9b1ede5661104e61f012de44e010500744c2b3003a6ffaff2f3f6eded34
RaccoonStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
RaccoonStealer
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
RaccoonStealer
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
RaccoonStealer
9b1328490717e1e3c97216a17bf36b67103a40dae3bbac6865487e51fea82b32
RaccoonStealer
a486d1f0ad1fb2729dbbcd5d3606f30566f86abd3f2d5218c11077dfeac95f0e
RaccoonStealer
+ 1'098 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
ransomware rat evasion trojan spyware discovery infostealer family:azorult stealer family:raccoon family:asyncrat
Link:
https://tria.ge/reports/200731-45t8v5qwbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SetThreadContext
JavaScript code in executable
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Windows security modification
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Modifies Windows Defender Real-time Protection settings
Azorult
Raccoon
Raccoon log file
Contains code to disable Windows Defender
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/36506/
  
URLhaus
https://urlhaus.abuse.ch/url/401281/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
URLhaus
https://urlhaus.abuse.ch/url/366553/
  
URLhaus
https://urlhaus.abuse.ch/url/360443/
  
URLhaus
https://urlhaus.abuse.ch/url/422721/
  
URLhaus
https://urlhaus.abuse.ch/url/422726/
  
URLhaus
https://urlhaus.abuse.ch/url/422728/
  
URLhaus
https://urlhaus.abuse.ch/url/422730/
  
URLhaus
https://urlhaus.abuse.ch/url/422731/
  
URLhaus
https://urlhaus.abuse.ch/url/422736/
  
URLhaus
https://urlhaus.abuse.ch/url/422738/
  
URLhaus
https://urlhaus.abuse.ch/url/422744/

Comments