MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d7fcb87c1ac2786c319720a857328d19e7ac523396992b445fec60de47919df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d7fcb87c1ac2786c319720a857328d19e7ac523396992b445fec60de47919df
SHA3-384 hash: 0708564f7cd1c7440079007921d7c42c3b4d74fe07a8659bb00983b36b23aa1bce56bd4f306264d7125dc9cfb28f885f
SHA1 hash: 499a644a9c7837735c7d91d3643c67a05fee9255
MD5 hash: 0f26358fd91d83052eca6eade733e5ea
humanhash: spring-pasta-lactose-comet
File name:0f26358fd91d83052eca6eade733e5ea
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'224'704 bytes
First seen:2021-09-23 05:04:03 UTC
Last seen:2021-09-23 05:56:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 31fdddb41123508749dd6c9468f73e6f (2 x RaccoonStealer, 2 x ArkeiStealer, 1 x AZORult)
ssdeep 24576:qmuf2c1tInjcY9mlD80atXRjiM5gAf2T3lF0risc2bb/JFQi/BcwcONLYTp:fM2cD1I0URiGgAYlF7by/QiJcwjNe
Threatray 9'084 similar samples on MalwareBazaar
TLSH T1B045334B9C661843F04C06B24ED905EC9D7EAD237268A90FFF046E4B0BD129B5EE54B7
Reporter zbetcheckin
Tags:32 exe RaccoonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
download.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 08:49:28 UTC
Tags:
loader trojan stealer raccoon vidar rat azorult
Link:
https://app.any.run/tasks/e26ce5e8-1d8a-4463-b45b-0e981bbc5309

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190463/
Detection(s):
SecuriteInfo.com.Variant.Barys.102299.29371.28776.UNOFFICIAL
Create hunting rule

Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cc658c5-fd9b-457b-8cff-5eb8973c0873
Result
Threat name:
Azorult Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856155
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488582 Sample: yVel5pTl3G Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 61 telete.in 2->61 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 11 other signatures 2->75 10 yVel5pTl3G.exe 20 2->10         started        signatures3 process4 file5 57 C:\Users\user\AppData\Local\...\dscadeq.exe, PE32 10->57 dropped 59 C:\Users\user\AppData\Local\Temp\dnadeq.exe, PE32 10->59 dropped 89 Maps a DLL or memory area into another process 10->89 14 dscadeq.exe 4 10->14         started        17 dnadeq.exe 4 10->17         started        19 yVel5pTl3G.exe 10->19         started        signatures6 process7 dnsIp8 91 Maps a DLL or memory area into another process 14->91 22 dscadeq.exe 67 14->22         started        27 dnadeq.exe 191 17->27         started        63 telete.in 195.201.225.248, 443, 49686, 49689 HETZNER-ASDE Germany 19->63 signatures9 process10 dnsIp11 65 maurizio.ac.ug 185.215.113.77, 49687, 49688, 49690 WHOLESALECONNECTIONSNL Portugal 22->65 41 C:\Users\user\AppData\...\vcruntime140.dll, PE32 22->41 dropped 43 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 22->43 dropped 45 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 22->45 dropped 53 45 other files (none is malicious) 22->53 dropped 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->77 79 Tries to steal Instant Messenger accounts or passwords 22->79 81 Tries to steal Mail credentials (via file access) 22->81 87 2 other signatures 22->87 29 cmd.exe 1 22->29         started        67 maurizio.ug 27->67 47 C:\ProgramData\vcruntime140.dll, PE32 27->47 dropped 49 C:\ProgramData\sqlite3.dll, PE32 27->49 dropped 51 C:\ProgramData\softokn3.dll, PE32 27->51 dropped 55 4 other files (none is malicious) 27->55 dropped 83 Tries to harvest and steal browser information (history, passwords, etc) 27->83 85 Tries to steal Crypto Currency Wallets 27->85 31 cmd.exe 1 27->31         started        file12 signatures13 process14 process15 33 conhost.exe 29->33         started        35 timeout.exe 1 29->35         started        37 taskkill.exe 1 31->37         started        39 conhost.exe 31->39         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2d7fcb87c1ac2786c319720a857328d19e7ac523396992b445fec60de47919df/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 10:37:11 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fv74xb6bvqtynqyzoifik4zi2gphvrjdhfuzfncf73da3zdzdhpq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
raccoon
Create hunting rule
Similar samples:
0290fd4f9c7240911d9051f76167a75dd78834e6a03faf6b09aeae21ff3094db
RaccoonStealer
29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
RaccoonStealer
42caa5a2e19134770914b3b33dffaceaae03a44fc52babd8abc250d7d7696945
RaccoonStealer
547bf6d6ed5ae181513ed653109514c73e5f50c3ea3a094bcd382fbd3c4b4bb0
RaccoonStealer
959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
RaccoonStealer
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
RaccoonStealer
a60bebe1f77523c999022885b6d6ba4c2e96e930d21b26f2254f113e179c48cc
RaccoonStealer
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
RaccoonStealer
fc576ede17e81cc2d5229f3a8ff900df35ba9c46fef5c67c8bb0fbb83f418b3e
RaccoonStealer
+ 9'074 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210923-fqahwahbal/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
maurizio.ug
Unpacked files
SH256 hash:
d6bcb29d704c235ce3ec08ac1265b7d3434627ff440ae69d193d4c894298acc7
MD5 hash:
9fb0b8503e75fa08a7ebf5d56de55f60
SHA1 hash:
7830899da150d54608248f9b128116c439eacded
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/e9b374b5-9625-4033-8ba9-ac23c775ca6d/
SH256 hash:
9c3184336bcf6f8168c2968a4d429c1ce1f1c8670700c7288f16bba46445e34e
MD5 hash:
f8593b76e2454e3917794c0c907f0c06
SHA1 hash:
68af6b73a13112696b0b6a19384af15c56a5d7bb
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/e9b374b5-9625-4033-8ba9-ac23c775ca6d/
SH256 hash:
516dec75a22fce2b0d4d7d4b2b34fa4da90789a03f057ec3f7000c09bb01685d
MD5 hash:
ece94d6ba82f611e21298e9d2580be00
SHA1 hash:
a94018032dbd0986c3161011f192607e87d0294e
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/e9b374b5-9625-4033-8ba9-ac23c775ca6d/
SH256 hash:
2d7fcb87c1ac2786c319720a857328d19e7ac523396992b445fec60de47919df
MD5 hash:
0f26358fd91d83052eca6eade733e5ea
SHA1 hash:
499a644a9c7837735c7d91d3643c67a05fee9255
Link:
https://www.unpac.me/results/e9b374b5-9625-4033-8ba9-ac23c775ca6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d7fcb87c1ac2786c319720a857328d19e7ac523396992b445fec60de47919df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 2d7fcb87c1ac2786c319720a857328d19e7ac523396992b445fec60de47919df

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190463/
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/1539388/
  
URLhaus
https://urlhaus.abuse.ch/url/1514315/
  
URLhaus
https://urlhaus.abuse.ch/url/1596394/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
  
URLhaus
https://urlhaus.abuse.ch/url/1514297/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/

Comments


Avatar
zbet commented on 2021-09-23 05:04:05 UTC

url : hxxp://jamshed.pk/zxcv.EXE