MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12c65e9b2189c8853552288feac6470dcc8ffe458f33c43d95146a420045c7ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12c65e9b2189c8853552288feac6470dcc8ffe458f33c43d95146a420045c7ac
SHA3-384 hash: 2a32a99c4d004b388785b224f97e0216fca04126096bc7afb78c530f68a646b3d23e9b00d3bf6f3ee6e2e7a128a0ad22
SHA1 hash: 71ac488c5478abac471076363ffc5450a851ff98
MD5 hash: afb698582199dd76136f3fd78a6b40a3
humanhash: white-oranges-rugby-may
File name:AFB698582199DD76136F3FD78A6B40A3.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:702'145 bytes
First seen:2021-06-26 06:36:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 12288:VOOfN590uu6opX+t4sPxXEg112rYvqefXU+468QZ467XKtFYev6DXfdH:YOfNkuu6oLsJXN1WqqeW68QZ46jKLYeW
Threatray 1'372 similar samples on MalwareBazaar
TLSH EAE4F111B5D08071D5721D3819F8AB346A3DBD301F358EDBA3D43A2E5E305D29A3ABA7
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.141.128.39/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://34.141.128.39/ https://threatfox.abuse.ch/ioc/153871/

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AFB698582199DD76136F3FD78A6B40A3.exe
Verdict:
Malicious activity
Analysis date:
2021-06-26 06:39:37 UTC
Tags:
autoit evasion trojan stealer vidar loader
Link:
https://app.any.run/tasks/b9b40264-ad96-4364-a2de-a97ef6ccc561

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168422/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Steam.19390.13490.17676.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4404d9a5-6d81-4faf-9722-01bb2f856219
Result
Threat name:
Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808390
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440801 Sample: ILQyJ80qCs.exe Startdate: 26/06/2021 Architecture: WINDOWS Score: 100 90 Multi AV Scanner detection for domain / URL 2->90 92 Found malware configuration 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 8 other signatures 2->96 10 ILQyJ80qCs.exe 1 10 2->10         started        13 iexplore.exe 2 85 2->13         started        process3 file4 68 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 10->68 dropped 15 File.exe 3 20 10->15         started        20 iexplore.exe 39 13->20         started        process5 dnsIp6 74 newja.webtm.ru 92.53.96.150, 49711, 80 TIMEWEB-ASRU Russian Federation 15->74 48 C:\Users\Public\run2.exe, PE32 15->48 dropped 50 C:\Users\Public\run.exe, PE32 15->50 dropped 82 Binary is likely a compiled AutoIt script file 15->82 84 Drops PE files to the user root directory 15->84 22 run.exe 90 15->22         started        27 run2.exe 3 15->27         started        76 iplogger.org 88.99.66.31, 443, 49720, 49721 HETZNER-ASDE Germany 20->76 file7 signatures8 process9 dnsIp10 70 159.69.20.131, 49723, 80 HETZNER-ASDE Germany 22->70 72 sergeevih43.tumblr.com 74.114.154.18, 443, 49722 AUTOMATTICUS Canada 22->72 60 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 22->60 dropped 62 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 22->62 dropped 64 C:\Users\user\AppData\...\mozglue[1].dll, PE32 22->64 dropped 66 9 other files (none is malicious) 22->66 dropped 98 Multi AV Scanner detection for dropped file 22->98 100 Detected unpacking (changes PE section rights) 22->100 102 Detected unpacking (overwrites its own PE header) 22->102 106 4 other signatures 22->106 29 cmd.exe 22->29         started        104 Contains functionality to steal Internet Explorer form passwords 27->104 31 run2.exe 27->31         started        file11 signatures12 process13 dnsIp14 36 conhost.exe 29->36         started        38 taskkill.exe 29->38         started        40 timeout.exe 29->40         started        78 t.me 149.154.167.99, 443, 49724 TELEGRAMRU United Kingdom 31->78 80 34.141.128.39, 49725, 80 ATGS-MMD-ASUS United States 31->80 52 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 31->52 dropped 54 C:\Users\user\AppData\...\vcruntime140.dll, PE32 31->54 dropped 56 C:\Users\user\AppData\...\ucrtbase.dll, PE32 31->56 dropped 58 56 other files (none is malicious) 31->58 dropped 86 Tries to steal Mail credentials (via file access) 31->86 88 Tries to harvest and steal browser information (history, passwords, etc) 31->88 42 cmd.exe 31->42         started        file15 signatures16 process17 process18 44 conhost.exe 42->44         started        46 timeout.exe 42->46         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/12c65e9b2189c8853552288feac6470dcc8ffe458f33c43d95146a420045c7ac/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 16:12:54 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cldf5gzbrheiknksfch6vrshbxgi77sfr4z4ipmvcrveeacfy6wa._file
Verdict:
malicious
Similar samples:
2c2d88dbff1f9196148cc3c7501d4c45b05ef51887651b3bcdbb111fcc7a2ba2
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb
RaccoonStealer
8358e817e423f16dcdcd3f213229f7b7b63de4a1ccce5f7ab07997a57183f758
RaccoonStealer
8eb065a0ab7b4771f2fb1ec4264cd0c1505a948b358e200b46ce5e540fcbdbf5
RaccoonStealer
913f62676d29a2368f9f6f97a3adc623ede915b58812e05aba24a1b0177697d4
RaccoonStealer
9daf087ef991160871f07d75d1577eccd34d926e1bd5d30cc30516fdcbd84b45
RaccoonStealer
ad26db45e89bfcb2804b1c39b2eed3e92a98480cb0096746f57362b784cb1df7
RaccoonStealer
b751a245f558db84cf77e46e473073e2dd23fbde9f9d150d63e525bbf4b88e8c
RaccoonStealer
e8a770fcbfbdf7ee350c3df44ea62a2c4e36ca523f9f14b0b770395dabea7fc4
RaccoonStealer
+ 1'362 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:vidar discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/210626-pc78l6m3n2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Raccoon
Vidar
Unpacked files
SH256 hash:
4d1ed631e365438776e6036cb179821c5b00d80f503878443ab6588383032d92
MD5 hash:
d3f5dae3315bb3146d57f68c67f9e5cf
SHA1 hash:
a93ac78b0abdcbacc465fb527bca9e9bb830b9b1
Link:
https://www.unpac.me/results/ad725b7d-1796-4c25-bd45-7824864d6eb2/
SH256 hash:
12c65e9b2189c8853552288feac6470dcc8ffe458f33c43d95146a420045c7ac
MD5 hash:
afb698582199dd76136f3fd78a6b40a3
SHA1 hash:
71ac488c5478abac471076363ffc5450a851ff98
Link:
https://www.unpac.me/results/ad725b7d-1796-4c25-bd45-7824864d6eb2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12c65e9b2189c8853552288feac6470dcc8ffe458f33c43d95146a420045c7ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168422/

Comments