MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93
SHA3-384 hash: 91ee0b6713fec642acdef8b21cb41ad90f88a1104e67a85cc6c4d5d5fca50138217b2bb8f4151d3519e8a6cacf259588
SHA1 hash: 06d6101bd0b03997a8e239de9b9dec6de69a9c6b
MD5 hash: 2983b011d132fe58ae6f372c735c1287
humanhash: ohio-diet-west-indigo
File name: SecuriteInfo.com.Trojan.DownLoader34.13550.23784.9070
Signature: RaccoonStealer
File size: 1'077'248 bytes
First seen: 2020-07-31 12:44:27 UTC
Last seen: 2020-08-02 07:34:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 24576:okRyUsfOkmi5W5o69QoO1EeQqKBdQ1aUY4B4t8dv:okTkn58LxO1RQTB8Bm
TLSH: 6135E1447B50E50FC26B8F7BC6D44800EDB8E59B9A17D387B48527EF18CE36EA8016B5
Reporter: @SecuriteInfoCom
Tags: RaccoonStealer

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 27
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Threat name: AsyncRAT Azorult Raccoon Remcos
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Keylogger Generic
Yara detected Raccoon Stealer
Yara detected Remcos RAT
Behaviour
Behavior Graph: Behavior Graph ID 255378, Sample: SecuriteInfo.com.Trojan.Dow..., Startdate: 31/07/2020, Architecture: WINDOWS, Score: 100 (interactive graph not reproduced)
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-07-30 17:05:36 UTC
AV detection: 22 of 31 (70.97%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: ransomware rat evasion trojan spyware discovery infostealer family:azorult stealer family:raccoon family:asyncrat
Behaviour
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SetThreadContext
JavaScript code in executable
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Windows security modification
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Modifies Windows Defender Real-time Protection settings
Azorult
Raccoon
Raccoon log file
Contains code to disable Windows Defender
Threat name: Kryptik
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 07dd81aa4994d15fd4d26bb4b9a4aa5dff47d99da2ab76718f480f62cb4ddb93 (this sample)

Comments